Windows Analysis Report PO_101&102.exe

Overview

General Information

Sample Name: PO_101&102.exe
Analysis ID: 510600
MD5: c8a5346cb632c91e0006252fd2c47bec
SHA1: a671570c31428ebc9bee30c9a2b9963bf629560a
SHA256: 46a0a8595dccf134213c2e9ae10dd6fdd8e3ff5f0cb1b01014a6b67e31927eec
Tags: exe, formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sigma detected: Suspect Svchost Activity
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SGDT)

Process Tree

  • System is w10x64
  • PO_101&102.exe (PID: 7016 cmdline: 'C:\Users\user\Desktop\PO_101&102.exe' MD5: C8A5346CB632C91E0006252FD2C47BEC)
    • PO_101&102.exe (PID: 5268 cmdline: {path} MD5: C8A5346CB632C91E0006252FD2C47BEC)
    • PO_101&102.exe (PID: 5964 cmdline: {path} MD5: C8A5346CB632C91E0006252FD2C47BEC)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • svchost.exe (PID: 5580 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
          • cmd.exe (PID: 6216 cmdline: /c del 'C:\Users\user\Desktop\PO_101&102.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.reynbetgirisi.com/snr6/"], "decoy": ["jjglassmi1.com", "vpsseattle.com", "drfllc.top", "staycoolonline.com", "eptlove.com", "solusimatasehat.site", "ionrarecharlestonproperties.com", "b3eflucg.xyz", "tvchosun-usa.com", "mmahzxwzsadqlshop.life", "gospelimport.com", "demoapps.website", "jackburst54.com", "99rocket.education", "ccbwithbri.com", "trapperairsoft.com", "useroadly.com", "ralphlaurenonline-nl.com", "loanmaster4u.com", "champ-beauty-tomigaoka-nail.com", "theripemillennial.com", "123intan.net", "typopendant.com", "coruscant.holdings", "bio-intelligenz-therapie.com", "reprv.com", "directreport.net", "phinespe.xyz", "xuvedae.site", "idilikproperties.info", "wakigaggenin.com", "mal2tech.com", "nftwhaler.xyz", "gxhnjssx.com", "ozba.xyz", "lecupcake.net", "lucid.quest", "kaleoslawncare.com", "tiew.store", "texcommercialpainting.com", "2152351.com", "likewize-xl.com", "dacooligans.com", "manuelmartinezs.com", "beancusp.com", "barbershopvalleyvillage.com", "southwickfunerals.com", "briellebaeslay.info", "rebeccarye.com", "unitedstateswelders.com", "saudiarabiavegan.com", "testcarona.com", "serverapsd.com", "crickx.email", "hdszbj.com", "bennettmountainoutfitter.com", "leileilei1999.xyz", "baroquefolke.com", "francinegeorges.com", "horpces.online", "resolutionfix.com", "mike-schultz.xyz", "sohutobankueahomupezinkv.xyz", "flowerseedqueen.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000000.307243585.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    0000000A.00000000.307243585.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    0000000A.00000000.307243585.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18849:$sqlite3step: 68 34 1C 7B E1
    • 0x1895c:$sqlite3step: 68 34 1C 7B E1
    • 0x18878:$sqlite3text: 68 38 2A 90 C5
    • 0x1899d:$sqlite3text: 68 38 2A 90 C5
    • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
    0000000A.00000002.371409464.0000000001530000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      0000000A.00000002.371409464.0000000001530000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      10.2.PO_101&102.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        10.2.PO_101&102.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        10.2.PO_101&102.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x18849:$sqlite3step: 68 34 1C 7B E1
        • 0x1895c:$sqlite3step: 68 34 1C 7B E1
        • 0x18878:$sqlite3text: 68 38 2A 90 C5
        • 0x1899d:$sqlite3text: 68 38 2A 90 C5
        • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
        10.0.PO_101&102.exe.400000.8.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          10.0.PO_101&102.exe.400000.8.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          System Summary:

          Sigma detected: Suspect Svchost Activity
          Source: Process started, Author: David Burkett, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 5580
          Sigma detected: Suspicious Svchost Process
          Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 5580
          Sigma detected: Windows Processes Suspicious Parent Directory
          Source: Process started, Author: vburov, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 5580

          Jbx Signature Overview

          AV Detection:

          Found malware configuration
          Source: 00000001.00000002.312254656.0000000004500000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook
          Multi AV Scanner detection for submitted file
          Source: PO_101&102.exe, ReversingLabs: Detection: 35%
          Yara detected FormBook
          Source: Yara match, File source: 10.2.PO_101&102.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 10.0.PO_101&102.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 10.0.PO_101&102.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 10.0.PO_101&102.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 10.0.PO_101&102.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 10.2.PO_101&102.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.PO_101&102.exe.45ada08.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 10.0.PO_101&102.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0000000A.00000000.307243585.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000002.371409464.0000000001530000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.558614233.0000000002E40000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.312254656.0000000004500000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.555083742.00000000001A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000000.352889129.0000000007949000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000000.335987438.0000000007949000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000002.371246188.0000000001500000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000000.308236166.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Antivirus detection for URL or domain
          Source: https://www.reynbetgirisi.com/snr6/?jDH8=E19JCPWLLAvTbcnEEa/roDJkoR1wzkcHqaxLe1hmnUekSrF, Avira URL Cloud: Label: malware
          Source: http://www.reynbetgirisi.com/snr6/?jDH8=E19JCPWLLAvTbcnEEa/roDJkoR1wzkcHqaxLe1hmnUekSrF+l+57NdrJs1Xds1ailiks&l0D0=fJBTE, Avira URL Cloud: Label: malware
          Source: www.reynbetgirisi.com/snr6/, Avira URL Cloud: Label: malware
          Machine Learning detection for sample
          Source: PO_101&102.exe, Joe Sandbox ML: detected
          Source: 10.0.PO_101&102.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 10.0.PO_101&102.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 10.2.PO_101&102.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 10.0.PO_101&102.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: PO_101&102.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: PO_101&102.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: PO_101&102.exe, 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, svchost.exe, 0000000F.00000002.559918506.0000000003700000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PO_101&102.exe, svchost.exe
          Source: Binary string: svchost.pdb source: PO_101&102.exe, 0000000A.00000002.371642195.00000000015B0000.00000040.00020000.sdmp
          Source: Binary string: svchost.pdbUGP source: PO_101&102.exe, 0000000A.00000002.371642195.00000000015B0000.00000040.00020000.sdmp
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h, 1_2_07DF7710
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h, 1_2_07DF7700
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 4x nop then pop ebx, 10_2_00407B2D
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 4x nop then pop esi, 10_2_0041732F
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop ebx, 15_2_02F47B2D
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop esi, 15_2_02F5732F

          Networking:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe, Network Connect: 185.178.208.163 80
          Source: C:\Windows\explorer.exe, Domain query: www.reynbetgirisi.com
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.reynbetgirisi.com/snr6/
          Source: Joe Sandbox View, ASN Name: DDOS-GUARDRU DDOS-GUARDRU
          Source: global traffic, HTTP traffic detected: GET /snr6/?jDH8=E19JCPWLLAvTbcnEEa/roDJkoR1wzkcHqaxLe1hmnUekSrF+l+57NdrJs1Xds1ailiks&l0D0=fJBTE HTTP/1.1, Host: www.reynbetgirisi.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
          Source: svchost.exe, 0000000F.00000002.561711505.000000000411F000.00000004.00020000.sdmp, String found in binary or memory: https://www.reynbetgirisi.com/snr6/?jDH8=E19JCPWLLAvTbcnEEa/roDJkoR1wzkcHqaxLe1hmnUekSrF
          Source: unknown, DNS traffic detected: queries for: www.reynbetgirisi.com
          Source: PO_101&102.exe, 00000001.00000002.310356859.000000000175A000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 10.2.PO_101&102.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.2.PO_101&102.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 10.0.PO_101&102.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.0.PO_101&102.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 10.0.PO_101&102.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.0.PO_101&102.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 10.0.PO_101&102.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.0.PO_101&102.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 10.0.PO_101&102.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.0.PO_101&102.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 10.2.PO_101&102.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.2.PO_101&102.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.PO_101&102.exe.45ada08.2.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.PO_101&102.exe.45ada08.2.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 10.0.PO_101&102.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.0.PO_101&102.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.307243585.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.307243585.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.371409464.0000000001530000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.371409464.0000000001530000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.558614233.0000000002E40000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.558614233.0000000002E40000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.312254656.0000000004500000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.312254656.0000000004500000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.555083742.00000000001A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.555083742.00000000001A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000000.352889129.0000000007949000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000000.352889129.0000000007949000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000000.335987438.0000000007949000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000000.335987438.0000000007949000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.371246188.0000000001500000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.371246188.0000000001500000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.308236166.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.308236166.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample, Static PE information: Filename: PO_101&102.exe
          Source: PO_101&102.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 10.2.PO_101&102.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.2.PO_101&102.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.PO_101&102.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.0.PO_101&102.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.PO_101&102.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.0.PO_101&102.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.PO_101&102.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.0.PO_101&102.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.PO_101&102.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.0.PO_101&102.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.PO_101&102.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.2.PO_101&102.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.PO_101&102.exe.45ada08.2.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.PO_101&102.exe.45ada08.2.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.PO_101&102.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.0.PO_101&102.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.307243585.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.307243585.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.371409464.0000000001530000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.371409464.0000000001530000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.558614233.0000000002E40000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.558614233.0000000002E40000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.312254656.0000000004500000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.312254656.0000000004500000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.555083742.00000000001A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.555083742.00000000001A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.352889129.0000000007949000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.352889129.0000000007949000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.335987438.0000000007949000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.335987438.0000000007949000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.371246188.0000000001500000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.371246188.0000000001500000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.308236166.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.308236166.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: String function: 0372B150 appears 133 times
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: String function: 0162B150 appears 139 times
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 10_2_0041A360 NtCreateFile
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 10_2_0041A410 NtReadFile
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 10_2_0041A490 NtClose
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 10_2_0041A540 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 10_2_0041A40D NtReadFile
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 10_2_0041A48B NtClose
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 10_2_0041A53C NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 10_2_01669910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 10_2_016699A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 10_2_01669860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 10_2_01669840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 10_2_016698F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 10_2_01669A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 10_2_01669A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 10_2_01669A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 10_2_01669540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 10_2_016695D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 10_2_01669710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 10_2_016697A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO_101&102.exe, Code function: 10_2_01669780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01669660 NtAllocateVirtualMemory,LdrInitializeThunk,10_2_01669660
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016696E0 NtFreeVirtualMemory,LdrInitializeThunk,10_2_016696E0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01669950 NtQueueApcThread,10_2_01669950
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016699D0 NtCreateProcessEx,10_2_016699D0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0166B040 NtSuspendThread,10_2_0166B040
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01669820 NtEnumerateKey,10_2_01669820
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016698A0 NtWriteVirtualMemory,10_2_016698A0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01669B00 NtSetValueKey,10_2_01669B00
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0166A3B0 NtGetContextThread,10_2_0166A3B0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01669A10 NtQuerySection,10_2_01669A10
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01669A80 NtOpenDirectoryObject,10_2_01669A80
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01669560 NtWriteFile,10_2_01669560
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01669520 NtWaitForSingleObject,10_2_01669520
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0166AD30 NtSetContextThread,10_2_0166AD30
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016695F0 NtQueryInformationFile,10_2_016695F0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01669760 NtOpenProcess,10_2_01669760
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0166A770 NtOpenThread,10_2_0166A770
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01669770 NtSetInformationFile,10_2_01669770
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01669730 NtQueryVirtualMemory,10_2_01669730
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0166A710 NtOpenProcessToken,10_2_0166A710
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01669FE0 NtCreateMutant,10_2_01669FE0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01669670 NtQueryInformationProcess,10_2_01669670
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01669650 NtQueryValueKey,10_2_01669650
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01669610 NtEnumerateValueKey,10_2_01669610
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016696D0 NtCreateKey,10_2_016696D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769A50 NtCreateFile,LdrInitializeThunk,15_2_03769A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769910 NtAdjustPrivilegesToken,LdrInitializeThunk,15_2_03769910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_037699A0 NtCreateSection,LdrInitializeThunk,15_2_037699A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769860 NtQuerySystemInformation,LdrInitializeThunk,15_2_03769860
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769840 NtDelayExecution,LdrInitializeThunk,15_2_03769840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769710 NtQueryInformationToken,LdrInitializeThunk,15_2_03769710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769FE0 NtCreateMutant,LdrInitializeThunk,15_2_03769FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769780 NtMapViewOfSection,LdrInitializeThunk,15_2_03769780
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769660 NtAllocateVirtualMemory,LdrInitializeThunk,15_2_03769660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769650 NtQueryValueKey,LdrInitializeThunk,15_2_03769650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_037696E0 NtFreeVirtualMemory,LdrInitializeThunk,15_2_037696E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_037696D0 NtCreateKey,LdrInitializeThunk,15_2_037696D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769540 NtReadFile,LdrInitializeThunk,15_2_03769540
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_037695D0 NtClose,LdrInitializeThunk,15_2_037695D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769B00 NtSetValueKey,15_2_03769B00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_0376A3B0 NtGetContextThread,15_2_0376A3B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769A20 NtResumeThread,15_2_03769A20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769A10 NtQuerySection,15_2_03769A10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769A00 NtProtectVirtualMemory,15_2_03769A00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769A80 NtOpenDirectoryObject,15_2_03769A80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769950 NtQueueApcThread,15_2_03769950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_037699D0 NtCreateProcessEx,15_2_037699D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_0376B040 NtSuspendThread,15_2_0376B040
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769820 NtEnumerateKey,15_2_03769820
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_037698F0 NtReadVirtualMemory,15_2_037698F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_037698A0 NtWriteVirtualMemory,15_2_037698A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_0376A770 NtOpenThread,15_2_0376A770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769770 NtSetInformationFile,15_2_03769770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769760 NtOpenProcess,15_2_03769760
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769730 NtQueryVirtualMemory,15_2_03769730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_0376A710 NtOpenProcessToken,15_2_0376A710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_037697A0 NtUnmapViewOfSection,15_2_037697A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769670 NtQueryInformationProcess,15_2_03769670
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769610 NtEnumerateValueKey,15_2_03769610
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769560 NtWriteFile,15_2_03769560
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_0376AD30 NtSetContextThread,15_2_0376AD30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_03769520 NtWaitForSingleObject,15_2_03769520
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_037695F0 NtQueryInformationFile,15_2_037695F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_02F5A360 NtCreateFile,15_2_02F5A360
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_02F5A490 NtClose,15_2_02F5A490
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_02F5A410 NtReadFile,15_2_02F5A410
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_02F5A540 NtAllocateVirtualMemory,15_2_02F5A540
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_02F5A48B NtClose,15_2_02F5A48B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_02F5A40D NtReadFile,15_2_02F5A40D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_02F5A53C NtAllocateVirtualMemory,15_2_02F5A53C
          Source: PO_101&102.exe, 00000001.00000002.312254656.0000000004500000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs PO_101&102.exe
          Source: PO_101&102.exe, 00000001.00000002.311135246.00000000033C1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs PO_101&102.exe
          Source: PO_101&102.exe, 00000001.00000000.282576255.000000000103A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameenNNpuJ.exe4 vs PO_101&102.exe
          Source: PO_101&102.exe, 00000001.00000002.310356859.000000000175A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs PO_101&102.exe
          Source: PO_101&102.exe, 00000009.00000000.303163894.000000000022A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameenNNpuJ.exe4 vs PO_101&102.exe
          Source: PO_101&102.exe, 0000000A.00000002.371671376.00000000015BB000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamesvchost.exej% vs PO_101&102.exe
          Source: PO_101&102.exe, 0000000A.00000002.372084013.00000000018AF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PO_101&102.exe
          Source: PO_101&102.exe, 0000000A.00000000.306435842.0000000000B9A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameenNNpuJ.exe4 vs PO_101&102.exe
          Source: PO_101&102.exeBinary or memory string: OriginalFilenameenNNpuJ.exe4 vs PO_101&102.exe
          Source: PO_101&102.exeReversingLabs: Detection: 35%
          Source: PO_101&102.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PO_101&102.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\PO_101&102.exe 'C:\Users\user\Desktop\PO_101&102.exe'
          Source: C:\Users\user\Desktop\PO_101&102.exeProcess created: C:\Users\user\Desktop\PO_101&102.exe {path}
          Source: C:\Users\user\Desktop\PO_101&102.exeProcess created: C:\Users\user\Desktop\PO_101&102.exe {path}
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
          Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO_101&102.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\PO_101&102.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_101&102.exe.log
          Source: classification engineClassification label: mal100.troj.evad.winEXE@9/1@2/1
          Source: C:\Users\user\Desktop\PO_101&102.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: PO_101&102.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6076:120:WilError_01
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\PO_101&102.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: PO_101&102.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: PO_101&102.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: PO_101&102.exe, 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, svchost.exe, 0000000F.00000002.559918506.0000000003700000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PO_101&102.exe, svchost.exe
          Source: Binary string: svchost.pdb source: PO_101&102.exe, 0000000A.00000002.371642195.00000000015B0000.00000040.00020000.sdmp
          Source: Binary string: svchost.pdbUGP source: PO_101&102.exe, 0000000A.00000002.371642195.00000000015B0000.00000040.00020000.sdmp
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 1_2_00F94FA2 push 00000000h; iretd 1_2_00F94FEC
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 1_2_05A29112 push C800055Eh; ret 1_2_05A29121
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 1_2_05A290E0 push 5C00005Eh; ret 1_2_05A29101
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 1_2_05A22E61 push ecx; ret 1_2_05A22E75
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 1_2_07BD9ADE push esi; iretd 1_2_07BD9AE5
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 1_2_07DF2E23 push esi; retf 1_2_07DF2E24
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 1_2_07DF850C push FFFFFF8Bh; iretd 1_2_07DF8517
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 9_2_00184FA2 push 00000000h; iretd 9_2_00184FEC
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0041EA41 push eax; ret 10_2_0041EB9B
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_00407B2B pushfd ; iretd 10_2_00407B2C
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0041ABC6 push edx; ret 10_2_0041ABC8
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_00417C75 push eax; ret 10_2_00417C8B
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_004164E9 push ebx; iretd 10_2_004164F2
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0041D4B5 push eax; ret 10_2_0041D508
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0041656B push esp; iretd 10_2_0041656C
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0041D56C push eax; ret 10_2_0041D572
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0041D502 push eax; ret 10_2_0041D508
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0041D50B push eax; ret 10_2_0041D572
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0041DD3A push eax; ret 10_2_0041DB23
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0041D5A6 push eax; ret 10_2_0041DB23
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_00403633 push eax; iretd 10_2_0040363E
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_00AF4FA2 push 00000000h; iretd 10_2_00AF4FEC
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0167D0D1 push ecx; ret 10_2_0167D0E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_0377D0D1 push ecx; ret 15_2_0377D0E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_02F5EA41 push eax; ret 15_2_02F5EB9B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_02F5ABC6 push edx; ret 15_2_02F5ABC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_02F47B2B pushfd ; iretd 15_2_02F47B2C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_02F43633 push eax; iretd 15_2_02F4363E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_02F564E9 push ebx; iretd 15_2_02F564F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_02F5D4B5 push eax; ret 15_2_02F5D508
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 15_2_02F57C75 push eax; ret 15_2_02F57C8B
          Source: initial sampleStatic PE information: section name: .text entropy: 7.43588694795

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xE3
          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\svchost.exe Process created: /c del 'C:\Users\user\Desktop\PO_101&102.exe'
          Source: C:\Users\user\Desktop\PO_101&102.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match File source: Process Memory Space: PO_101&102.exe PID: 7016, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: PO_101&102.exe, 00000001.00000002.311209437.0000000003420000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: PO_101&102.exe, 00000001.00000002.311209437.0000000003420000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\PO_101&102.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PO_101&102.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000002F49904 second address: 0000000002F4990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000002F49B7E second address: 0000000002F49B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PO_101&102.exe TID: 7076 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 4292 Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\SysWOW64\svchost.exe TID: 4908 Thread sleep time: -34000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\PO_101&102.exe Code function: 10_2_00409AB0 rdtsc 10_2_00409AB0
          Source: C:\Users\user\Desktop\PO_101&102.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\PO_101&102.exe Code function: 1_2_00F9A8FF sgdt fword ptr [eax] 1_2_00F9A8FF
          Source: C:\Users\user\Desktop\PO_101&102.exe Process information queried: ProcessInformation
          Source: PO_101&102.exe, 00000001.00000002.311209437.0000000003420000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
          Source: explorer.exe, 0000000B.00000000.321646424.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: PO_101&102.exe, 00000001.00000002.311209437.0000000003420000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: explorer.exe, 0000000B.00000000.353798297.0000000008778000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
          Source: PO_101&102.exe, 00000001.00000002.311209437.0000000003420000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: PO_101&102.exe, 00000001.00000002.311209437.0000000003420000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 0000000B.00000000.319717839.00000000067C2000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000B.00000000.321646424.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
          Source: explorer.exe, 0000000B.00000000.319717839.00000000067C2000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
          Source: PO_101&102.exe, 00000001.00000002.311209437.0000000003420000.00000004.00000001.sdmpBinary or memory string: VMWARE
          Source: PO_101&102.exe, 00000001.00000002.311209437.0000000003420000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: PO_101&102.exe, 00000001.00000002.311209437.0000000003420000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: PO_101&102.exe, 00000001.00000002.311209437.0000000003420000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: PO_101&102.exe, 00000001.00000002.311209437.0000000003420000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 0000000B.00000000.321646424.00000000086C9000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: C:\Users\user\Desktop\PO_101&102.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016499BF mov ecx, dword ptr fs:[00000030h]10_2_016499BF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016499BF mov eax, dword ptr fs:[00000030h]10_2_016499BF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016499BF mov ecx, dword ptr fs:[00000030h]10_2_016499BF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016499BF mov ecx, dword ptr fs:[00000030h]10_2_016499BF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016499BF mov eax, dword ptr fs:[00000030h]10_2_016499BF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016499BF mov ecx, dword ptr fs:[00000030h]10_2_016499BF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016499BF mov ecx, dword ptr fs:[00000030h]10_2_016499BF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016499BF mov eax, dword ptr fs:[00000030h]10_2_016499BF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0165A185 mov eax, dword ptr fs:[00000030h]10_2_0165A185
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164C182 mov eax, dword ptr fs:[00000030h]10_2_0164C182
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01652990 mov eax, dword ptr fs:[00000030h]10_2_01652990
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016F1074 mov eax, dword ptr fs:[00000030h]10_2_016F1074
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016E2073 mov eax, dword ptr fs:[00000030h]10_2_016E2073
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01640050 mov eax, dword ptr fs:[00000030h]10_2_01640050
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01640050 mov eax, dword ptr fs:[00000030h]10_2_01640050
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0165002D mov eax, dword ptr fs:[00000030h]10_2_0165002D
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0165002D mov eax, dword ptr fs:[00000030h]10_2_0165002D
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0165002D mov eax, dword ptr fs:[00000030h]10_2_0165002D
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0165002D mov eax, dword ptr fs:[00000030h]10_2_0165002D
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0165002D mov eax, dword ptr fs:[00000030h]10_2_0165002D
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0163B02A mov eax, dword ptr fs:[00000030h]10_2_0163B02A
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0163B02A mov eax, dword ptr fs:[00000030h]10_2_0163B02A
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0163B02A mov eax, dword ptr fs:[00000030h]10_2_0163B02A
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0163B02A mov eax, dword ptr fs:[00000030h]10_2_0163B02A
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A830 mov eax, dword ptr fs:[00000030h]10_2_0164A830
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A830 mov eax, dword ptr fs:[00000030h]10_2_0164A830
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A830 mov eax, dword ptr fs:[00000030h]10_2_0164A830
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A830 mov eax, dword ptr fs:[00000030h]10_2_0164A830
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016F4015 mov eax, dword ptr fs:[00000030h]10_2_016F4015
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016F4015 mov eax, dword ptr fs:[00000030h]10_2_016F4015
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016A7016 mov eax, dword ptr fs:[00000030h]10_2_016A7016
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016A7016 mov eax, dword ptr fs:[00000030h]10_2_016A7016
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016A7016 mov eax, dword ptr fs:[00000030h]10_2_016A7016
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164B8E4 mov eax, dword ptr fs:[00000030h]10_2_0164B8E4
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164B8E4 mov eax, dword ptr fs:[00000030h]10_2_0164B8E4
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016240E1 mov eax, dword ptr fs:[00000030h]10_2_016240E1
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016240E1 mov eax, dword ptr fs:[00000030h]10_2_016240E1
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016240E1 mov eax, dword ptr fs:[00000030h]10_2_016240E1
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016258EC mov eax, dword ptr fs:[00000030h]10_2_016258EC
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016BB8D0 mov eax, dword ptr fs:[00000030h]10_2_016BB8D0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016BB8D0 mov ecx, dword ptr fs:[00000030h]10_2_016BB8D0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016BB8D0 mov eax, dword ptr fs:[00000030h]10_2_016BB8D0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016BB8D0 mov eax, dword ptr fs:[00000030h]10_2_016BB8D0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016BB8D0 mov eax, dword ptr fs:[00000030h]10_2_016BB8D0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016BB8D0 mov eax, dword ptr fs:[00000030h]10_2_016BB8D0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016520A0 mov eax, dword ptr fs:[00000030h]10_2_016520A0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016520A0 mov eax, dword ptr fs:[00000030h]10_2_016520A0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016520A0 mov eax, dword ptr fs:[00000030h]10_2_016520A0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016520A0 mov eax, dword ptr fs:[00000030h]10_2_016520A0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016520A0 mov eax, dword ptr fs:[00000030h]10_2_016520A0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016520A0 mov eax, dword ptr fs:[00000030h]10_2_016520A0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016690AF mov eax, dword ptr fs:[00000030h]10_2_016690AF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0165F0BF mov ecx, dword ptr fs:[00000030h]10_2_0165F0BF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0165F0BF mov eax, dword ptr fs:[00000030h]10_2_0165F0BF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0165F0BF mov eax, dword ptr fs:[00000030h]10_2_0165F0BF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01629080 mov eax, dword ptr fs:[00000030h]10_2_01629080
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016A3884 mov eax, dword ptr fs:[00000030h]10_2_016A3884
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016A3884 mov eax, dword ptr fs:[00000030h]10_2_016A3884
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0162DB60 mov ecx, dword ptr fs:[00000030h]10_2_0162DB60
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01653B7A mov eax, dword ptr fs:[00000030h]10_2_01653B7A
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01653B7A mov eax, dword ptr fs:[00000030h]10_2_01653B7A
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0162DB40 mov eax, dword ptr fs:[00000030h]10_2_0162DB40
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016F8B58 mov eax, dword ptr fs:[00000030h]10_2_016F8B58
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0162F358 mov eax, dword ptr fs:[00000030h]10_2_0162F358
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A309 mov eax, dword ptr fs:[00000030h]10_2_0164A309
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A309 mov eax, dword ptr fs:[00000030h]10_2_0164A309
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A309 mov eax, dword ptr fs:[00000030h]10_2_0164A309
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A309 mov eax, dword ptr fs:[00000030h]10_2_0164A309
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A309 mov eax, dword ptr fs:[00000030h]10_2_0164A309
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A309 mov eax, dword ptr fs:[00000030h]10_2_0164A309
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A309 mov eax, dword ptr fs:[00000030h]10_2_0164A309
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A309 mov eax, dword ptr fs:[00000030h]10_2_0164A309
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A309 mov eax, dword ptr fs:[00000030h]10_2_0164A309
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A309 mov eax, dword ptr fs:[00000030h]10_2_0164A309
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A309 mov eax, dword ptr fs:[00000030h]10_2_0164A309
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A309 mov eax, dword ptr fs:[00000030h]10_2_0164A309
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A309 mov eax, dword ptr fs:[00000030h]10_2_0164A309
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A309 mov eax, dword ptr fs:[00000030h]10_2_0164A309
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A309 mov eax, dword ptr fs:[00000030h]10_2_0164A309
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A309 mov eax, dword ptr fs:[00000030h]10_2_0164A309
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A309 mov eax, dword ptr fs:[00000030h]10_2_0164A309
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A309 mov eax, dword ptr fs:[00000030h]10_2_0164A309
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A309 mov eax, dword ptr fs:[00000030h]10_2_0164A309
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A309 mov eax, dword ptr fs:[00000030h]10_2_0164A309
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A309 mov eax, dword ptr fs:[00000030h]10_2_0164A309
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016E131B mov eax, dword ptr fs:[00000030h]10_2_016E131B
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016503E2 mov eax, dword ptr fs:[00000030h]10_2_016503E2
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016503E2 mov eax, dword ptr fs:[00000030h]10_2_016503E2
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016503E2 mov eax, dword ptr fs:[00000030h]10_2_016503E2
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016503E2 mov eax, dword ptr fs:[00000030h]10_2_016503E2
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016503E2 mov eax, dword ptr fs:[00000030h]10_2_016503E2
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016503E2 mov eax, dword ptr fs:[00000030h]10_2_016503E2
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164DBE9 mov eax, dword ptr fs:[00000030h]10_2_0164DBE9
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016D23E3 mov ecx, dword ptr fs:[00000030h]10_2_016D23E3
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016D23E3 mov ecx, dword ptr fs:[00000030h]10_2_016D23E3
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016D23E3 mov eax, dword ptr fs:[00000030h]10_2_016D23E3
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016A53CA mov eax, dword ptr fs:[00000030h]10_2_016A53CA
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016A53CA mov eax, dword ptr fs:[00000030h]10_2_016A53CA
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01654BAD mov eax, dword ptr fs:[00000030h]10_2_01654BAD
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01654BAD mov eax, dword ptr fs:[00000030h]10_2_01654BAD
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01654BAD mov eax, dword ptr fs:[00000030h]10_2_01654BAD
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016F5BA5 mov eax, dword ptr fs:[00000030h]10_2_016F5BA5
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016E138A mov eax, dword ptr fs:[00000030h]10_2_016E138A
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01631B8F mov eax, dword ptr fs:[00000030h]10_2_01631B8F
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01631B8F mov eax, dword ptr fs:[00000030h]10_2_01631B8F
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016DD380 mov ecx, dword ptr fs:[00000030h]10_2_016DD380
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0165138B mov eax, dword ptr fs:[00000030h]10_2_0165138B
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0165138B mov eax, dword ptr fs:[00000030h]10_2_0165138B
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0165138B mov eax, dword ptr fs:[00000030h]10_2_0165138B
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01652397 mov eax, dword ptr fs:[00000030h]10_2_01652397
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0165B390 mov eax, dword ptr fs:[00000030h]10_2_0165B390
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164EB9A mov eax, dword ptr fs:[00000030h]10_2_0164EB9A
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164EB9A mov eax, dword ptr fs:[00000030h]10_2_0164EB9A
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016DB260 mov eax, dword ptr fs:[00000030h]10_2_016DB260
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016DB260 mov eax, dword ptr fs:[00000030h]10_2_016DB260
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016F8A62 mov eax, dword ptr fs:[00000030h]10_2_016F8A62
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0166927A mov eax, dword ptr fs:[00000030h]10_2_0166927A
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01629240 mov eax, dword ptr fs:[00000030h]10_2_01629240
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01629240 mov eax, dword ptr fs:[00000030h]10_2_01629240
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01629240 mov eax, dword ptr fs:[00000030h]10_2_01629240
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01629240 mov eax, dword ptr fs:[00000030h]10_2_01629240
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016EEA55 mov eax, dword ptr fs:[00000030h]10_2_016EEA55
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016B4257 mov eax, dword ptr fs:[00000030h]10_2_016B4257
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01664A2C mov eax, dword ptr fs:[00000030h]10_2_01664A2C
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01664A2C mov eax, dword ptr fs:[00000030h]10_2_01664A2C
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A229 mov eax, dword ptr fs:[00000030h]10_2_0164A229
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A229 mov eax, dword ptr fs:[00000030h]10_2_0164A229
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A229 mov eax, dword ptr fs:[00000030h]10_2_0164A229
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A229 mov eax, dword ptr fs:[00000030h]10_2_0164A229
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A229 mov eax, dword ptr fs:[00000030h]10_2_0164A229
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A229 mov eax, dword ptr fs:[00000030h]10_2_0164A229
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A229 mov eax, dword ptr fs:[00000030h]10_2_0164A229
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A229 mov eax, dword ptr fs:[00000030h]10_2_0164A229
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164A229 mov eax, dword ptr fs:[00000030h]10_2_0164A229
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164B236 mov eax, dword ptr fs:[00000030h]10_2_0164B236
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164B236 mov eax, dword ptr fs:[00000030h]10_2_0164B236
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164B236 mov eax, dword ptr fs:[00000030h]10_2_0164B236
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164B236 mov eax, dword ptr fs:[00000030h]10_2_0164B236
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164B236 mov eax, dword ptr fs:[00000030h]10_2_0164B236
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164B236 mov eax, dword ptr fs:[00000030h]10_2_0164B236
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01638A0A mov eax, dword ptr fs:[00000030h]10_2_01638A0A
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01625210 mov eax, dword ptr fs:[00000030h]10_2_01625210
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01625210 mov ecx, dword ptr fs:[00000030h]10_2_01625210
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01625210 mov eax, dword ptr fs:[00000030h]10_2_01625210
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01625210 mov eax, dword ptr fs:[00000030h]10_2_01625210
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0162AA16 mov eax, dword ptr fs:[00000030h]10_2_0162AA16
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0162AA16 mov eax, dword ptr fs:[00000030h]10_2_0162AA16
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01643A1C mov eax, dword ptr fs:[00000030h]10_2_01643A1C
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016EAA16 mov eax, dword ptr fs:[00000030h]10_2_016EAA16
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016EAA16 mov eax, dword ptr fs:[00000030h]10_2_016EAA16
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01652AE4 mov eax, dword ptr fs:[00000030h]10_2_01652AE4
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016E4AEF mov eax, dword ptr fs:[00000030h]10_2_016E4AEF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016E4AEF mov eax, dword ptr fs:[00000030h]10_2_016E4AEF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016E4AEF mov eax, dword ptr fs:[00000030h]10_2_016E4AEF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016E4AEF mov eax, dword ptr fs:[00000030h]10_2_016E4AEF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016E4AEF mov eax, dword ptr fs:[00000030h]10_2_016E4AEF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016E4AEF mov eax, dword ptr fs:[00000030h]10_2_016E4AEF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016E4AEF mov eax, dword ptr fs:[00000030h]10_2_016E4AEF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016E4AEF mov eax, dword ptr fs:[00000030h]10_2_016E4AEF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016E4AEF mov eax, dword ptr fs:[00000030h]10_2_016E4AEF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016E4AEF mov eax, dword ptr fs:[00000030h]10_2_016E4AEF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016E4AEF mov eax, dword ptr fs:[00000030h]10_2_016E4AEF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016E4AEF mov eax, dword ptr fs:[00000030h]10_2_016E4AEF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016E4AEF mov eax, dword ptr fs:[00000030h]10_2_016E4AEF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016E4AEF mov eax, dword ptr fs:[00000030h]10_2_016E4AEF
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01652ACB mov eax, dword ptr fs:[00000030h]10_2_01652ACB
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016252A5 mov eax, dword ptr fs:[00000030h]10_2_016252A5
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016252A5 mov eax, dword ptr fs:[00000030h]10_2_016252A5
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016252A5 mov eax, dword ptr fs:[00000030h]10_2_016252A5
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016252A5 mov eax, dword ptr fs:[00000030h]10_2_016252A5
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016252A5 mov eax, dword ptr fs:[00000030h]10_2_016252A5
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0163AAB0 mov eax, dword ptr fs:[00000030h]10_2_0163AAB0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0163AAB0 mov eax, dword ptr fs:[00000030h]10_2_0163AAB0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0165FAB0 mov eax, dword ptr fs:[00000030h]10_2_0165FAB0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0165D294 mov eax, dword ptr fs:[00000030h]10_2_0165D294
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0165D294 mov eax, dword ptr fs:[00000030h]10_2_0165D294
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164C577 mov eax, dword ptr fs:[00000030h]10_2_0164C577
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0164C577 mov eax, dword ptr fs:[00000030h]10_2_0164C577
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01663D43 mov eax, dword ptr fs:[00000030h]10_2_01663D43
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016A3540 mov eax, dword ptr fs:[00000030h]10_2_016A3540
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016D3D40 mov eax, dword ptr fs:[00000030h]10_2_016D3D40
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01647D50 mov eax, dword ptr fs:[00000030h]10_2_01647D50
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0165F527 mov eax, dword ptr fs:[00000030h]10_2_0165F527
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0165F527 mov eax, dword ptr fs:[00000030h]10_2_0165F527
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0165F527 mov eax, dword ptr fs:[00000030h]10_2_0165F527
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0162AD30 mov eax, dword ptr fs:[00000030h]10_2_0162AD30
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01633D34 mov eax, dword ptr fs:[00000030h]10_2_01633D34
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01633D34 mov eax, dword ptr fs:[00000030h]10_2_01633D34
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01633D34 mov eax, dword ptr fs:[00000030h]10_2_01633D34
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01633D34 mov eax, dword ptr fs:[00000030h]10_2_01633D34
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01633D34 mov eax, dword ptr fs:[00000030h]10_2_01633D34
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01633D34 mov eax, dword ptr fs:[00000030h]10_2_01633D34
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01633D34 mov eax, dword ptr fs:[00000030h]10_2_01633D34
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01633D34 mov eax, dword ptr fs:[00000030h]10_2_01633D34
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01633D34 mov eax, dword ptr fs:[00000030h]10_2_01633D34
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01633D34 mov eax, dword ptr fs:[00000030h]10_2_01633D34
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01633D34 mov eax, dword ptr fs:[00000030h]10_2_01633D34
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01633D34 mov eax, dword ptr fs:[00000030h]10_2_01633D34
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01633D34 mov eax, dword ptr fs:[00000030h]10_2_01633D34
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016EE539 mov eax, dword ptr fs:[00000030h]10_2_016EE539
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016F8D34 mov eax, dword ptr fs:[00000030h]10_2_016F8D34
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016AA537 mov eax, dword ptr fs:[00000030h]10_2_016AA537
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01654D3B mov eax, dword ptr fs:[00000030h]10_2_01654D3B
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01654D3B mov eax, dword ptr fs:[00000030h]10_2_01654D3B
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_01654D3B mov eax, dword ptr fs:[00000030h]10_2_01654D3B
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0163D5E0 mov eax, dword ptr fs:[00000030h]10_2_0163D5E0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_0163D5E0 mov eax, dword ptr fs:[00000030h]10_2_0163D5E0
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016EFDE2 mov eax, dword ptr fs:[00000030h]10_2_016EFDE2
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016EFDE2 mov eax, dword ptr fs:[00000030h]10_2_016EFDE2
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016EFDE2 mov eax, dword ptr fs:[00000030h]10_2_016EFDE2
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016EFDE2 mov eax, dword ptr fs:[00000030h]10_2_016EFDE2
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016D8DF1 mov eax, dword ptr fs:[00000030h]10_2_016D8DF1
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016A6DC9 mov eax, dword ptr fs:[00000030h]10_2_016A6DC9
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016A6DC9 mov eax, dword ptr fs:[00000030h]10_2_016A6DC9
          Source: C:\Users\user\Desktop\PO_101&102.exeCode function: 10_2_016A6DC9 mov eax, dword ptr fs:[00000030h]10_2_016A6DC9
          Source: C:\Users\user\Desktop\PO_101&102.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\PO_101&102.exe Code function: 10_2_0040ACF0 LdrLoadDll, 10_2_0040ACF0
          Source: C:\Users\user\Desktop\PO_101&102.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe; Network Connect: 185.178.208.163 80
          Source: C:\Windows\explorer.exe; Domain query: www.reynbetgirisi.com
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\PO_101&102.exe; Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 100000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\PO_101&102.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\PO_101&102.exe; Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\PO_101&102.exe; Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\svchost.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\PO_101&102.exe; Memory written: C:\Users\user\Desktop\PO_101&102.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\PO_101&102.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\PO_101&102.exe; Thread register set: target process: 3352
          Source: C:\Windows\SysWOW64\svchost.exe; Thread register set: target process: 3352
          Source: C:\Users\user\Desktop\PO_101&102.exe; Process created: C:\Users\user\Desktop\PO_101&102.exe {path}
          Source: C:\Users\user\Desktop\PO_101&102.exe; Process created: C:\Users\user\Desktop\PO_101&102.exe {path}
          Source: C:\Windows\SysWOW64\svchost.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO_101&102.exe'
          Source: explorer.exe, 0000000B.00000000.329498700.00000000011E0000.00000002.00020000.sdmp, svchost.exe, 0000000F.00000002.561850229.0000000004590000.00000002.00020000.sdmp; Binary or memory string: Program Manager
          Source: explorer.exe, 0000000B.00000000.329180655.0000000000B68000.00000004.00000020.sdmp; Binary or memory string: Progman\Pr
          Source: explorer.exe, 0000000B.00000000.349357050.0000000005E10000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.561850229.0000000004590000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000B.00000000.329498700.00000000011E0000.00000002.00020000.sdmp, svchost.exe, 0000000F.00000002.561850229.0000000004590000.00000002.00020000.sdmp; Binary or memory string: Progman
          Source: explorer.exe, 0000000B.00000000.329498700.00000000011E0000.00000002.00020000.sdmp, svchost.exe, 0000000F.00000002.561850229.0000000004590000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
          Source: explorer.exe, 0000000B.00000000.353798297.0000000008778000.00000004.00000001.sdmp; Binary or memory string: Shell_TrayWndh
          Source: C:\Users\user\Desktop\PO_101&102.exe; Queries volume information: C:\Users\user\Desktop\PO_101&102.exe VolumeInformation
          Source: C:\Users\user\Desktop\PO_101&102.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO_101&102.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO_101&102.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO_101&102.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO_101&102.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO_101&102.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
          Execution: Shared Modules 1; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
          Privilege Escalation: Process Injection 612; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
          Defense Evasion: Rootkit 1; Masquerading 1; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 41; Process Injection 612; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 4; Software Packing 2; File Deletion 1
          Credential Access: Credential API Hooking 1; Input Capture 1; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
          Discovery: Security Software Discovery 221; Process Discovery 2; Virtualization/Sandbox Evasion 41; Remote System Discovery 1; System Information Discovery 112; System Owner/User Discovery; Network Sniffing; Network Service Scanning; System Network Connections Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
          Collection: Credential API Hooking 1; Input Capture 1; Archive Collected Data 1; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
          Command and Control: Encrypted Channel 1; Ingress Tool Transfer 1; Non-Application Layer Protocol 2; Application Layer Protocol 12; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

          Behavior Graph

          Behavior Graph ID: 510600, Sample: PO_101&102.exe, Startdate: 28/10/2021, Architecture: WINDOWS, Score: 100

          • Top level: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 10 other signatures. DNS/IP: www.francinegeorges.com
          • PO_101&102.exe (started). Dropped file: C:\Users\user\AppData\...\PO_101&102.exe.log, ASCII. Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
            • PO_101&102.exe (started). Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
              • explorer.exe (injected). DNS/IP: www.reynbetgirisi.com 185.178.208.163, 49816, 80 DDOS-GUARDRU Russian Federation. Signature: System process connects to network (likely due to code injection or exploit)
                • svchost.exe (started). Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                  • cmd.exe (started)
                    • conhost.exe (started)
            • PO_101&102.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          PO_101&102.exe | 36% | ReversingLabs | ByteCode-MSIL.Spyware.Noon
          PO_101&102.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          10.0.PO_101&102.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          10.0.PO_101&102.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          10.2.PO_101&102.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          10.0.PO_101&102.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs


          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.reynbetgirisi.com | 185.178.208.163 | true | true | | unknown
          www.francinegeorges.com | unknown | unknown | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.reynbetgirisi.com/snr6/?jDH8=E19JCPWLLAvTbcnEEa/roDJkoR1wzkcHqaxLe1hmnUekSrF+l+57NdrJs1Xds1ailiks&l0D0=fJBTE | true | Avira URL Cloud: malware | unknown
          www.reynbetgirisi.com/snr6/ | true | Avira URL Cloud: malware | low

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
                        unknown
                        http://www.fontbureau.com/designersPO_101&102.exe, 00000001.00000002.316119891.0000000007662000.00000004.00000001.sdmpfalse
                          high
                          http://www.tiro.comFPO_101&102.exe, 00000001.00000003.285531786.000000000646B000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.fonts.com-uIPO_101&102.exe, 00000001.00000003.285166630.000000000646B000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.goodfont.co.krPO_101&102.exe, 00000001.00000002.316119891.0000000007662000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.jiyu-kobo.co.jp/jp/PO_101&102.exe, 00000001.00000003.288893237.0000000006454000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.carterandcone.comlPO_101&102.exe, 00000001.00000002.316119891.0000000007662000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.sajatypeworks.comPO_101&102.exe, 00000001.00000003.285223985.0000000006474000.00000004.00000001.sdmp, PO_101&102.exe, 00000001.00000002.316119891.0000000007662000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.jiyu-kobo.co.jp/9PO_101&102.exe, 00000001.00000003.288893237.0000000006454000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.typography.netDPO_101&102.exe, 00000001.00000002.316119891.0000000007662000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.com/designers/cabarga.htmlNPO_101&102.exe, 00000001.00000002.316119891.0000000007662000.00000004.00000001.sdmpfalse
                            high
                            http://www.founder.com.cn/cn/cThePO_101&102.exe, 00000001.00000002.316119891.0000000007662000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.jiyu-kobo.co.jp/jp/_PO_101&102.exe, 00000001.00000003.288893237.0000000006454000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.galapagosdesign.com/staff/dennis.htmPO_101&102.exe, 00000001.00000003.309471550.0000000006450000.00000004.00000001.sdmp, PO_101&102.exe, 00000001.00000002.316119891.0000000007662000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://fontfabrik.comPO_101&102.exe, 00000001.00000002.316119891.0000000007662000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designers&PO_101&102.exe, 00000001.00000003.290680081.0000000006459000.00000004.00000001.sdmpfalse
                              high
                              http://www.founder.com.cn/cnPO_101&102.exe, 00000001.00000003.287344198.0000000006454000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designers/frere-jones.htmlPO_101&102.exe, 00000001.00000002.316119891.0000000007662000.00000004.00000001.sdmpfalse
                                high
                                http://www.jiyu-kobo.co.jp/0PO_101&102.exe, 00000001.00000003.288893237.0000000006454000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.jiyu-kobo.co.jp/PO_101&102.exe, 00000001.00000003.288893237.0000000006454000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://tempuri.org/DatabaseDataSet.xsdPO_101&102.exefalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.fonts.comnPO_101&102.exe, 00000001.00000003.285275223.000000000646B000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.galapagosdesign.com/DPleasePO_101&102.exe, 00000001.00000002.316119891.0000000007662000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers8PO_101&102.exe, 00000001.00000002.316119891.0000000007662000.00000004.00000001.sdmpfalse
                                  high
                                  http://www.fonts.comPO_101&102.exe, 00000001.00000002.316119891.0000000007662000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.sandoll.co.krPO_101&102.exe, 00000001.00000003.286605823.0000000006456000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com5PO_101&102.exe, 00000001.00000003.309471550.0000000006450000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePPO_101&102.exe, 00000001.00000002.311135246.00000000033C1000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.jiyu-kobo.co.jp/cPO_101&102.exe, 00000001.00000003.288893237.0000000006454000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.urwpp.deDPleasePO_101&102.exe, 00000001.00000002.316119891.0000000007662000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.sandoll.co.krEPO_101&102.exe, 00000001.00000003.286605823.0000000006456000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.zhongyicts.com.cnPO_101&102.exe, 00000001.00000002.316119891.0000000007662000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.sakkal.comPO_101&102.exe, 00000001.00000002.316119891.0000000007662000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fonts.com-uPO_101&102.exe, 00000001.00000003.285166630.000000000646B000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown

                                      Contacted IPs


                                      Public

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 185.178.208.163 | www.reynbetgirisi.com | Russian Federation | 57724 | DDOS-GUARDRU | true |

                                      General Information

                                      Joe Sandbox Version:33.0.0 White Diamond
                                      Analysis ID:510600
                                      Start date:28.10.2021
                                      Start time:00:35:11
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 11m 3s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Sample file name:PO_101&102.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                      Number of analysed new started processes analysed:28
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:1
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@9/1@2/1
                                      EGA Information:Failed
                                      HDC Information:
                                      • Successful, ratio: 16.2% (good quality ratio 14.5%)
                                      • Quality average: 72%
                                      • Quality standard deviation: 31.2%
                                      HCA Information:
                                      • Successful, ratio: 97%
                                      • Number of executed functions: 132
                                      • Number of non-executed functions: 189
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Found application associated with file extension: .exe
                                      Warnings:
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                      • Excluded IPs from analysis (whitelisted): 20.49.157.6, 93.184.221.240, 20.54.110.249, 52.251.79.25, 40.112.88.60, 40.91.112.76, 80.67.82.211, 80.67.82.235, 20.82.210.154
                                      • Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                      • Not all processes were analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                      Simulations

                                      Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 00:36:12 | API Interceptor | 2x Sleep call for process: PO_101&102.exe modified |

                                      Joe Sandbox View / Context

                                      IPs

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| 185.178.208.163 | S.O.A.exe | malicious | www.reynbetgirisi.com/snr6/?Q2JHDn=E19JCPWLLAvTbcnEEa/roDJkoR1wzkcHqaxLe1hmnUekSrF+l+57NdrJs1X3zFqihgss&j0Gh4=5j9l3Fyx |

                                      Domains

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| www.reynbetgirisi.com | S.O.A.exe | malicious | 185.178.208.163 |

                                      ASN

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| DDOS-GUARDRU | S.O.A.exe | malicious | 185.178.208.163 |
| DDOS-GUARDRU | 6xVYuXitGI.exe | malicious | 185.178.208.148 |
| DDOS-GUARDRU | vbc.exe | malicious | 185.129.100.113 |
| DDOS-GUARDRU | pYXAhd1foP.exe | malicious | 185.129.100.113 |
| DDOS-GUARDRU | DeqrIfxzHW.exe | malicious | 185.129.100.113 |
| DDOS-GUARDRU | Elon Musk Club - 024705 .htm | malicious | 185.129.100.115 |
| DDOS-GUARDRU | loligang.x86 | malicious | 185.129.101.234 |
| DDOS-GUARDRU | APfSnkgVzU | malicious | 185.129.101.214 |
| DDOS-GUARDRU | PO650.exe | malicious | 77.220.207.191 |
| DDOS-GUARDRU | ABhHk2dXUE.exe | malicious | 185.178.208.180 |
| DDOS-GUARDRU | vrTEp3LkwG.exe | malicious | 185.178.208.180 |
| DDOS-GUARDRU | sDsPEdoFdb.exe | malicious | 185.178.208.177 |
| DDOS-GUARDRU | SEPTEMBER ORDER.xlsx | malicious | 185.178.208.164 |
| DDOS-GUARDRU | Decline-331847309-06242021.xlsm | malicious | 5.253.62.174 |
| DDOS-GUARDRU | Decline-331847309-06242021.xlsm | malicious | 5.253.62.174 |
| DDOS-GUARDRU | Permission-851469163-06252021.xlsm | malicious | 185.240.103.219 |
| DDOS-GUARDRU | Permission-851469163-06252021.xlsm | malicious | 185.240.103.219 |
| DDOS-GUARDRU | Permission-830724601-06252021.xlsm | malicious | 185.240.103.219 |
| DDOS-GUARDRU | Permission-830724601-06252021.xlsm | malicious | 185.240.103.219 |
| DDOS-GUARDRU | Permission-40776837-06252021.xlsm | malicious | 185.240.103.219 |

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_101&102.exe.log
                                      Process:C:\Users\user\Desktop\PO_101&102.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1314
                                      Entropy (8bit):5.350128552078965
                                      Encrypted:false
                                      SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                      MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                      SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                      SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                      SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                      Malicious:true
                                      Reputation:high, very likely benign file
                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                      Static File Info

                                      General

                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.427190609127641
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Windows Screen Saver (13104/52) 0.07%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      File name:PO_101&102.exe
                                      File size:684032
                                      MD5:c8a5346cb632c91e0006252fd2c47bec
                                      SHA1:a671570c31428ebc9bee30c9a2b9963bf629560a
                                      SHA256:46a0a8595dccf134213c2e9ae10dd6fdd8e3ff5f0cb1b01014a6b67e31927eec
                                      SHA512:eb3f2e70339e04821b86ced686a47abec277f59a0f90d03b512d6023d71d24de0ae84c36983291d40ecbb4765b94d146affea45b8d09d0d000633af20cfdf528
                                      SSDEEP:12288:fhwV/8FumO5ZBLbGZ3EEFdmgTSuAReaSA7hqJFTP:fmV/8FumO/B3GtnmRufo7hq
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7vya..............P..f..........B.... ........@.. ....................................@................................

                                      File Icon

                                      Icon Hash:00828e8e8686b000

                                      Static PE Info

                                      General

                                      Entrypoint:0x4a8542
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                      Time Stamp:0x61797637 [Wed Oct 27 15:54:31 2021 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:v4.0.30319
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                      Entrypoint Preview

                                      Instruction
                                      jmp dword ptr [00402000h]
                                      add byte ptr [eax], al

                                      Data Directories

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa84f0 | 0x4f | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xaa000 | 0x5a4 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xac000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

                                      Sections

                                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x2000 | 0xa6548 | 0xa6600 | False | 0.698281073911 | data | 7.43588694795 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                      .rsrc | 0xaa000 | 0x5a4 | 0x600 | False | 0.418619791667 | data | 4.06372822623 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0xac000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                      Resources

                                      Name | RVA | Size | Type | Language | Country
                                      RT_VERSION | 0xaa090 | 0x314 | data | |
                                      RT_MANIFEST | 0xaa3b4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                      Imports

                                      DLL | Import
                                      mscoree.dll | _CorExeMain

                                      Version Infos

                                      Description | Data
                                      Translation | 0x0000 0x04b0
                                      LegalCopyright | Copyright 2019
                                      Assembly Version | 1.0.0.0
                                      InternalName | enNNpuJ.exe
                                      FileVersion | 1.0.0.0
                                      CompanyName |
                                      LegalTrademarks |
                                      Comments |
                                      ProductName | placement
                                      ProductVersion | 1.0.0.0
                                      FileDescription | placement
                                      OriginalFilename | enNNpuJ.exe

                                      Network Behavior

                                      TCP Packets

                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Oct 28, 2021 00:37:54.351341009 CEST | 49816 | 80 | 192.168.2.3 | 185.178.208.163
                                      Oct 28, 2021 00:37:54.375788927 CEST | 80 | 49816 | 185.178.208.163 | 192.168.2.3
                                      Oct 28, 2021 00:37:54.376008034 CEST | 49816 | 80 | 192.168.2.3 | 185.178.208.163
                                      Oct 28, 2021 00:37:54.376329899 CEST | 49816 | 80 | 192.168.2.3 | 185.178.208.163
                                      Oct 28, 2021 00:37:54.401038885 CEST | 80 | 49816 | 185.178.208.163 | 192.168.2.3
                                      Oct 28, 2021 00:37:54.402657032 CEST | 80 | 49816 | 185.178.208.163 | 192.168.2.3
                                      Oct 28, 2021 00:37:54.402678967 CEST | 80 | 49816 | 185.178.208.163 | 192.168.2.3
                                      Oct 28, 2021 00:37:54.403064013 CEST | 49816 | 80 | 192.168.2.3 | 185.178.208.163
                                      Oct 28, 2021 00:37:54.403167963 CEST | 49816 | 80 | 192.168.2.3 | 185.178.208.163
                                      Oct 28, 2021 00:37:54.717906952 CEST | 49816 | 80 | 192.168.2.3 | 185.178.208.163
                                      Oct 28, 2021 00:37:54.741796017 CEST | 80 | 49816 | 185.178.208.163 | 192.168.2.3

                                      UDP Packets

                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Oct 28, 2021 00:37:54.252959013 CEST | 56527 | 53 | 192.168.2.3 | 8.8.8.8
                                      Oct 28, 2021 00:37:54.319506884 CEST | 53 | 56527 | 8.8.8.8 | 192.168.2.3
                                      Oct 28, 2021 00:38:15.052742004 CEST | 49559 | 53 | 192.168.2.3 | 8.8.8.8
                                      Oct 28, 2021 00:38:15.117805004 CEST | 53 | 49559 | 8.8.8.8 | 192.168.2.3

                                      DNS Queries

                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                      Oct 28, 2021 00:37:54.252959013 CEST | 192.168.2.3 | 8.8.8.8 | 0x4941 | Standard query (0) | www.reynbetgirisi.com | A (IP address) | IN (0x0001)
                                      Oct 28, 2021 00:38:15.052742004 CEST | 192.168.2.3 | 8.8.8.8 | 0x80cf | Standard query (0) | www.francinegeorges.com | A (IP address) | IN (0x0001)

                                      DNS Answers

                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                      Oct 28, 2021 00:37:54.319506884 CEST | 8.8.8.8 | 192.168.2.3 | 0x4941 | No error (0) | www.reynbetgirisi.com | | 185.178.208.163 | A (IP address) | IN (0x0001)
                                      Oct 28, 2021 00:38:15.117805004 CEST | 8.8.8.8 | 192.168.2.3 | 0x80cf | Name error (3) | www.francinegeorges.com | none | none | A (IP address) | IN (0x0001)

                                      HTTP Request Dependency Graph

                                      • www.reynbetgirisi.com

                                      HTTP Packets

                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      0 | 192.168.2.3 | 49816 | 185.178.208.163 | 80 | C:\Windows\explorer.exe

                                      Timestamp | kBytes transferred | Direction | Data
                                      Oct 28, 2021 00:37:54.376329899 CEST | 5185 | OUT | GET /snr6/?jDH8=E19JCPWLLAvTbcnEEa/roDJkoR1wzkcHqaxLe1hmnUekSrF+l+57NdrJs1Xds1ailiks&l0D0=fJBTE HTTP/1.1
                                      Host: www.reynbetgirisi.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Oct 28, 2021 00:37:54.402657032 CEST | 5186 | IN | HTTP/1.1 301 Moved Permanently
                                      Server: ddos-guard
                                      Date: Wed, 27 Oct 2021 22:37:54 GMT
                                      Connection: close
                                      Location: https://www.reynbetgirisi.com/snr6/?jDH8=E19JCPWLLAvTbcnEEa/roDJkoR1wzkcHqaxLe1hmnUekSrF+l+57NdrJs1Xds1ailiks&l0D0=fJBTE
                                      Content-Type: text/html; charset=utf8
                                      Content-Length: 568
                                      Data Ascii: <!DOCTYPE html><html lang=en><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 301</title><style>*{margin:0;padding:0}html{font:15px/22px arial,sans-serif;background: #fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}p{margin:11px 0 22px;overflow :hidden}ins{color:#777;text-decoration :none;}</style><p><b>301 - Moved Permanently .</b> <ins>Thats an error.</ins><p>Requested content has been permanently moved. <ins>Thats all we know.</ins>


                                      Code Manipulations

                                      User Modules

                                      Hook Summary

                                      Function Name | Hook Type | Active in Processes
                                      PeekMessageA | INLINE | explorer.exe
                                      PeekMessageW | INLINE | explorer.exe
                                      GetMessageW | INLINE | explorer.exe
                                      GetMessageA | INLINE | explorer.exe

                                      Processes

                                      Process: explorer.exe, Module: user32.dll
                                      Function Name | Hook Type | New Data
                                      PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xE3
                                      PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xE3
                                      GetMessageW | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xE3
                                      GetMessageA | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xE3

                                      System Behavior

                                      General

                                      Start time:00:36:04
                                      Start date:28/10/2021
                                      Path:C:\Users\user\Desktop\PO_101&102.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Users\user\Desktop\PO_101&102.exe'
                                      Imagebase:0xf90000
                                      File size:684032 bytes
                                      MD5 hash:C8A5346CB632C91E0006252FD2C47BEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.312254656.0000000004500000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.312254656.0000000004500000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.312254656.0000000004500000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:low

                                      General

                                      Start time:00:36:14
                                      Start date:28/10/2021
                                      Path:C:\Users\user\Desktop\PO_101&102.exe
                                      Wow64 process (32bit):false
                                      Commandline:{path}
                                      Imagebase:0x180000
                                      File size:684032 bytes
                                      MD5 hash:C8A5346CB632C91E0006252FD2C47BEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low

                                      General

                                      Start time:00:36:15
                                      Start date:28/10/2021
                                      Path:C:\Users\user\Desktop\PO_101&102.exe
                                      Wow64 process (32bit):true
                                      Commandline:{path}
                                      Imagebase:0xaf0000
                                      File size:684032 bytes
                                      MD5 hash:C8A5346CB632C91E0006252FD2C47BEC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.307243585.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.307243585.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.307243585.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.371409464.0000000001530000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.371409464.0000000001530000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.371409464.0000000001530000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.371246188.0000000001500000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.371246188.0000000001500000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.371246188.0000000001500000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.308236166.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.308236166.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.308236166.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:low

                                      General

                                      Start time:00:36:18
                                      Start date:28/10/2021
                                      Path:C:\Windows\explorer.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\Explorer.EXE
                                      Imagebase:0x7ff720ea0000
                                      File size:3933184 bytes
                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.352889129.0000000007949000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.352889129.0000000007949000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.352889129.0000000007949000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.335987438.0000000007949000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.335987438.0000000007949000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.335987438.0000000007949000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:high

                                      General

                                      Start time:00:36:42
                                      Start date:28/10/2021
                                      Path:C:\Windows\SysWOW64\svchost.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\svchost.exe
                                      Imagebase:0x100000
                                      File size:44520 bytes
                                      MD5 hash:FA6C268A5B5BDA067A901764D203D433
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.558614233.0000000002E40000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.558614233.0000000002E40000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.558614233.0000000002E40000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.555083742.00000000001A0000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.555083742.00000000001A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.555083742.00000000001A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:high

                                      General

                                      Start time:00:36:47
                                      Start date:28/10/2021
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:/c del 'C:\Users\user\Desktop\PO_101&102.exe'
                                      Imagebase:0xd80000
                                      File size:232960 bytes
                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:00:36:48
                                      Start date:28/10/2021
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7f20f0000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Disassembly

                                      Code Analysis

                                        Executed Functions

                                        • Instruction ID: 9e00ea0b1296b116ab42371b5401a74a50c39eed119de9f783eae5f42ccfb20a
                                        • Opcode Fuzzy Hash: 60ee1c8342a32f16629cd27d2cb1b9f8b66e86212cd6dcaf5af36ebdfa6fb9ac
                                        • Instruction Fuzzy Hash: 4421E0B1E006598BEB18CFA7C94569EBBF3EFC8300F14C179D409A6258DB345946CF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 01996C00
                                        • GetCurrentThread.KERNEL32 ref: 01996C3D
                                        • GetCurrentProcess.KERNEL32 ref: 01996C7A
                                        • GetCurrentThreadId.KERNEL32 ref: 01996CD3
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310603207.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: false
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: 3f2a4be2a29d8ce493b8222f3c64e093a4d14f4b437ec9aab844a091bf6a74c7
                                        • Instruction ID: fb36ee343f554c7f6471738536e65a2910db30ea4c670a7d581332c052370010
                                        • Opcode Fuzzy Hash: 3f2a4be2a29d8ce493b8222f3c64e093a4d14f4b437ec9aab844a091bf6a74c7
                                        • Instruction Fuzzy Hash: 0E5173B4D006498FDB14CFAAD988BDEBBF4EF49304F24846EE019A7250E774A844CB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 01996C00
                                        • GetCurrentThread.KERNEL32 ref: 01996C3D
                                        • GetCurrentProcess.KERNEL32 ref: 01996C7A
                                        • GetCurrentThreadId.KERNEL32 ref: 01996CD3
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310603207.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: false
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: 0c664f3cd6cd3a61e790da3e59df171708f6990d8cc134fd814dabc17183a54f
                                        • Instruction ID: c4e7236577664ce0525ad54aebd43cf6dad477f69887c301fa1f4e230e5b2d28
                                        • Opcode Fuzzy Hash: 0c664f3cd6cd3a61e790da3e59df171708f6990d8cc134fd814dabc17183a54f
                                        • Instruction Fuzzy Hash: E15164B4D006498FDB14CFAAD588BDEBBF4FB48304F24846EE119B7250E774A944CB65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0199BE0E
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310603207.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: false
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: 7bf5a67706182c7bcf056b64b942b6285d70f1876ba6d05c7b9a11684b96b9c4
                                        • Instruction ID: 12c73f7b4cf4e924d5c997db9b07bf8624edfff0a7fd808c92b15fe6ddc14646
                                        • Opcode Fuzzy Hash: 7bf5a67706182c7bcf056b64b942b6285d70f1876ba6d05c7b9a11684b96b9c4
                                        • Instruction Fuzzy Hash: 66712770A00B058FDB24DF6ED055B9ABBF5FF88205F00892ED54AD7A40EB79E805CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 07DF52F3
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: c2ae8ad86c7821784d4b9ae5fc2b4a8ae29e898a5549fee812b404025a1bf1d3
                                        • Instruction ID: eaa0338c8a528f9804a199961a77be8f1dbafd7e0c0b923ebf09e2cdae51d175
                                        • Opcode Fuzzy Hash: c2ae8ad86c7821784d4b9ae5fc2b4a8ae29e898a5549fee812b404025a1bf1d3
                                        • Instruction Fuzzy Hash: D85137B1D01319DFDB10CF99D880BDDBBB6BF48314F15859AE909A7210DB709A89CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 07DF52F3
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: b1262639d8eaa02809fe2a4d53af00caad50cfbe3259bc0f8ab3c79519251370
                                        • Instruction ID: 079facb48ad05218e7afb0b877228026c3a46258ea944d9ba8b278acf97c07be
                                        • Opcode Fuzzy Hash: b1262639d8eaa02809fe2a4d53af00caad50cfbe3259bc0f8ab3c79519251370
                                        • Instruction Fuzzy Hash: 035117B1D01329DFDB10CF99D880BDDBBB6BF48314F15859AE509A7210DB709A88CF91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0199DD8A
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310603207.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: false
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID:
                                        • API String ID: 716092398-0
                                        • Opcode ID: e927be0363b79e2ef698694732bf6847594aa8d514fa6ee2a98f10174c434626
                                        • Instruction ID: e737198fb5739ebe89c9ef5008cfefad5aa59229d8a32748bb5cc52fec3ce86f
                                        • Opcode Fuzzy Hash: e927be0363b79e2ef698694732bf6847594aa8d514fa6ee2a98f10174c434626
                                        • Instruction Fuzzy Hash: 7051B0B1D002499FDF14CFE9D884ADEBBB5BF88314F24852AE819AB210D7759945CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0199DD8A
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310603207.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: false
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID:
                                        • API String ID: 716092398-0
                                        • Opcode ID: 50e43f06c17992f4098f6fca8af887b6669f6b2a68f332b900e3f3dfa101ea88
                                        • Instruction ID: 191ed6b8260de233a8eef94f0beacdb28ee0306fe92dc33a2c2f45fb2503d71f
                                        • Opcode Fuzzy Hash: 50e43f06c17992f4098f6fca8af887b6669f6b2a68f332b900e3f3dfa101ea88
                                        • Instruction Fuzzy Hash: A641B0B1D003099FDF14CFE9C884ADEBBB5BF48314F24852AE519AB210D775A945CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01996E4F
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310603207.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: false
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 9743d5b8264a9b5c8e5688c52eee223ee8fe2a9f048d898328708f347ee51a52
                                        • Instruction ID: 20f6904655265a876f1c0de14683143d3774a05355c5db80ca786f671ba39869
                                        • Opcode Fuzzy Hash: 9743d5b8264a9b5c8e5688c52eee223ee8fe2a9f048d898328708f347ee51a52
                                        • Instruction Fuzzy Hash: 02415BB69002099FCF11CFA9D884AEEBFF5FB98310F14841AE914A7310D735A954DFA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,05A2C48D,?,?), ref: 05A2C53F
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312909549.0000000005A20000.00000040.00000001.sdmp, Offset: 05A20000, based on PE: false
                                        Similarity
                                        • API ID: DrawText
                                        • String ID:
                                        • API String ID: 2175133113-0
                                        • Opcode ID: 00a0827530b2fadd7243018b768a29f98c489e2e5708325ab91b8103c7c2f89e
                                        • Instruction ID: 4a473fe46dd1faa2a43382c4076a18baa3d385d359313bdb1dd5b308dcc25b2c
                                        • Opcode Fuzzy Hash: 00a0827530b2fadd7243018b768a29f98c489e2e5708325ab91b8103c7c2f89e
                                        • Instruction Fuzzy Hash: 8D31E2B1900219AFDB10CF99D884AEEFBF4FF48320F14842EE919A7210D775A944CFA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,05A2C48D,?,?), ref: 05A2C53F
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312909549.0000000005A20000.00000040.00000001.sdmp, Offset: 05A20000, based on PE: false
                                        Similarity
                                        • API ID: DrawText
                                        • String ID:
                                        • API String ID: 2175133113-0
                                        • Opcode ID: 98e79bacf9f3c60c65e3b4cb9e38f4cf27ec897af78fb834bbfbd35ba171cc7f
                                        • Instruction ID: 9daaf2c47937eb0a55edd8e68b8a9e31d445d62db3fc702a906a4e7bc8d9ec57
                                        • Opcode Fuzzy Hash: 98e79bacf9f3c60c65e3b4cb9e38f4cf27ec897af78fb834bbfbd35ba171cc7f
                                        • Instruction Fuzzy Hash: 17217C72D00218AFCF109FA8D804BDEBBB5FF88364F15852AE915B7250D731A965DBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,05A2C48D,?,?), ref: 05A2C53F
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312909549.0000000005A20000.00000040.00000001.sdmp, Offset: 05A20000, based on PE: false
                                        Similarity
                                        • API ID: DrawText
                                        • String ID:
                                        • API String ID: 2175133113-0
                                        • Opcode ID: f1efad02ab2df5bb653936931393bf7eb0d4008bb29c265c34b46c59730aab9d
                                        • Instruction ID: 935d0a3d236984e3a6a35b170250a159c60e21bca0c2978456b5ac3b547d272f
                                        • Opcode Fuzzy Hash: f1efad02ab2df5bb653936931393bf7eb0d4008bb29c265c34b46c59730aab9d
                                        • Instruction Fuzzy Hash: 3521C0B5D012199FDB10CFA9D884AEEBBF4FB48324F14842EE919A7210D775A944CFA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetTextExtentPoint32W.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,05A2A66F,?,?,?), ref: 05A2A70E
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312909549.0000000005A20000.00000040.00000001.sdmp, Offset: 05A20000, based on PE: false
                                        Similarity
                                        • API ID: ExtentPoint32Text
                                        • String ID:
                                        • API String ID: 223599850-0
                                        • Opcode ID: d6065aea211b0461131f63695c89ca452e4a6c975734863ed7b9b6428fe3e5d6
                                        • Instruction ID: 85548da9ddb7f295ae3377aad0f5a0d5917490003ccfe94eab747082c8252833
                                        • Opcode Fuzzy Hash: d6065aea211b0461131f63695c89ca452e4a6c975734863ed7b9b6428fe3e5d6
                                        • Instruction Fuzzy Hash: A021D4B19013199FDB10CFE9D484AEEFBF5FB58314F14842EE519A7200D3B5A944CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07DF58ED
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: 6692e295e428ac69a4ac930138445be5e4294c6ca38f9fcb80bbf5fb4f685c26
                                        • Instruction ID: b3327e8dfc4126f7de6acec7acddcb7c296204529adca10c9d54bdce14e73eb0
                                        • Opcode Fuzzy Hash: 6692e295e428ac69a4ac930138445be5e4294c6ca38f9fcb80bbf5fb4f685c26
                                        • Instruction Fuzzy Hash: 982107B6900219DFCB10CFA9D985BDEBBF5FB48320F14852AE519A3340D778A554CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07DF58ED
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: 79218e1dcffd75da03cf36734170bca69a45b16726f03bc7f8317b80cda8b640
                                        • Instruction ID: e6a0c534dd70b91b6e58dc07fa6967b9e29caf41e5e9378119dd689a0b2fe8a2
                                        • Opcode Fuzzy Hash: 79218e1dcffd75da03cf36734170bca69a45b16726f03bc7f8317b80cda8b640
                                        • Instruction Fuzzy Hash: B421E4B1900259DFCB14CFAAD885BDEFBF4FB48324F14852AE919A3240D774A954CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01996E4F
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310603207.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: false
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 85412aa1dce75acc323a5f02fddd66c513fa8f942fc21adbf8e9bbf515523cf8
                                        • Instruction ID: c8e22f041e1b517a69d540b0bb506d68cbb2c0a6149234d9b846ed72fbf7165a
                                        • Opcode Fuzzy Hash: 85412aa1dce75acc323a5f02fddd66c513fa8f942fc21adbf8e9bbf515523cf8
                                        • Instruction Fuzzy Hash: 0A21D4B59012099FDF10CFA9D484ADEFBF8FF48324F14841AE918A7210D374A954DFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetTextExtentPoint32W.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,05A2A66F,?,?,?), ref: 05A2A70E
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.312909549.0000000005A20000.00000040.00000001.sdmp, Offset: 05A20000, based on PE: false
                                        Similarity
                                        • API ID: ExtentPoint32Text
                                        • String ID:
                                        • API String ID: 223599850-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01996E4F
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310603207.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: false
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07DF564F
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07DF564F
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetThreadContext.KERNELBASE(?,00000000), ref: 07DF5587
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID: ContextThread
                                        • String ID:
                                        • API String ID: 1591575202-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetThreadContext.KERNELBASE(?,00000000), ref: 07DF5587
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID: ContextThread
                                        • String ID:
                                        • API String ID: 1591575202-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07BDF2D3
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318598202.0000000007BD0000.00000040.00000001.sdmp, Offset: 07BD0000, based on PE: false
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID:
                                        • API String ID: 544645111-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0199BE89,00000800,00000000,00000000), ref: 0199C09A
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310603207.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0199BE89,00000800,00000000,00000000), ref: 0199C09A
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310603207.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07DF570B
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07DF570B
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0199BE0E
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310603207.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: false
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetWindowLongW.USER32(?,?,?), ref: 0199DF1D
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310603207.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: false
                                        Similarity
                                        • API ID: LongWindow
                                        • String ID:
                                        • API String ID: 1378638983-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • PostMessageW.USER32(?,?,?,?), ref: 07DF5D95
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • PostMessageW.USER32(?,?,?,?), ref: 07DF5D95
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetWindowLongW.USER32(?,?,?), ref: 0199DF1D
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310603207.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: false
                                        Similarity
                                        • API ID: LongWindow
                                        • String ID:
                                        • API String ID: 1378638983-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310138121.00000000015DD000.00000040.00000001.sdmp, Offset: 015DD000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310154652.00000000015ED000.00000040.00000001.sdmp, Offset: 015ED000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310154652.00000000015ED000.00000040.00000001.sdmp, Offset: 015ED000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310154652.00000000015ED000.00000040.00000001.sdmp, Offset: 015ED000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310138121.00000000015DD000.00000040.00000001.sdmp, Offset: 015DD000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310154652.00000000015ED000.00000040.00000001.sdmp, Offset: 015ED000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310138121.00000000015DD000.00000040.00000001.sdmp, Offset: 015DD000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310138121.00000000015DD000.00000040.00000001.sdmp, Offset: 015DD000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: j{TI$kv3
                                        • API String ID: 0-2009563758
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: j{TI$kv3
                                        • API String ID: 0-2009563758
                                        • Opcode ID: 56436920e59c49aaf802f236abc33f9f52ba28f11f154ffc09bb3d7fb601c7b8
                                        • Instruction ID: 8b9ab980d0bd51d79c50994a5628b093849b945a59a72a0cd32ce8d23041dc02
                                        • Opcode Fuzzy Hash: 56436920e59c49aaf802f236abc33f9f52ba28f11f154ffc09bb3d7fb601c7b8
                                        • Instruction Fuzzy Hash: 8EA1F9B4E1051ADBDB14CFA9C980AADFBF6BB89304F24C5A9D808A7315D731A941CF60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: $$Wpd
                                        • API String ID: 0-2631054920
                                        • Opcode ID: ca251c0a550af81876005e4d34cf5e6b5c0f6ebb1c6ae0fa2bf1cb032b0a5fa8
                                        • Instruction ID: 137d28d852ac67f569c907ca07bf8272f466080eb9958c9c1b6f4e3149b23b66
                                        • Opcode Fuzzy Hash: ca251c0a550af81876005e4d34cf5e6b5c0f6ebb1c6ae0fa2bf1cb032b0a5fa8
                                        • Instruction Fuzzy Hash: 537127B0E1520ACFCB04DFA5D5415AEFBF2FF89200F12A42AD555A7304EB3599068FA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: $$Wpd
                                        • API String ID: 0-2631054920
                                        • Opcode ID: 7ec67543215d298253dcd747d687c4bf93f4b7471b0a170d695728e068d2be29
                                        • Instruction ID: a8a99a4abe775db208ad710ca087e08d593b677a9828525f0ece7db017092e92
                                        • Opcode Fuzzy Hash: 7ec67543215d298253dcd747d687c4bf93f4b7471b0a170d695728e068d2be29
                                        • Instruction Fuzzy Hash: 427127B0E1521ACFCB04DFE6D4415AEFBF2FF89200F12A42AD555A7314DB349A068FA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318598202.0000000007BD0000.00000040.00000001.sdmp, Offset: 07BD0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID: 7EK
                                        • API String ID: 0-8942696
                                        • Opcode ID: e26bc9f7dff81e3bf457f0d11cbc819f4886d2e69e61cbe7b443f9b05fbe10c2
                                        • Instruction ID: 80009a37dcebcfba435814648cc0768fb3bedf6342631e1d0cd5b5e2f55756fc
                                        • Opcode Fuzzy Hash: e26bc9f7dff81e3bf457f0d11cbc819f4886d2e69e61cbe7b443f9b05fbe10c2
                                        • Instruction Fuzzy Hash: CB41D6B0E1560ADFDB44CFA6C5815EEFBF2AB89300F24C5AAC419B7214E7349A41CF94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.309714727.0000000000F92000.00000002.00020000.sdmp, Offset: 00F90000, based on PE: true
                                        • Associated: 00000001.00000002.309704875.0000000000F90000.00000002.00020000.sdmp
                                        • Associated: 00000001.00000002.309840314.000000000103A000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 59a6884187842ae8fa403de64710de248849e3273780b120adece22749eb4c36
                                        • Instruction ID: 6edda8708ce9cd4d867e28d68f948543cf6c4065e8256cad43177d1481e71979
                                        • Opcode Fuzzy Hash: 59a6884187842ae8fa403de64710de248849e3273780b120adece22749eb4c36
                                        • Instruction Fuzzy Hash: 9782087140E3D29FCB474F789CA15D17FB0AE5331871E05DBC4C18E0A7E2296A6ADB62
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310603207.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d281442309f143e97a834dbe0100da5fe5e1a71cd6b8fa5b2dccbe4d1dbb36f8
                                        • Instruction ID: 66b5b77613f074475a43b90b3580bf9d67b58ab4dbce36d6ea5a66b96c90d287
                                        • Opcode Fuzzy Hash: d281442309f143e97a834dbe0100da5fe5e1a71cd6b8fa5b2dccbe4d1dbb36f8
                                        • Instruction Fuzzy Hash: 735279B1540B068FD710EF18FACC1993BB1FBA6328FA0C289D1655B6D8DBB46546CF84
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.310603207.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3827363947bb90e6316ace0385dadc1debdd7a9d3ecfccb308d9222b6d98716b
                                        • Instruction ID: dd95b0da35d4182aebcde1a0eff03182da15ebf8b17c6b770c00e1e783e4cbad
                                        • Opcode Fuzzy Hash: 3827363947bb90e6316ace0385dadc1debdd7a9d3ecfccb308d9222b6d98716b
                                        • Instruction Fuzzy Hash: 89A1A432E0021A8FCF05DFB9D8449DDBBB6FF85301B15856AE90ABB261DB35A945CB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318598202.0000000007BD0000.00000040.00000001.sdmp, Offset: 07BD0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 357c0662d833e04499ffc4d493e42d3f0f40322913b06424c8f0d49a99d818b0
                                        • Instruction ID: 8f4002c237636f8f086850a0544e778c1c868d37e4e8b836d5853960ca5f0318
                                        • Opcode Fuzzy Hash: 357c0662d833e04499ffc4d493e42d3f0f40322913b06424c8f0d49a99d818b0
                                        • Instruction Fuzzy Hash: AD814BB4E1511A9FDB14CFA9D980AAEFBF2FB89200F24D1A9D419A7215E7309D41CF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318598202.0000000007BD0000.00000040.00000001.sdmp, Offset: 07BD0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ecffbc0cf1a7ed4ba702128f0308f2877b5fda1b19b532d6a8d721fcfe302ddc
                                        • Instruction ID: 8772e263cebad41808943f5690b7c308610de055b159a64653db754767a19cef
                                        • Opcode Fuzzy Hash: ecffbc0cf1a7ed4ba702128f0308f2877b5fda1b19b532d6a8d721fcfe302ddc
                                        • Instruction Fuzzy Hash: 5581D0B4E11219DFCB04CFA9C68499EBBF2FF89210F249569D419AB310E334AE42CF55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7b3452a4c22aef16179dde0d3e65b9eabdb225d7354bc5d4ca7dd08e439f047c
                                        • Instruction ID: fe23bc407c047bae448d04d187d3ef2640b7d30789b9c7bdc24079f2d71317fa
                                        • Opcode Fuzzy Hash: 7b3452a4c22aef16179dde0d3e65b9eabdb225d7354bc5d4ca7dd08e439f047c
                                        • Instruction Fuzzy Hash: AA6138B1E1466ACBDB24CF66CD44799FBB2FBC9300F0591EAC50DA7614EB309A819F40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318598202.0000000007BD0000.00000040.00000001.sdmp, Offset: 07BD0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c7271df6d523c24f1b55322d808733e79619dd57e6813cac808c2c1e8852dd75
                                        • Instruction ID: 6ba9330b1edb8acdade72930dda849ef330cf09f41caa5c7378eb85db4c8a2b9
                                        • Opcode Fuzzy Hash: c7271df6d523c24f1b55322d808733e79619dd57e6813cac808c2c1e8852dd75
                                        • Instruction Fuzzy Hash: B551B2B4E15219CFDB08CFAAD5809DEFBF2FB89310F24946AD405B7224E7349A41CB55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6e0c569bd1d2da082db4e23f26aa91172203039644bc7e9af2c6901c8c72891a
                                        • Instruction ID: 73f25c83e0b98b355e94e8dd08ca0d43f15d7628035f70dfa73759eecd891c2a
                                        • Opcode Fuzzy Hash: 6e0c569bd1d2da082db4e23f26aa91172203039644bc7e9af2c6901c8c72891a
                                        • Instruction Fuzzy Hash: 6C514BB1E1565ACBDB28CF66CD44799FBB2FFC8300F1482EAD509A7614EB305A859F40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318598202.0000000007BD0000.00000040.00000001.sdmp, Offset: 07BD0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ad7baaa69cff4c8b36b002ad1821edc155a658aeeecf54d11396888881aa2729
                                        • Instruction ID: 0be422bc6e718b0c77a624806f6ae471115e6d524fd93799ba3f5744d468ecca
                                        • Opcode Fuzzy Hash: ad7baaa69cff4c8b36b002ad1821edc155a658aeeecf54d11396888881aa2729
                                        • Instruction Fuzzy Hash: 775108B0E1460ADBDB08CFA6C5815EEFBF2FF89340F14D46AC519A7254E7349A428F94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318598202.0000000007BD0000.00000040.00000001.sdmp, Offset: 07BD0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bb40afc91ae318d4f1846b347dad3a7c40ac814362babf4099e6f431d28fcd51
                                        • Instruction ID: c3e4e05f9f4ce67ac80fedc797f60fe2617b0e90d5c22b0ae727dd2454f7832b
                                        • Opcode Fuzzy Hash: bb40afc91ae318d4f1846b347dad3a7c40ac814362babf4099e6f431d28fcd51
                                        • Instruction Fuzzy Hash: 60414DB1E116188BEB58CF6B9D4569AFBF3AFC8304F14C1BA954CA6214EB304A858F51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2219e945b0917f1922e88773b9b570f5d536a55ec6d04d6f4870f14ff6c4bbcf
                                        • Instruction ID: e2fbe975750287b241f75a2f455034a9ee88627b427bb41356b5e143c0235f05
                                        • Opcode Fuzzy Hash: 2219e945b0917f1922e88773b9b570f5d536a55ec6d04d6f4870f14ff6c4bbcf
                                        • Instruction Fuzzy Hash: AB31A0B0E162499FDB09CFA6D94069EFBF3AFC5200F15C16AD408EB265D7344A41CB51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5493c7fd66ebbd60d2ff6bf444e95d7d957d2acaf2cd121433d411b0f350baae
                                        • Instruction ID: e01eaa2ad1be2e062c40fc5471c7c3033be7681ff820760921a2e79f736d1d2c
                                        • Opcode Fuzzy Hash: 5493c7fd66ebbd60d2ff6bf444e95d7d957d2acaf2cd121433d411b0f350baae
                                        • Instruction Fuzzy Hash: 923159B0E11219DBDB08CFAAD94069EFBF6FFC8210F14D02AD408B7265DB348A01CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 019dffe28ea0b74cc3d49d7d79cc3ba2348d70fff273326ba4e2fe0fd6f99d3d
                                        • Instruction ID: de0823d833b0cbf009603a0a9608339d387b087f0375944c656c7310a0552d0a
                                        • Opcode Fuzzy Hash: 019dffe28ea0b74cc3d49d7d79cc3ba2348d70fff273326ba4e2fe0fd6f99d3d
                                        • Instruction Fuzzy Hash: 82213970E15249CFDB18CF6BD84469EBBF6AF89300F18C0AAD508AB265EB344A05CB51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318968024.0000000007DF0000.00000040.00000001.sdmp, Offset: 07DF0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dcd954aa400967f3f29e889faf67825058d8d7c9d07c84433cbbc06581cb8328
                                        • Instruction ID: e3d365154eaefb5c3962fa25e5d745bd16bcd0d5dcdd52f5de08406dbc25d8af
                                        • Opcode Fuzzy Hash: dcd954aa400967f3f29e889faf67825058d8d7c9d07c84433cbbc06581cb8328
                                        • Instruction Fuzzy Hash: 74113671E112198BDB08CFAAE94069EFAF7AFC8210F14C17AD508A7214EB308A058B50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.318598202.0000000007BD0000.00000040.00000001.sdmp, Offset: 07BD0000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b5f6f0194370db683e401c99fc93d7d03bf3e4686d91293a34f62e8502f9bbde
                                        • Instruction ID: 06f432ac13d874d3c612a791a84dc66858115fe5f66e9ceba9f763fd277baf0d
                                        • Opcode Fuzzy Hash: b5f6f0194370db683e401c99fc93d7d03bf3e4686d91293a34f62e8502f9bbde
                                        • Instruction Fuzzy Hash: F711C9B1E106189BEB0CCFABD80569EFAF3AFC8200F04C07AD918A6254EF3449468F51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.309714727.0000000000F92000.00000002.00020000.sdmp, Offset: 00F90000, based on PE: true
                                        • Associated: 00000001.00000002.309704875.0000000000F90000.00000002.00020000.sdmp
                                        • Associated: 00000001.00000002.309840314.000000000103A000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8ee45d98eb1a5245db8818e74618f9a44854acd0953462557fe1bf23598346fd
                                        • Instruction ID: 936ccf6a0d47fa9579371b8e6bf0492ab8915d6854e175c4103db18e458d12e1
                                        • Opcode Fuzzy Hash: 8ee45d98eb1a5245db8818e74618f9a44854acd0953462557fe1bf23598346fd
                                        • Instruction Fuzzy Hash: 30E0922605DAC6AFDB436BB489702D1BFB6AE4721536E55D1C0D04B423D3226A34CB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Executed Functions

                                        C-Code - Quality: 37%
                                        			E0041A40D(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                        				void* _t18;
                                        				void* _t28;
                                        				void* _t29;
                                        				intOrPtr* _t30;
                                        				void* _t32;
                                        
                                        				_t13 = _a4;
                                        				_t30 = _a4 + 0xc48;
                                        				E0041AF60(_t28, _t13, _t30,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                        				_t4 =  &_a40; // 0x414a31
                                        				_t6 =  &_a32; // 0x414d72
                                        				_t12 =  &_a8; // 0x414d72
                                        				_t18 =  *((intOrPtr*)( *_t30))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4, _t29, _t32); // executed
                                        				return _t18;
                                        			}









                                        APIs
                                        • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID: 1JA$rMA$rMA
                                        • API String ID: 2738559852-782607585
                                        • Opcode ID: 0e04a803f5e259f0d5bacdee2b7c3f5a2feb64ba838f92ce499d636879965c2e
                                        • Instruction ID: b72db96ae2617f363b1935093db4b83570b1ccb8e4aae8d3470fc1ce09002b38
                                        • Opcode Fuzzy Hash: 0e04a803f5e259f0d5bacdee2b7c3f5a2feb64ba838f92ce499d636879965c2e
                                        • Instruction Fuzzy Hash: A3F017B2200108AFCB08CF99CC90EEB77AAEF8C354F158249FA0DD7240C630E811CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 37%
                                        			E0041A410(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                        				void* _t18;
                                        				void* _t27;
                                        				intOrPtr* _t28;
                                        
                                        				_t13 = _a4;
                                        				_t28 = _a4 + 0xc48;
                                        				E0041AF60(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                        				_t4 =  &_a40; // 0x414a31
                                        				_t6 =  &_a32; // 0x414d72
                                        				_t12 =  &_a8; // 0x414d72
                                        				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                                        				return _t18;
                                        			}







                                        APIs
                                        • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID: 1JA$rMA$rMA
                                        • API String ID: 2738559852-782607585
                                        • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                        • Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
                                        • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                        • Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 37%
                                        			E0041A53C(void* __ecx, void* __edi, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20, void* _a24, void* _a28) {
                                        				void* _v0;
                                        				void* _v4;
                                        
                                        				if (__ecx - 1 > 0) goto L3;
                                        				_push(_t42);
                                        			}






                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        • Opcode ID: 288337327dec3a4e87523586403533ecbee8ae6078bb8ea454fbf349e53edd2b
                                        • Instruction ID: c648e0a611a1d329bc332bc39003a103a8488de8e09d686db9eaee693cac15bd
                                        • Opcode Fuzzy Hash: 288337327dec3a4e87523586403533ecbee8ae6078bb8ea454fbf349e53edd2b
                                        • Instruction Fuzzy Hash: 4C0108B1204208ABDB14DF88DC81DEB73ADEF8C754F148549BD0897241D634E861CBB4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0040ACF0(void* __ebx, void* __eflags, void* _a4, intOrPtr _a8) {
                                        				intOrPtr* _v8;
                                        				struct _EXCEPTION_RECORD _v12;
                                        				struct _OBJDIR_INFORMATION _v16;
                                        				char _v536;
                                        				void* _t15;
                                        				struct _OBJDIR_INFORMATION _t17;
                                        				struct _OBJDIR_INFORMATION _t18;
                                        				void* _t31;
                                        				void* _t32;
                                        				void* _t33;
                                        
                                        				_t25 = _a8;
                                        				_v8 =  &_v536;
                                        				_t15 = E0041CC50( &_v12, 0x104, _a8);
                                        				_t32 = _t31 + 0xc;
                                        				if(_t15 != 0) {
                                        					_t17 = E0041D070(_v8, _t25, __eflags, _v8);
                                        					_t33 = _t32 + 4;
                                        					__eflags = _t17;
                                        					if(_t17 != 0) {
                                        						E0041D2F0(__ebx,  &_v12, 0);
                                        						_t33 = _t33 + 8;
                                        					}
                                        					_t18 = E0041B4A0(_v8);
                                        					_v16 = _t18;
                                        					__eflags = _t18;
                                        					if(_t18 == 0) {
                                        						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                        						return _v16;
                                        					}
                                        					return _t18;
                                        				} else {
                                        					return _t15;
                                        				}
                                        			}














                                        APIs
                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Load
                                        • String ID:
                                        • API String ID: 2234796835-0
                                        • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                        • Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
                                        • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                        • Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0041A360(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                        				long _t21;
                                        				void* _t31;
                                        
                                        				_t3 = _a4 + 0xc40; // 0xc40
                                        				E0041AF60(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                        				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                        				return _t21;
                                        			}






                                        APIs
                                        • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                        • Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
                                        • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                        • Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                        • Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
                                        • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                        • Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0041A490(intOrPtr _a4, void* _a8) {
                                        				long _t8;
                                        				void* _t11;
                                        
                                        				_t5 = _a4;
                                        				_t2 = _t5 + 0x10; // 0x300
                                        				_t3 = _t5 + 0xc50; // 0x40a943
                                        				E0041AF60(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                        				_t8 = NtClose(_a8); // executed
                                        				return _t8;
                                        			}






                                        APIs
                                        • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                        • Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
                                        • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                        • Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0041A48B(intOrPtr _a7, void* _a11) {
                                        				long _t8;
                                        				void* _t12;
                                        
                                        				 *0xec8b5574 =  *0xec8b5574 >> 0x8b;
                                        				_t5 = _a7;
                                        				_t2 = _t5 + 0x10; // 0x300
                                        				_t3 = _t5 + 0xc50; // 0x40a943
                                        				E0041AF60(_t12, _a7, _t3,  *_t2, 0, 0x2c);
                                        				_t8 = NtClose(_a11); // executed
                                        				return _t8;
                                        			}






                                        APIs
                                        • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        • Opcode ID: ac8b72195eacec38001df1f247b325e1afc62523d5dbbf57172cbaa174c76120
                                        • Instruction ID: 6371e0e2cc7a7e02bd64565d575ba3a0186074f821a54c7928bbdccca83d7df1
                                        • Opcode Fuzzy Hash: ac8b72195eacec38001df1f247b325e1afc62523d5dbbf57172cbaa174c76120
                                        • Instruction Fuzzy Hash: 98D02BA940E3C44BC711EBB4ACC50D27F50DE5153C7284BCFE4E80B683C1649116E391
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 4695e64c2c40e64619faac65e399cb0999a84b4dbd0868e7d5dbe03ab1075378
                                        • Instruction ID: 5e08d7068ea4aa736484ed1a64031c44616ca963b12c76e80819ac585f736545
                                        • Opcode Fuzzy Hash: 4695e64c2c40e64619faac65e399cb0999a84b4dbd0868e7d5dbe03ab1075378
                                        • Instruction Fuzzy Hash: FA9002B120100402E140759948057470109ABD0341F51C411A5055554EC6998DD576A5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                        • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateExitHeapProcess
                                        • String ID: 6EA
                                        • API String ID: 1054155344-1400015478
                                        • Opcode ID: c3123d709d38d9f83e46b640b650e69df9437cf15598d6851a3867bcc30c3be0
                                        • Instruction ID: 459d3a16fafabc5b37b9a36c3f105fb01f7a9599344e70e3b906059359b44ae7
                                        • Opcode Fuzzy Hash: c3123d709d38d9f83e46b640b650e69df9437cf15598d6851a3867bcc30c3be0
                                        • Instruction Fuzzy Hash: 9DF062B1601204AFDB10DF69CC85EE777A8EF88314F1585A9BD0C9B202D635E922CBE1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID: 6EA
                                        • API String ID: 1279760036-1400015478
                                        • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                        • Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
                                        • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                        • Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 43%
                                        			E0040830E(signed int __eax, intOrPtr _a4, long _a8) {
                                        				char _v67;
                                        				char _v68;
                                        				void* _t15;
                                        				int _t16;
                                        				void* _t19;
                                        				long _t24;
                                        				int _t29;
                                        				void* _t32;
                                        				void* _t34;
                                        				signed char _t39;
                                        
                                        				_t39 = __eax |  *(__eax - 0x7c1374ab);
                                        				_t32 = _t34;
                                        				_push(0x3f);
                                        				_push(0);
                                        				_push( &_v67);
                                        				_v68 = 0;
                                        				E0041BE60();
                                        				E0041CA00( &_v68, 3);
                                        				_t15 = E0040ACF0(_t19, _t39, _a4 + 0x1c,  &_v68); // executed
                                        				_t16 = E00414E50(_a4 + 0x1c, _t15, 0, 0, 0xc4e7b6d6);
                                        				_t29 = _t16;
                                        				if(_t29 != 0) {
                                        					_t24 = _a8;
                                        					_t16 = PostThreadMessageW(_t24, 0x111, 0, 0); // executed
                                        					_t41 = _t16;
                                        					if(_t16 == 0) {
                                        						_t16 =  *_t29(_t24, 0x8003, _t32 + (E0040A480(_t41, 1, 8) & 0x000000ff) - 0x40, _t16);
                                        					}
                                        				}
                                        				return _t16;
                                        			}














                                        APIs
                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 43%
                                        			E00408310(void* __ebx, void* __eflags, intOrPtr _a4, long _a8) {
                                        				char _v67;
                                        				char _v68;
                                        				void* _t12;
                                        				intOrPtr* _t13;
                                        				int _t14;
                                        				long _t22;
                                        				intOrPtr* _t26;
                                        				void* _t27;
                                        				void* _t31;
                                        
                                        				_t31 = __eflags;
                                        				_push(0x3f);
                                        				_push(0);
                                        				_push( &_v67);
                                        				_v68 = 0;
                                        				E0041BE60();
                                        				E0041CA00( &_v68, 3);
                                        				_t12 = E0040ACF0(__ebx, _t31, _a4 + 0x1c,  &_v68); // executed
                                        				_t13 = E00414E50(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                        				_t26 = _t13;
                                        				if(_t26 != 0) {
                                        					_t22 = _a8;
                                        					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
                                        					_t33 = _t14;
                                        					if(_t14 == 0) {
                                        						_t14 =  *_t26(_t22, 0x8003, _t27 + (E0040A480(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
                                        					}
                                        					return _t14;
                                        				}
                                        				return _t13;
                                        			}













                                        APIs
                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 64%
                                        			E00408308() {
                                        				void* _t10;
                                        				int _t11;
                                        				void* _t14;
                                        				long _t19;
                                        				int _t23;
                                        				void* _t25;
                                        				void* _t31;
                                        
                                        				 *((char*)(_t25 - 0x40)) = 0;
                                        				E0041BE60();
                                        				E0041CA00(_t25 - 0x40, 3);
                                        				_t10 = E0040ACF0(_t14, _t31,  *((intOrPtr*)(_t25 + 8)) + 0x1c, _t25 - 0x40); // executed
                                        				_t11 = E00414E50( *((intOrPtr*)(_t25 + 8)) + 0x1c, _t10, 0, 0, 0xc4e7b6d6);
                                        				_t23 = _t11;
                                        				if(_t23 != 0) {
                                        					_t19 =  *(_t25 + 0xc);
                                        					_t11 = PostThreadMessageW(_t19, 0x111, 0, 0); // executed
                                        					_t33 = _t11;
                                        					if(_t11 == 0) {
                                        						_t11 =  *_t23(_t19, 0x8003, _t25 + (E0040A480(_t33, 1, 8) & 0x000000ff) - 0x40, _t11);
                                        					}
                                        				}
                                        				return _t11;
                                        			}











                                        APIs
                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 37%
                                        			E0041A665(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                        				char _t12;
                                        				void* _t18;
                                        
                                        				asm("popad");
                                        				asm("sbb ebx, [edi]");
                                        				asm("lahf");
                                        				asm("popfd");
                                        				asm("sbb edx, [ebp-0x75]");
                                        				_t9 = _a4;
                                        				_t3 = _t9 + 0xc74; // 0xc74
                                        				E0041AF60(_t18, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                        				_t12 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                        				return _t12;
                                        			}






                                        APIs
                                        • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID:
                                        • API String ID: 3298025750-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0041A670(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                        				char _t10;
                                        				void* _t15;
                                        
                                        				_t3 = _a4 + 0xc74; // 0xc74
                                        				E0041AF60(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                        				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                        				return _t10;
                                        			}






                                        APIs
                                        • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID:
                                        • API String ID: 3298025750-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0041A7D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                        				int _t10;
                                        				void* _t15;
                                        
                                        				E0041AF60(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                        				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                        				return _t10;
                                        			}






                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0041A6B0(intOrPtr _a4, int _a8) {
                                        				void* _t10;
                                        
                                        				_t5 = _a4;
                                        				E0041AF60(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                        				ExitProcess(_a8);
                                        			}





                                        APIs
                                        • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.370759398.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID:
                                        • API String ID: 621844428-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        Strings
                                        • This failed because of error %Ix., xrefs: 016DB446
                                        • an invalid address, %p, xrefs: 016DB4CF
                                        • The resource is owned exclusively by thread %p, xrefs: 016DB374
                                        • read from, xrefs: 016DB4AD, 016DB4B2
                                        • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 016DB38F
                                        • *** Inpage error in %ws:%s, xrefs: 016DB418
                                        • The instruction at %p tried to %s , xrefs: 016DB4B6
                                        • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 016DB323
                                        • *** enter .cxr %p for the context, xrefs: 016DB50D
                                        • *** A stack buffer overrun occurred in %ws:%s, xrefs: 016DB2F3
                                        • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 016DB314
                                        • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 016DB3D6
                                        • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 016DB484
                                        • a NULL pointer, xrefs: 016DB4E0
                                        • The instruction at %p referenced memory at %p., xrefs: 016DB432
                                        • *** An Access Violation occurred in %ws:%s, xrefs: 016DB48F
                                        • The resource is owned shared by %d threads, xrefs: 016DB37E
                                        • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 016DB47D
                                        • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 016DB305
                                        • *** Resource timeout (%p) in %ws:%s, xrefs: 016DB352
                                        • <unknown>, xrefs: 016DB27E, 016DB2D1, 016DB350, 016DB399, 016DB417, 016DB48E
                                        • write to, xrefs: 016DB4A6
                                        • Go determine why that thread has not released the critical section., xrefs: 016DB3C5
                                        • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 016DB39B
                                        • The critical section is owned by thread %p., xrefs: 016DB3B9
                                        • *** enter .exr %p for the exception record, xrefs: 016DB4F1
                                        • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 016DB476
                                        • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 016DB53F
                                        • *** then kb to get the faulting stack, xrefs: 016DB51C
                                        • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 016DB2DC
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • API String ID: 0-108210295
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 44%
                                        			E016E1C06() {
                                        				signed int _t27;
                                        				char* _t104;
                                        				char* _t105;
                                        				intOrPtr _t113;
                                        				intOrPtr _t115;
                                        				intOrPtr _t117;
                                        				intOrPtr _t119;
                                        				intOrPtr _t120;
                                        
                                        				_t105 = 0x16048a4;
                                        				_t104 = "HEAP: ";
                                        				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        					_push(_t104);
                                        					E0162B150();
                                        				} else {
                                        					E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        				}
                                        				_push( *0x171589c);
                                        				E0162B150("Heap error detected at %p (heap handle %p)\n",  *0x17158a0);
                                        				_t27 =  *0x1715898; // 0x0
                                        				if(_t27 <= 0xf) {
                                        					switch( *((intOrPtr*)(_t27 * 4 +  &M016E1E96))) {
                                        						case 0:
                                        							_t105 = "heap_failure_internal";
                                        							goto L21;
                                        						case 1:
                                        							goto L21;
                                        						case 2:
                                        							goto L21;
                                        						case 3:
                                        							goto L21;
                                        						case 4:
                                        							goto L21;
                                        						case 5:
                                        							goto L21;
                                        						case 6:
                                        							goto L21;
                                        						case 7:
                                        							goto L21;
                                        						case 8:
                                        							goto L21;
                                        						case 9:
                                        							goto L21;
                                        						case 0xa:
                                        							goto L21;
                                        						case 0xb:
                                        							goto L21;
                                        						case 0xc:
                                        							goto L21;
                                        						case 0xd:
                                        							goto L21;
                                        						case 0xe:
                                        							goto L21;
                                        						case 0xf:
                                        							goto L21;
                                        					}
                                        				}
                                        				L21:
                                        				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        					_push(_t104);
                                        					E0162B150();
                                        				} else {
                                        					E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        				}
                                        				_push(_t105);
                                        				E0162B150("Error code: %d - %s\n",  *0x1715898);
                                        				_t113 =  *0x17158a4; // 0x0
                                        				if(_t113 != 0) {
                                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        						_push(_t104);
                                        						E0162B150();
                                        					} else {
                                        						E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        					}
                                        					E0162B150("Parameter1: %p\n",  *0x17158a4);
                                        				}
                                        				_t115 =  *0x17158a8; // 0x0
                                        				if(_t115 != 0) {
                                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        						_push(_t104);
                                        						E0162B150();
                                        					} else {
                                        						E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        					}
                                        					E0162B150("Parameter2: %p\n",  *0x17158a8);
                                        				}
                                        				_t117 =  *0x17158ac; // 0x0
                                        				if(_t117 != 0) {
                                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        						_push(_t104);
                                        						E0162B150();
                                        					} else {
                                        						E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        					}
                                        					E0162B150("Parameter3: %p\n",  *0x17158ac);
                                        				}
                                        				_t119 =  *0x17158b0; // 0x0
                                        				if(_t119 != 0) {
                                        					L41:
                                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        						_push(_t104);
                                        						E0162B150();
                                        					} else {
                                        						E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        					}
                                        					_push( *0x17158b4);
                                        					E0162B150("Last known valid blocks: before - %p, after - %p\n",  *0x17158b0);
                                        				} else {
                                        					_t120 =  *0x17158b4; // 0x0
                                        					if(_t120 != 0) {
                                        						goto L41;
                                        					}
                                        				}
                                        				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        					_push(_t104);
                                        					E0162B150();
                                        				} else {
                                        					E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        				}
                                        				return E0162B150("Stack trace available at %p\n", 0x17158c0);
                                        			}












                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                        • API String ID: 0-2897834094
                                        • Opcode ID: 55b39cd9c9ef846abe801d19d60f565cd365e906641be0297e0970aa5bd4c4e1
                                        • Instruction ID: 0f0c4406279c90ae81d873b17d80fed868cbc8abc9dd52ddac2c303a71fecc6c
                                        • Opcode Fuzzy Hash: 55b39cd9c9ef846abe801d19d60f565cd365e906641be0297e0970aa5bd4c4e1
                                        • Instruction Fuzzy Hash: A761F433592551CFD316AB89DC8CE2173E5EB06E31B5D812EFC0A9B341D63698919F0D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 59%
                                        			E016E4AEF(void* __ecx, signed int __edx, intOrPtr* _a8, signed int* _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24) {
                                        				signed int _v6;
                                        				signed int _v8;
                                        				signed int _v12;
                                        				signed int _v16;
                                        				signed int _v20;
                                        				signed int _v24;
                                        				signed int _v28;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				signed int _t189;
                                        				intOrPtr _t191;
                                        				intOrPtr _t210;
                                        				signed int _t225;
                                        				signed char _t231;
                                        				intOrPtr _t232;
                                        				unsigned int _t245;
                                        				intOrPtr _t249;
                                        				intOrPtr _t259;
                                        				signed int _t281;
                                        				signed int _t283;
                                        				intOrPtr _t284;
                                        				signed int _t288;
                                        				signed int* _t294;
                                        				signed int* _t298;
                                        				intOrPtr* _t299;
                                        				intOrPtr* _t300;
                                        				signed int _t307;
                                        				signed int _t309;
                                        				signed short _t312;
                                        				signed short _t315;
                                        				signed int _t317;
                                        				signed int _t320;
                                        				signed int _t322;
                                        				signed int _t326;
                                        				signed int _t327;
                                        				void* _t328;
                                        				signed int _t332;
                                        				signed int _t340;
                                        				signed int _t342;
                                        				signed char _t344;
                                        				signed int* _t345;
                                        				void* _t346;
                                        				signed char _t352;
                                        				signed char _t367;
                                        				signed int _t374;
                                        				intOrPtr* _t378;
                                        				signed int _t380;
                                        				signed int _t385;
                                        				signed char _t390;
                                        				unsigned int _t392;
                                        				signed char _t395;
                                        				unsigned int _t397;
                                        				intOrPtr* _t400;
                                        				signed int _t402;
                                        				signed int _t405;
                                        				intOrPtr* _t406;
                                        				signed int _t407;
                                        				intOrPtr _t412;
                                        				void* _t414;
                                        				signed int _t415;
                                        				signed int _t416;
                                        				signed int _t429;
                                        
                                        				_v16 = _v16 & 0x00000000;
                                        				_t189 = 0;
                                        				_v8 = _v8 & 0;
                                        				_t332 = __edx;
                                        				_v12 = 0;
                                        				_t414 = __ecx;
                                        				_t415 = __edx;
                                        				if(__edx >=  *((intOrPtr*)(__edx + 0x28))) {
                                        					L88:
                                        					_t416 = _v16;
                                        					if( *((intOrPtr*)(_t332 + 0x2c)) == _t416) {
                                        						__eflags =  *((intOrPtr*)(_t332 + 0x30)) - _t189;
                                        						if( *((intOrPtr*)(_t332 + 0x30)) == _t189) {
                                        							L107:
                                        							return 1;
                                        						}
                                        						_t191 =  *[fs:0x30];
                                        						__eflags =  *(_t191 + 0xc);
                                        						if( *(_t191 + 0xc) == 0) {
                                        							_push("HEAP: ");
                                        							E0162B150();
                                        						} else {
                                        							E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        						}
                                        						_push(_v12);
                                        						_push( *((intOrPtr*)(_t332 + 0x30)));
                                        						_push(_t332);
                                        						_push("Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)\n");
                                        						L122:
                                        						E0162B150();
                                        						L119:
                                        						return 0;
                                        					}
                                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        						_push("HEAP: ");
                                        						E0162B150();
                                        					} else {
                                        						E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        					}
                                        					_push(_t416);
                                        					_push( *((intOrPtr*)(_t332 + 0x2c)));
                                        					_push(_t332);
                                        					_push("Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)\n");
                                        					goto L122;
                                        				} else {
                                        					goto L1;
                                        				}
                                        				do {
                                        					L1:
                                        					 *_a16 = _t415;
                                        					if( *(_t414 + 0x4c) != 0) {
                                        						_t392 =  *(_t414 + 0x50) ^  *_t415;
                                        						 *_t415 = _t392;
                                        						_t352 = _t392 >> 0x00000010 ^ _t392 >> 0x00000008 ^ _t392;
                                        						_t424 = _t392 >> 0x18 - _t352;
                                        						if(_t392 >> 0x18 != _t352) {
                                        							_push(_t352);
                                        							E016DFA2B(_t332, _t414, _t415, _t414, _t415, _t424);
                                        						}
                                        					}
                                        					if(_v8 != ( *(_t415 + 4) ^  *(_t414 + 0x54))) {
                                        						_t210 =  *[fs:0x30];
                                        						__eflags =  *(_t210 + 0xc);
                                        						if( *(_t210 + 0xc) == 0) {
                                        							_push("HEAP: ");
                                        							E0162B150();
                                        						} else {
                                        							E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        						}
                                        						_push(_v8 & 0x0000ffff);
                                        						_t340 =  *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff;
                                        						__eflags = _t340;
                                        						_push(_t340);
                                        						E0162B150("Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)\n", _t415);
                                        						L117:
                                        						__eflags =  *(_t414 + 0x4c);
                                        						if( *(_t414 + 0x4c) != 0) {
                                        							 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
                                        							 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                        							__eflags =  *_t415;
                                        						}
                                        						goto L119;
                                        					}
                                        					_t225 =  *_t415 & 0x0000ffff;
                                        					_t390 =  *(_t415 + 2);
                                        					_t342 = _t225;
                                        					_v8 = _t342;
                                        					_v20 = _t342;
                                        					_v28 = _t225 << 3;
                                        					if((_t390 & 0x00000001) == 0) {
                                        						__eflags =  *(_t414 + 0x40) & 0x00000040;
                                        						_t344 = (_t342 & 0xffffff00 | ( *(_t414 + 0x40) & 0x00000040) != 0x00000000) & _t390 >> 0x00000002;
                                        						__eflags = _t344 & 0x00000001;
                                        						if((_t344 & 0x00000001) == 0) {
                                        							L66:
                                        							_t345 = _a12;
                                        							 *_a8 =  *_a8 + 1;
                                        							 *_t345 =  *_t345 + ( *_t415 & 0x0000ffff);
                                        							__eflags =  *_t345;
                                        							L67:
                                        							_t231 =  *(_t415 + 6);
                                        							if(_t231 == 0) {
                                        								_t346 = _t414;
                                        							} else {
                                        								_t346 = (_t415 & 0xffff0000) - ((_t231 & 0x000000ff) << 0x10) + 0x10000;
                                        							}
                                        							if(_t346 != _t332) {
                                        								_t232 =  *[fs:0x30];
                                        								__eflags =  *(_t232 + 0xc);
                                        								if( *(_t232 + 0xc) == 0) {
                                        									_push("HEAP: ");
                                        									E0162B150();
                                        								} else {
                                        									E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        								}
                                        								_push( *(_t415 + 6) & 0x000000ff);
                                        								_push(_t415);
                                        								_push("Heap block at %p has incorrect segment offset (%x)\n");
                                        								goto L95;
                                        							} else {
                                        								if( *((char*)(_t415 + 7)) != 3) {
                                        									__eflags =  *(_t414 + 0x4c);
                                        									if( *(_t414 + 0x4c) != 0) {
                                        										 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                                        										 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                        										__eflags =  *_t415;
                                        									}
                                        									_t415 = _t415 + _v28;
                                        									__eflags = _t415;
                                        									goto L86;
                                        								}
                                        								_t245 =  *(_t415 + 0x1c);
                                        								if(_t245 == 0) {
                                        									_t395 =  *_t415 & 0x0000ffff;
                                        									_v6 = _t395 >> 8;
                                        									__eflags = _t415 + _t395 * 8 -  *((intOrPtr*)(_t332 + 0x28));
                                        									if(_t415 + _t395 * 8 ==  *((intOrPtr*)(_t332 + 0x28))) {
                                        										__eflags =  *(_t414 + 0x4c);
                                        										if( *(_t414 + 0x4c) != 0) {
                                        											 *(_t415 + 3) =  *(_t415 + 2) ^ _v6 ^ _t395;
                                        											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                        											__eflags =  *_t415;
                                        										}
                                        										goto L107;
                                        									}
                                        									_t249 =  *[fs:0x30];
                                        									__eflags =  *(_t249 + 0xc);
                                        									if( *(_t249 + 0xc) == 0) {
                                        										_push("HEAP: ");
                                        										E0162B150();
                                        									} else {
                                        										E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        									}
                                        									_push( *((intOrPtr*)(_t332 + 0x28)));
                                        									_push(_t415);
                                        									_push("Heap block at %p is not last block in segment (%p)\n");
                                        									L95:
                                        									E0162B150();
                                        									goto L117;
                                        								}
                                        								_v12 = _v12 + 1;
                                        								_v16 = _v16 + (_t245 >> 0xc);
                                        								if( *(_t414 + 0x4c) != 0) {
                                        									 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                                        									 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                        								}
                                        								_t415 = _t415 + 0x20 +  *(_t415 + 0x1c);
                                        								if(_t415 ==  *((intOrPtr*)(_t332 + 0x28))) {
                                        									L82:
                                        									_v8 = _v8 & 0x00000000;
                                        									goto L86;
                                        								} else {
                                        									if( *(_t414 + 0x4c) != 0) {
                                        										_t397 =  *(_t414 + 0x50) ^  *_t415;
                                        										 *_t415 = _t397;
                                        										_t367 = _t397 >> 0x00000010 ^ _t397 >> 0x00000008 ^ _t397;
                                        										_t442 = _t397 >> 0x18 - _t367;
                                        										if(_t397 >> 0x18 != _t367) {
                                        											_push(_t367);
                                        											E016DFA2B(_t332, _t414, _t415, _t414, _t415, _t442);
                                        										}
                                        									}
                                        									if( *(_t414 + 0x54) !=  *(_t415 + 4)) {
                                        										_t259 =  *[fs:0x30];
                                        										__eflags =  *(_t259 + 0xc);
                                        										if( *(_t259 + 0xc) == 0) {
                                        											_push("HEAP: ");
                                        											E0162B150();
                                        										} else {
                                        											E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        										}
                                        										_push( *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff);
                                        										_push(_t415);
                                        										_push("Heap block at %p has corrupted PreviousSize (%lx)\n");
                                        										goto L95;
                                        									} else {
                                        										if( *(_t414 + 0x4c) != 0) {
                                        											 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
                                        											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                        										}
                                        										goto L82;
                                        									}
                                        								}
                                        							}
                                        						}
                                        						_t281 = _v28 + 0xfffffff0;
                                        						_v24 = _t281;
                                        						__eflags = _t390 & 0x00000002;
                                        						if((_t390 & 0x00000002) != 0) {
                                        							__eflags = _t281 - 4;
                                        							if(_t281 > 4) {
                                        								_t281 = _t281 - 4;
                                        								__eflags = _t281;
                                        								_v24 = _t281;
                                        							}
                                        						}
                                        						__eflags = _t390 & 0x00000008;
                                        						if((_t390 & 0x00000008) == 0) {
                                        							_t102 = _t415 + 0x10; // -8
                                        							_t283 = E0167D540(_t102, _t281, 0xfeeefeee);
                                        							_v20 = _t283;
                                        							__eflags = _t283 - _v24;
                                        							if(_t283 != _v24) {
                                        								_t284 =  *[fs:0x30];
                                        								__eflags =  *(_t284 + 0xc);
                                        								if( *(_t284 + 0xc) == 0) {
                                        									_push("HEAP: ");
                                        									E0162B150();
                                        								} else {
                                        									E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        								}
                                        								_t288 = _v20 + 8 + _t415;
                                        								__eflags = _t288;
                                        								_push(_t288);
                                        								_push(_t415);
                                        								_push("Free Heap block %p modified at %p after it was freed\n");
                                        								goto L95;
                                        							}
                                        							goto L66;
                                        						} else {
                                        							_t374 =  *(_t415 + 8);
                                        							_t400 =  *((intOrPtr*)(_t415 + 0xc));
                                        							_v24 = _t374;
                                        							_v28 = _t400;
                                        							_t294 =  *(_t374 + 4);
                                        							__eflags =  *_t400 - _t294;
                                        							if( *_t400 != _t294) {
                                        								L64:
                                        								_push(_t374);
                                        								_push( *_t400);
                                        								_t101 = _t415 + 8; // -16
                                        								E016EA80D(_t414, 0xd, _t101, _t294);
                                        								goto L86;
                                        							}
                                        							_t56 = _t415 + 8; // -16
                                        							__eflags =  *_t400 - _t56;
                                        							_t374 = _v24;
                                        							if( *_t400 != _t56) {
                                        								goto L64;
                                        							}
                                        							 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) - _v20;
                                        							_t402 =  *(_t414 + 0xb4);
                                        							__eflags = _t402;
                                        							if(_t402 == 0) {
                                        								L35:
                                        								_t298 = _v28;
                                        								 *_t298 = _t374;
                                        								 *(_t374 + 4) = _t298;
                                        								__eflags =  *(_t415 + 2) & 0x00000008;
                                        								if(( *(_t415 + 2) & 0x00000008) == 0) {
                                        									L39:
                                        									_t377 =  *_t415 & 0x0000ffff;
                                        									_t299 = _t414 + 0xc0;
                                        									_v28 =  *_t415 & 0x0000ffff;
                                        									 *(_t415 + 2) = 0;
                                        									 *((char*)(_t415 + 7)) = 0;
                                        									__eflags =  *(_t414 + 0xb4);
                                        									if( *(_t414 + 0xb4) == 0) {
                                        										_t378 =  *_t299;
                                        									} else {
                                        										_t378 = E0164E12C(_t414, _t377);
                                        										_t299 = _t414 + 0xc0;
                                        									}
                                        									__eflags = _t299 - _t378;
                                        									if(_t299 == _t378) {
                                        										L51:
                                        										_t300 =  *((intOrPtr*)(_t378 + 4));
                                        										__eflags =  *_t300 - _t378;
                                        										if( *_t300 != _t378) {
                                        											_push(_t378);
                                        											_push( *_t300);
                                        											__eflags = 0;
                                        											E016EA80D(0, 0xd, _t378, 0);
                                        										} else {
                                        											_t87 = _t415 + 8; // -16
                                        											_t406 = _t87;
                                        											 *_t406 = _t378;
                                        											 *((intOrPtr*)(_t406 + 4)) = _t300;
                                        											 *_t300 = _t406;
                                        											 *((intOrPtr*)(_t378 + 4)) = _t406;
                                        										}
                                        										 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) + ( *_t415 & 0x0000ffff);
                                        										_t405 =  *(_t414 + 0xb4);
                                        										__eflags = _t405;
                                        										if(_t405 == 0) {
                                        											L61:
                                        											__eflags =  *(_t414 + 0x4c);
                                        											if(__eflags != 0) {
                                        												 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                                        												 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                        											}
                                        											goto L86;
                                        										} else {
                                        											_t380 =  *_t415 & 0x0000ffff;
                                        											while(1) {
                                        												__eflags = _t380 -  *((intOrPtr*)(_t405 + 4));
                                        												if(_t380 <  *((intOrPtr*)(_t405 + 4))) {
                                        													break;
                                        												}
                                        												_t307 =  *_t405;
                                        												__eflags = _t307;
                                        												if(_t307 == 0) {
                                        													_t309 =  *((intOrPtr*)(_t405 + 4)) - 1;
                                        													L60:
                                        													_t94 = _t415 + 8; // -16
                                        													E0164E4A0(_t414, _t405, 1, _t94, _t309, _t380);
                                        													goto L61;
                                        												}
                                        												_t405 = _t307;
                                        											}
                                        											_t309 = _t380;
                                        											goto L60;
                                        										}
                                        									} else {
                                        										_t407 =  *(_t414 + 0x4c);
                                        										while(1) {
                                        											__eflags = _t407;
                                        											if(_t407 == 0) {
                                        												_t312 =  *(_t378 - 8) & 0x0000ffff;
                                        											} else {
                                        												_t315 =  *(_t378 - 8);
                                        												_t407 =  *(_t414 + 0x4c);
                                        												__eflags = _t315 & _t407;
                                        												if((_t315 & _t407) != 0) {
                                        													_t315 = _t315 ^  *(_t414 + 0x50);
                                        													__eflags = _t315;
                                        												}
                                        												_t312 = _t315 & 0x0000ffff;
                                        											}
                                        											__eflags = _v28 - (_t312 & 0x0000ffff);
                                        											if(_v28 <= (_t312 & 0x0000ffff)) {
                                        												goto L51;
                                        											}
                                        											_t378 =  *_t378;
                                        											__eflags = _t414 + 0xc0 - _t378;
                                        											if(_t414 + 0xc0 != _t378) {
                                        												continue;
                                        											}
                                        											goto L51;
                                        										}
                                        										goto L51;
                                        									}
                                        								}
                                        								_t317 = E0164A229(_t414, _t415);
                                        								__eflags = _t317;
                                        								if(_t317 != 0) {
                                        									goto L39;
                                        								}
                                        								E0164A309(_t414, _t415,  *_t415 & 0x0000ffff, 1);
                                        								goto L86;
                                        							}
                                        							_t385 =  *_t415 & 0x0000ffff;
                                        							while(1) {
                                        								__eflags = _t385 -  *((intOrPtr*)(_t402 + 4));
                                        								if(_t385 <  *((intOrPtr*)(_t402 + 4))) {
                                        									break;
                                        								}
                                        								_t320 =  *_t402;
                                        								__eflags = _t320;
                                        								if(_t320 == 0) {
                                        									_t322 =  *((intOrPtr*)(_t402 + 4)) - 1;
                                        									L34:
                                        									_t63 = _t415 + 8; // -16
                                        									E0164BC04(_t414, _t402, 1, _t63, _t322, _t385);
                                        									_t374 = _v24;
                                        									goto L35;
                                        								}
                                        								_t402 = _t320;
                                        							}
                                        							_t322 = _t385;
                                        							goto L34;
                                        						}
                                        					}
                                        					if(_a20 == 0) {
                                        						L18:
                                        						if(( *(_t415 + 2) & 0x00000004) == 0) {
                                        							goto L67;
                                        						}
                                        						if(E016D23E3(_t414, _t415) == 0) {
                                        							goto L117;
                                        						}
                                        						goto L67;
                                        					} else {
                                        						if((_t390 & 0x00000002) == 0) {
                                        							_t326 =  *(_t415 + 3) & 0x000000ff;
                                        						} else {
                                        							_t328 = E01621F5B(_t415);
                                        							_t342 = _v20;
                                        							_t326 =  *(_t328 + 2) & 0x0000ffff;
                                        						}
                                        						_t429 = _t326;
                                        						if(_t429 == 0) {
                                        							goto L18;
                                        						}
                                        						if(_t429 >= 0) {
                                        							__eflags = _t326 & 0x00000800;
                                        							if(__eflags != 0) {
                                        								goto L18;
                                        							}
                                        							__eflags = _t326 -  *((intOrPtr*)(_t414 + 0x84));
                                        							if(__eflags >= 0) {
                                        								goto L18;
                                        							}
                                        							_t412 = _a20;
                                        							_t327 = _t326 & 0x0000ffff;
                                        							L17:
                                        							 *((intOrPtr*)(_t412 + _t327 * 4)) =  *((intOrPtr*)(_t412 + _t327 * 4)) + _t342;
                                        							goto L18;
                                        						}
                                        						_t327 = _t326 & 0x00007fff;
                                        						if(_t327 >= 0x81) {
                                        							goto L18;
                                        						}
                                        						_t412 = _a24;
                                        						goto L17;
                                        					}
                                        					L86:
                                        				} while (_t415 <  *((intOrPtr*)(_t332 + 0x28)));
                                        				_t189 = _v12;
                                        				goto L88;
                                        			}



































































                                        0x00000000
                                        0x016e4d11
                                        0x00000000
                                        0x016e4ce5
                                        0x016e4ce0
                                        0x016e4c8a
                                        0x016e4c8f
                                        0x016e4c91
                                        0x00000000
                                        0x00000000
                                        0x016e4c9d
                                        0x00000000
                                        0x016e4c9d
                                        0x016e4c52
                                        0x016e4c5f
                                        0x016e4c5f
                                        0x016e4c62
                                        0x00000000
                                        0x00000000
                                        0x016e4c57
                                        0x016e4c59
                                        0x016e4c5b
                                        0x016e4caa
                                        0x016e4c66
                                        0x016e4c68
                                        0x016e4c70
                                        0x016e4c75
                                        0x00000000
                                        0x016e4c75
                                        0x016e4c5d
                                        0x016e4c5d
                                        0x016e4c64
                                        0x00000000
                                        0x016e4c64
                                        0x016e4c17
                                        0x016e4b75
                                        0x016e4bc4
                                        0x016e4bc8
                                        0x00000000
                                        0x00000000
                                        0x016e4bd9
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x016e4b77
                                        0x016e4b7a
                                        0x016e4b8c
                                        0x016e4b7c
                                        0x016e4b7e
                                        0x016e4b83
                                        0x016e4b86
                                        0x016e4b86
                                        0x016e4b90
                                        0x016e4b93
                                        0x00000000
                                        0x00000000
                                        0x016e4b95
                                        0x016e4bab
                                        0x016e4bb0
                                        0x00000000
                                        0x00000000
                                        0x016e4bb2
                                        0x016e4bb9
                                        0x00000000
                                        0x00000000
                                        0x016e4bbb
                                        0x016e4bbe
                                        0x016e4bc1
                                        0x016e4bc1
                                        0x00000000
                                        0x016e4bc1
                                        0x016e4b97
                                        0x016e4ba4
                                        0x00000000
                                        0x00000000
                                        0x016e4ba6
                                        0x00000000
                                        0x016e4ba6
                                        0x016e4ea9
                                        0x016e4ea9
                                        0x016e4eb2
                                        0x00000000

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                        • API String ID: 0-3591852110
                                        • Opcode ID: 31a3f926d8cd6bfc257ba056e5d62b6d2860366530ce0a7ff414bc6225f44d3d
                                        • Instruction ID: 537974da34dc4c17f618d91f6ff19ceef10c7751849d4fe722114eb113b74efe
                                        • Opcode Fuzzy Hash: 31a3f926d8cd6bfc257ba056e5d62b6d2860366530ce0a7ff414bc6225f44d3d
                                        • Instruction Fuzzy Hash: E012BE306026429FDB25DF69C898BB6BBE2EF48614F14865DE486CB741DB35E881CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 56%
                                        			E016E4496(signed int* __ecx, void* __edx) {
                                        				signed int _v5;
                                        				signed int _v12;
                                        				signed int _v16;
                                        				signed int _v20;
                                        				signed char _v24;
                                        				signed int* _v28;
                                        				char _v32;
                                        				signed int* _v36;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				void* _t150;
                                        				intOrPtr _t151;
                                        				signed char _t156;
                                        				intOrPtr _t157;
                                        				unsigned int _t169;
                                        				intOrPtr _t170;
                                        				signed int* _t183;
                                        				signed char _t184;
                                        				intOrPtr _t191;
                                        				signed int _t201;
                                        				intOrPtr _t203;
                                        				intOrPtr _t212;
                                        				intOrPtr _t220;
                                        				signed int _t230;
                                        				signed int _t241;
                                        				signed int _t244;
                                        				void* _t259;
                                        				signed int _t260;
                                        				signed int* _t261;
                                        				intOrPtr* _t262;
                                        				signed int _t263;
                                        				signed int* _t264;
                                        				signed int _t267;
                                        				signed int* _t268;
                                        				void* _t270;
                                        				void* _t281;
                                        				signed short _t285;
                                        				signed short _t289;
                                        				signed int _t291;
                                        				signed int _t298;
                                        				signed char _t303;
                                        				signed char _t308;
                                        				signed int _t314;
                                        				intOrPtr _t317;
                                        				unsigned int _t319;
                                        				signed int* _t325;
                                        				signed int _t326;
                                        				signed int _t327;
                                        				intOrPtr _t328;
                                        				signed int _t329;
                                        				signed int _t330;
                                        				signed int* _t331;
                                        				signed int _t332;
                                        				signed int _t350;
                                        
                                        				_t259 = __edx;
                                        				_t331 = __ecx;
                                        				_v28 = __ecx;
                                        				_v20 = 0;
                                        				_v12 = 0;
                                        				_t150 = E016E49A4(__ecx);
                                        				_t267 = 1;
                                        				if(_t150 == 0) {
                                        					L61:
                                        					_t151 =  *[fs:0x30];
                                        					__eflags =  *((char*)(_t151 + 2));
                                        					if( *((char*)(_t151 + 2)) != 0) {
                                        						 *0x1716378 = _t267;
                                        						asm("int3");
                                        						 *0x1716378 = 0;
                                        					}
                                        					__eflags = _v12;
                                        					if(_v12 != 0) {
                                        						_t105 =  &_v16;
                                        						 *_t105 = _v16 & 0x00000000;
                                        						__eflags =  *_t105;
                                        						E0165174B( &_v12,  &_v16, 0x8000);
                                        					}
                                        					L65:
                                        					__eflags = 0;
                                        					return 0;
                                        				}
                                        				if(_t259 != 0 || (__ecx[0x10] & 0x20000000) != 0) {
                                        					_t268 =  &(_t331[0x30]);
                                        					_v32 = 0;
                                        					_t260 =  *_t268;
                                        					_t308 = 0;
                                        					_v24 = 0;
                                        					while(_t268 != _t260) {
                                        						_t260 =  *_t260;
                                        						_v16 =  *_t325 & 0x0000ffff;
                                        						_t156 = _t325[0];
                                        						_v28 = _t325;
                                        						_v5 = _t156;
                                        						__eflags = _t156 & 0x00000001;
                                        						if((_t156 & 0x00000001) != 0) {
                                        							_t157 =  *[fs:0x30];
                                        							__eflags =  *(_t157 + 0xc);
                                        							if( *(_t157 + 0xc) == 0) {
                                        								_push("HEAP: ");
                                        								E0162B150();
                                        							} else {
                                        								E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        							}
                                        							_push(_t325);
                                        							E0162B150("dedicated (%04Ix) free list element %p is marked busy\n", _v16);
                                        							L32:
                                        							_t270 = 0;
                                        							__eflags = _t331[0x13];
                                        							if(_t331[0x13] != 0) {
                                        								_t325[0] = _t325[0] ^ _t325[0] ^  *_t325;
                                        								 *_t325 =  *_t325 ^ _t331[0x14];
                                        							}
                                        							L60:
                                        							_t267 = _t270 + 1;
                                        							__eflags = _t267;
                                        							goto L61;
                                        						}
                                        						_t169 =  *_t325 & 0x0000ffff;
                                        						__eflags = _t169 - _t308;
                                        						if(_t169 < _t308) {
                                        							_t170 =  *[fs:0x30];
                                        							__eflags =  *(_t170 + 0xc);
                                        							if( *(_t170 + 0xc) == 0) {
                                        								_push("HEAP: ");
                                        								E0162B150();
                                        							} else {
                                        								E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        							}
                                        							E0162B150("Non-Dedicated free list element %p is out of order\n", _t325);
                                        							goto L32;
                                        						} else {
                                        							__eflags = _t331[0x13];
                                        							_t308 = _t169;
                                        							_v24 = _t308;
                                        							if(_t331[0x13] != 0) {
                                        								_t325[0] = _t169 >> 0x00000008 ^ _v5 ^ _t308;
                                        								 *_t325 =  *_t325 ^ _t331[0x14];
                                        								__eflags =  *_t325;
                                        							}
                                        							_t26 =  &_v32;
                                        							 *_t26 = _v32 + 1;
                                        							__eflags =  *_t26;
                                        							continue;
                                        						}
                                        					}
                                        					_v16 = 0x208 + (_t331[0x21] & 0x0000ffff) * 4;
                                        					if( *0x1716350 != 0 && _t331[0x2f] != 0) {
                                        						_push(4);
                                        						_push(0x1000);
                                        						_push( &_v16);
                                        						_push(0);
                                        						_push( &_v12);
                                        						_push(0xffffffff);
                                        						if(E01669660() >= 0) {
                                        							_v20 = _v12 + 0x204;
                                        						}
                                        					}
                                        					_t183 =  &(_t331[0x27]);
                                        					_t281 = 0x81;
                                        					_t326 =  *_t183;
                                        					if(_t183 == _t326) {
                                        						L49:
                                        						_t261 =  &(_t331[0x29]);
                                        						_t184 = 0;
                                        						_t327 =  *_t261;
                                        						_t282 = 0;
                                        						_v24 = 0;
                                        						_v36 = 0;
                                        						__eflags = _t327 - _t261;
                                        						if(_t327 == _t261) {
                                        							L53:
                                        							_t328 = _v32;
                                        							_v28 = _t331;
                                        							__eflags = _t328 - _t184;
                                        							if(_t328 == _t184) {
                                        								__eflags = _t331[0x1d] - _t282;
                                        								if(_t331[0x1d] == _t282) {
                                        									__eflags = _v12;
                                        									if(_v12 == 0) {
                                        										L82:
                                        										_t267 = 1;
                                        										__eflags = 1;
                                        										goto L83;
                                        									}
                                        									_t329 = _t331[0x2f];
                                        									__eflags = _t329;
                                        									if(_t329 == 0) {
                                        										L77:
                                        										_t330 = _t331[0x22];
                                        										__eflags = _t330;
                                        										if(_t330 == 0) {
                                        											L81:
                                        											_t129 =  &_v16;
                                        											 *_t129 = _v16 & 0x00000000;
                                        											__eflags =  *_t129;
                                        											E0165174B( &_v12,  &_v16, 0x8000);
                                        											goto L82;
                                        										}
                                        										_t314 = _t331[0x21] & 0x0000ffff;
                                        										_t285 = 1;
                                        										__eflags = 1 - _t314;
                                        										if(1 >= _t314) {
                                        											goto L81;
                                        										} else {
                                        											goto L79;
                                        										}
                                        										while(1) {
                                        											L79:
                                        											_t330 = _t330 + 0x40;
                                        											_t332 = _t285 & 0x0000ffff;
                                        											_t262 = _v20 + _t332 * 4;
                                        											__eflags =  *_t262 -  *((intOrPtr*)(_t330 + 8));
                                        											if( *_t262 !=  *((intOrPtr*)(_t330 + 8))) {
                                        												break;
                                        											}
                                        											_t285 = _t285 + 1;
                                        											__eflags = _t285 - _t314;
                                        											if(_t285 < _t314) {
                                        												continue;
                                        											}
                                        											goto L81;
                                        										}
                                        										_t191 =  *[fs:0x30];
                                        										__eflags =  *(_t191 + 0xc);
                                        										if( *(_t191 + 0xc) == 0) {
                                        											_push("HEAP: ");
                                        											E0162B150();
                                        										} else {
                                        											E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        										}
                                        										_push(_t262);
                                        										_push( *((intOrPtr*)(_v20 + _t332 * 4)));
                                        										_t148 = _t330 + 0x10; // 0x10
                                        										_push( *((intOrPtr*)(_t330 + 8)));
                                        										E0162B150("Tag %04x (%ws) size incorrect (%Ix != %Ix) %p\n", _t332);
                                        										L59:
                                        										_t270 = 0;
                                        										__eflags = 0;
                                        										goto L60;
                                        									}
                                        									_t289 = 1;
                                        									__eflags = 1;
                                        									while(1) {
                                        										_t201 = _v12;
                                        										_t329 = _t329 + 0xc;
                                        										_t263 = _t289 & 0x0000ffff;
                                        										__eflags =  *((intOrPtr*)(_t201 + _t263 * 4)) -  *((intOrPtr*)(_t329 + 8));
                                        										if( *((intOrPtr*)(_t201 + _t263 * 4)) !=  *((intOrPtr*)(_t329 + 8))) {
                                        											break;
                                        										}
                                        										_t289 = _t289 + 1;
                                        										__eflags = _t289 - 0x81;
                                        										if(_t289 < 0x81) {
                                        											continue;
                                        										}
                                        										goto L77;
                                        									}
                                        									_t203 =  *[fs:0x30];
                                        									__eflags =  *(_t203 + 0xc);
                                        									if( *(_t203 + 0xc) == 0) {
                                        										_push("HEAP: ");
                                        										E0162B150();
                                        									} else {
                                        										E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        									}
                                        									_t291 = _v12;
                                        									_push(_t291 + _t263 * 4);
                                        									_push( *((intOrPtr*)(_t291 + _t263 * 4)));
                                        									_push( *((intOrPtr*)(_t329 + 8)));
                                        									E0162B150("Pseudo Tag %04x size incorrect (%Ix != %Ix) %p\n", _t263);
                                        									goto L59;
                                        								}
                                        								_t212 =  *[fs:0x30];
                                        								__eflags =  *(_t212 + 0xc);
                                        								if( *(_t212 + 0xc) == 0) {
                                        									_push("HEAP: ");
                                        									E0162B150();
                                        								} else {
                                        									E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        								}
                                        								_push(_t331[0x1d]);
                                        								_push(_v36);
                                        								_push("Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)\n");
                                        								L58:
                                        								E0162B150();
                                        								goto L59;
                                        							}
                                        							_t220 =  *[fs:0x30];
                                        							__eflags =  *(_t220 + 0xc);
                                        							if( *(_t220 + 0xc) == 0) {
                                        								_push("HEAP: ");
                                        								E0162B150();
                                        							} else {
                                        								E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        							}
                                        							_push(_t328);
                                        							_push(_v24);
                                        							_push("Number of free blocks in arena (%ld) does not match number in the free lists (%ld)\n");
                                        							goto L58;
                                        						} else {
                                        							goto L50;
                                        						}
                                        						while(1) {
                                        							L50:
                                        							_t92 = _t327 - 0x10; // -24
                                        							_t282 = _t331;
                                        							_t230 = E016E4AEF(_t331, _t92, _t331,  &_v24,  &_v36,  &_v28, _v20, _v12);
                                        							__eflags = _t230;
                                        							if(_t230 == 0) {
                                        								goto L59;
                                        							}
                                        							_t327 =  *_t327;
                                        							__eflags = _t327 - _t261;
                                        							if(_t327 != _t261) {
                                        								continue;
                                        							}
                                        							_t184 = _v24;
                                        							_t282 = _v36;
                                        							goto L53;
                                        						}
                                        						goto L59;
                                        					} else {
                                        						while(1) {
                                        							_t39 = _t326 + 0x18; // 0x10
                                        							_t264 = _t39;
                                        							if(_t331[0x13] != 0) {
                                        								_t319 = _t331[0x14] ^  *_t264;
                                        								 *_t264 = _t319;
                                        								_t303 = _t319 >> 0x00000010 ^ _t319 >> 0x00000008 ^ _t319;
                                        								_t348 = _t319 >> 0x18 - _t303;
                                        								if(_t319 >> 0x18 != _t303) {
                                        									_push(_t303);
                                        									E016DFA2B(_t264, _t331, _t264, _t326, _t331, _t348);
                                        								}
                                        								_t281 = 0x81;
                                        							}
                                        							_t317 = _v20;
                                        							if(_t317 != 0) {
                                        								_t241 =  *(_t326 + 0xa) & 0x0000ffff;
                                        								_t350 = _t241;
                                        								if(_t350 != 0) {
                                        									if(_t350 >= 0) {
                                        										__eflags = _t241 & 0x00000800;
                                        										if(__eflags == 0) {
                                        											__eflags = _t241 - _t331[0x21];
                                        											if(__eflags < 0) {
                                        												_t298 = _t241;
                                        												_t65 = _t317 + _t298 * 4;
                                        												 *_t65 =  *(_t317 + _t298 * 4) + ( *(_t326 + 0x10) >> 3);
                                        												__eflags =  *_t65;
                                        											}
                                        										}
                                        									} else {
                                        										_t244 = _t241 & 0x00007fff;
                                        										if(_t244 < _t281) {
                                        											 *((intOrPtr*)(_v12 + _t244 * 4)) =  *((intOrPtr*)(_v12 + _t244 * 4)) + ( *(_t326 + 0x10) >> 3);
                                        										}
                                        									}
                                        								}
                                        							}
                                        							if(( *(_t326 + 0x1a) & 0x00000004) != 0 && E016D23E3(_t331, _t264) == 0) {
                                        								break;
                                        							}
                                        							if(_t331[0x13] != 0) {
                                        								_t264[0] = _t264[0] ^ _t264[0] ^  *_t264;
                                        								 *_t264 =  *_t264 ^ _t331[0x14];
                                        							}
                                        							_t326 =  *_t326;
                                        							if( &(_t331[0x27]) == _t326) {
                                        								goto L49;
                                        							} else {
                                        								_t281 = 0x81;
                                        								continue;
                                        							}
                                        						}
                                        						__eflags = _t331[0x13];
                                        						if(_t331[0x13] != 0) {
                                        							 *(_t326 + 0x1b) =  *(_t326 + 0x1a) ^  *(_t326 + 0x19) ^  *(_t326 + 0x18);
                                        							 *(_t326 + 0x18) =  *(_t326 + 0x18) ^ _t331[0x14];
                                        						}
                                        						goto L65;
                                        					}
                                        				} else {
                                        					L83:
                                        					return _t267;
                                        				}
                                        			}


                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                                        • API String ID: 0-1357697941
                                        • Opcode ID: e62e5642ffebf3f968ba5d42f74f1b06d3c02b54ea84a095697e351bf55c4522
                                        • Instruction ID: c354e8cf366179c4ed64f68c740f97c33cbeb53464c89a0f30de9b13ac8f0e82
                                        • Opcode Fuzzy Hash: e62e5642ffebf3f968ba5d42f74f1b06d3c02b54ea84a095697e351bf55c4522
                                        • Instruction Fuzzy Hash: 40F10E31602656DFDB25CFA9C888BAABBF2FF05300F198259E546D7641CB30A985CB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 72%
                                        			E0164A309(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
                                        				char _v8;
                                        				signed short _v12;
                                        				signed short _v16;
                                        				signed int _v20;
                                        				signed int _v24;
                                        				signed short _v28;
                                        				signed int _v32;
                                        				signed int _v36;
                                        				signed int _v40;
                                        				signed int _v44;
                                        				signed int _v48;
                                        				unsigned int _v52;
                                        				signed int _v56;
                                        				void* _v60;
                                        				intOrPtr _v64;
                                        				void* _v72;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __ebp;
                                        				unsigned int _t246;
                                        				signed char _t247;
                                        				signed short _t249;
                                        				unsigned int _t256;
                                        				signed int _t262;
                                        				signed int _t265;
                                        				signed int _t266;
                                        				signed int _t267;
                                        				intOrPtr _t270;
                                        				signed int _t280;
                                        				signed int _t286;
                                        				signed int _t289;
                                        				intOrPtr _t290;
                                        				signed int _t291;
                                        				signed int _t317;
                                        				signed short _t320;
                                        				intOrPtr _t327;
                                        				signed int _t339;
                                        				signed int _t344;
                                        				signed int _t347;
                                        				intOrPtr _t348;
                                        				signed int _t350;
                                        				signed int _t352;
                                        				signed int _t353;
                                        				signed int _t356;
                                        				intOrPtr _t357;
                                        				intOrPtr _t366;
                                        				signed int _t367;
                                        				signed int _t370;
                                        				intOrPtr _t371;
                                        				signed int _t372;
                                        				signed int _t394;
                                        				signed short _t402;
                                        				intOrPtr _t404;
                                        				intOrPtr _t415;
                                        				signed int _t430;
                                        				signed int _t433;
                                        				signed int _t437;
                                        				signed int _t445;
                                        				signed short _t446;
                                        				signed short _t449;
                                        				signed short _t452;
                                        				signed int _t455;
                                        				signed int _t460;
                                        				signed short* _t468;
                                        				signed int _t480;
                                        				signed int _t481;
                                        				signed int _t483;
                                        				intOrPtr _t484;
                                        				signed int _t491;
                                        				unsigned int _t506;
                                        				unsigned int _t508;
                                        				signed int _t513;
                                        				signed int _t514;
                                        				signed int _t521;
                                        				signed short* _t533;
                                        				signed int _t541;
                                        				signed int _t543;
                                        				signed int _t546;
                                        				unsigned int _t551;
                                        				signed int _t553;
                                        
                                        				_t450 = __ecx;
                                        				_t553 = __ecx;
                                        				_t539 = __edx;
                                        				_v28 = 0;
                                        				_v40 = 0;
                                        				if(( *(__ecx + 0xcc) ^  *0x1718a68) != 0) {
                                        					_push(_a4);
                                        					_t513 = __edx;
                                        					L11:
                                        					_t246 = E0164A830(_t450, _t513);
                                        					L7:
                                        					return _t246;
                                        				}
                                        				if(_a8 != 0) {
                                        					__eflags =  *(__edx + 2) & 0x00000008;
                                        					if(( *(__edx + 2) & 0x00000008) != 0) {
                                        						 *((intOrPtr*)(__ecx + 0x230)) =  *((intOrPtr*)(__ecx + 0x230)) - 1;
                                        						_t430 = E0164DF24(__edx,  &_v12,  &_v16);
                                        						__eflags = _t430;
                                        						if(_t430 != 0) {
                                        							_t157 = _t553 + 0x234;
                                        							 *_t157 =  *(_t553 + 0x234) - _v16;
                                        							__eflags =  *_t157;
                                        						}
                                        					}
                                        					_t445 = _a4;
                                        					_t514 = _t539;
                                        					_v48 = _t539;
                                        					L14:
                                        					_t247 =  *((intOrPtr*)(_t539 + 6));
                                        					__eflags = _t247;
                                        					if(_t247 == 0) {
                                        						_t541 = _t553;
                                        					} else {
                                        						_t541 = (_t539 & 0xffff0000) - ((_t247 & 0x000000ff) << 0x10) + 0x10000;
                                        						__eflags = _t541;
                                        					}
                                        					_t249 = 7 + _t445 * 8 + _t514;
                                        					_v12 = _t249;
                                        					__eflags =  *_t249 - 3;
                                        					if( *_t249 == 3) {
                                        						_v16 = _t514 + _t445 * 8 + 8;
                                        						E01629373(_t553, _t514 + _t445 * 8 + 8);
                                        						_t452 = _v16;
                                        						_v28 =  *(_t452 + 0x10);
                                        						 *((intOrPtr*)(_t541 + 0x30)) =  *((intOrPtr*)(_t541 + 0x30)) - 1;
                                        						_v36 =  *(_t452 + 0x14);
                                        						 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) - ( *(_t452 + 0x14) >> 0xc);
                                        						 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) +  *(_t452 + 0x14);
                                        						 *((intOrPtr*)(_t553 + 0x1f8)) =  *((intOrPtr*)(_t553 + 0x1f8)) - 1;
                                        						_t256 =  *(_t452 + 0x14);
                                        						__eflags = _t256 - 0x7f000;
                                        						if(_t256 >= 0x7f000) {
                                        							_t142 = _t553 + 0x1ec;
                                        							 *_t142 =  *(_t553 + 0x1ec) - _t256;
                                        							__eflags =  *_t142;
                                        							_t256 =  *(_t452 + 0x14);
                                        						}
                                        						_t513 = _v48;
                                        						_t445 = _t445 + (_t256 >> 3) + 0x20;
                                        						_a4 = _t445;
                                        						_v40 = 1;
                                        					} else {
                                        						_t27 =  &_v36;
                                        						 *_t27 = _v36 & 0x00000000;
                                        						__eflags =  *_t27;
                                        					}
                                        					__eflags =  *((intOrPtr*)(_t553 + 0x54)) -  *((intOrPtr*)(_t513 + 4));
                                        					if( *((intOrPtr*)(_t553 + 0x54)) ==  *((intOrPtr*)(_t513 + 4))) {
                                        						_v44 = _t513;
                                        						_t262 = E0162A9EF(_t541, _t513);
                                        						__eflags = _a8;
                                        						_v32 = _t262;
                                        						if(_a8 != 0) {
                                        							__eflags = _t262;
                                        							if(_t262 == 0) {
                                        								goto L19;
                                        							}
                                        						}
                                        						__eflags =  *0x1718748 - 1;
                                        						if( *0x1718748 >= 1) {
                                        							__eflags = _t262;
                                        							if(_t262 == 0) {
                                        								_t415 =  *[fs:0x30];
                                        								__eflags =  *(_t415 + 0xc);
                                        								if( *(_t415 + 0xc) == 0) {
                                        									_push("HEAP: ");
                                        									E0162B150();
                                        								} else {
                                        									E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        								}
                                        								_push("(UCRBlock != NULL)");
                                        								E0162B150();
                                        								__eflags =  *0x1717bc8;
                                        								if( *0x1717bc8 == 0) {
                                        									__eflags = 1;
                                        									E016E2073(_t445, 1, _t541, 1);
                                        								}
                                        								_t513 = _v48;
                                        								_t445 = _a4;
                                        							}
                                        						}
                                        						_t350 = _v40;
                                        						_t480 = _t445 << 3;
                                        						_v20 = _t480;
                                        						_t481 = _t480 + _t513;
                                        						_v24 = _t481;
                                        						__eflags = _t350;
                                        						if(_t350 == 0) {
                                        							_t481 = _t481 + 0xfffffff0;
                                        							__eflags = _t481;
                                        						}
                                        						_t483 = (_t481 & 0xfffff000) - _v44;
                                        						__eflags = _t483;
                                        						_v52 = _t483;
                                        						if(_t483 == 0) {
                                        							__eflags =  *0x1718748 - 1;
                                        							if( *0x1718748 < 1) {
                                        								goto L9;
                                        							}
                                        							__eflags = _t350;
                                        							goto L146;
                                        						} else {
                                        							_t352 = E0165174B( &_v44,  &_v52, 0x4000);
                                        							__eflags = _t352;
                                        							if(_t352 < 0) {
                                        								goto L94;
                                        							}
                                        							_t353 = E01647D50();
                                        							_t447 = 0x7ffe0380;
                                        							__eflags = _t353;
                                        							if(_t353 != 0) {
                                        								_t356 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                        							} else {
                                        								_t356 = 0x7ffe0380;
                                        							}
                                        							__eflags =  *_t356;
                                        							if( *_t356 != 0) {
                                        								_t357 =  *[fs:0x30];
                                        								__eflags =  *(_t357 + 0x240) & 0x00000001;
                                        								if(( *(_t357 + 0x240) & 0x00000001) != 0) {
                                        									E016E14FB(_t447, _t553, _v44, _v52, 5);
                                        								}
                                        							}
                                        							_t358 = _v32;
                                        							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
                                        							_t484 =  *((intOrPtr*)(_v32 + 0x14));
                                        							__eflags = _t484 - 0x7f000;
                                        							if(_t484 >= 0x7f000) {
                                        								_t90 = _t553 + 0x1ec;
                                        								 *_t90 =  *(_t553 + 0x1ec) - _t484;
                                        								__eflags =  *_t90;
                                        							}
                                        							E01629373(_t553, _t358);
                                        							_t486 = _v32;
                                        							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
                                        							E01629819(_t486);
                                        							 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) + (_v52 >> 0xc);
                                        							 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) - _v52;
                                        							_t366 =  *((intOrPtr*)(_v32 + 0x14));
                                        							__eflags = _t366 - 0x7f000;
                                        							if(_t366 >= 0x7f000) {
                                        								_t104 = _t553 + 0x1ec;
                                        								 *_t104 =  *(_t553 + 0x1ec) + _t366;
                                        								__eflags =  *_t104;
                                        							}
                                        							__eflags = _v40;
                                        							if(_v40 == 0) {
                                        								_t533 = _v52 + _v44;
                                        								_v32 = _t533;
                                        								_t533[2] =  *((intOrPtr*)(_t553 + 0x54));
                                        								__eflags = _v24 - _v52 + _v44;
                                        								if(_v24 == _v52 + _v44) {
                                        									__eflags =  *(_t553 + 0x4c);
                                        									if( *(_t553 + 0x4c) != 0) {
                                        										_t533[1] = _t533[1] ^ _t533[0] ^  *_t533;
                                        										 *_t533 =  *_t533 ^  *(_t553 + 0x50);
                                        									}
                                        								} else {
                                        									_t449 = 0;
                                        									_t533[3] = 0;
                                        									_t533[1] = 0;
                                        									_t394 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
                                        									_t491 = _t394;
                                        									 *_t533 = _t394;
                                        									__eflags =  *0x1718748 - 1; // 0x0
                                        									if(__eflags >= 0) {
                                        										__eflags = _t491 - 1;
                                        										if(_t491 <= 1) {
                                        											_t404 =  *[fs:0x30];
                                        											__eflags =  *(_t404 + 0xc);
                                        											if( *(_t404 + 0xc) == 0) {
                                        												_push("HEAP: ");
                                        												E0162B150();
                                        											} else {
                                        												E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        											}
                                        											_push("((LONG)FreeEntry->Size > 1)");
                                        											E0162B150();
                                        											_pop(_t491);
                                        											__eflags =  *0x1717bc8 - _t449; // 0x0
                                        											if(__eflags == 0) {
                                        												__eflags = 0;
                                        												_t491 = 1;
                                        												E016E2073(_t449, 1, _t541, 0);
                                        											}
                                        											_t533 = _v32;
                                        										}
                                        									}
                                        									_t533[1] = _t449;
                                        									__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
                                        									if( *((intOrPtr*)(_t541 + 0x18)) != _t541) {
                                        										_t402 = (_t533 - _t541 >> 0x10) + 1;
                                        										_v16 = _t402;
                                        										__eflags = _t402 - 0xfe;
                                        										if(_t402 >= 0xfe) {
                                        											_push(_t491);
                                        											_push(_t449);
                                        											E016EA80D( *((intOrPtr*)(_t541 + 0x18)), 3, _t533, _t541);
                                        											_t533 = _v48;
                                        											_t402 = _v32;
                                        										}
                                        										_t449 = _t402;
                                        									}
                                        									_t533[3] = _t449;
                                        									E0164A830(_t553, _t533,  *_t533 & 0x0000ffff);
                                        									_t447 = 0x7ffe0380;
                                        								}
                                        							}
                                        							_t367 = E01647D50();
                                        							__eflags = _t367;
                                        							if(_t367 != 0) {
                                        								_t370 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                        							} else {
                                        								_t370 = _t447;
                                        							}
                                        							__eflags =  *_t370;
                                        							if( *_t370 != 0) {
                                        								_t371 =  *[fs:0x30];
                                        								__eflags =  *(_t371 + 0x240) & 1;
                                        								if(( *(_t371 + 0x240) & 1) != 0) {
                                        									__eflags = E01647D50();
                                        									if(__eflags != 0) {
                                        										_t447 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                        										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                        									}
                                        									E016E1411(_t447, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _v40, _v36,  *_t447 & 0x000000ff);
                                        								}
                                        							}
                                        							_t372 = E01647D50();
                                        							_t546 = 0x7ffe038a;
                                        							_t446 = 0x230;
                                        							__eflags = _t372;
                                        							if(_t372 != 0) {
                                        								_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                        							} else {
                                        								_t246 = 0x7ffe038a;
                                        							}
                                        							__eflags =  *_t246;
                                        							if( *_t246 == 0) {
                                        								goto L7;
                                        							} else {
                                        								__eflags = E01647D50();
                                        								if(__eflags != 0) {
                                        									_t546 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t446;
                                        									__eflags = _t546;
                                        								}
                                        								_push( *_t546 & 0x000000ff);
                                        								_push(_v36);
                                        								_push(_v40);
                                        								goto L120;
                                        							}
                                        						}
                                        					} else {
                                        						L19:
                                        						_t31 = _t513 + 0x101f; // 0x101f
                                        						_t455 = _t31 & 0xfffff000;
                                        						_t32 = _t513 + 0x28; // 0x28
                                        						_v44 = _t455;
                                        						__eflags = _t455 - _t32;
                                        						if(_t455 == _t32) {
                                        							_t455 = _t455 + 0x1000;
                                        							_v44 = _t455;
                                        						}
                                        						_t265 = _t445 << 3;
                                        						_v24 = _t265;
                                        						_t266 = _t265 + _t513;
                                        						__eflags = _v40;
                                        						_v20 = _t266;
                                        						if(_v40 == 0) {
                                        							_t266 = _t266 + 0xfffffff0;
                                        							__eflags = _t266;
                                        						}
                                        						_t267 = _t266 & 0xfffff000;
                                        						_v52 = _t267;
                                        						__eflags = _t267 - _t455;
                                        						if(_t267 < _t455) {
                                        							__eflags =  *0x1718748 - 1; // 0x0
                                        							if(__eflags < 0) {
                                        								L9:
                                        								_t450 = _t553;
                                        								L10:
                                        								_push(_t445);
                                        								goto L11;
                                        							}
                                        							__eflags = _v40;
                                        							L146:
                                        							if(__eflags == 0) {
                                        								goto L9;
                                        							}
                                        							_t270 =  *[fs:0x30];
                                        							__eflags =  *(_t270 + 0xc);
                                        							if( *(_t270 + 0xc) == 0) {
                                        								_push("HEAP: ");
                                        								E0162B150();
                                        							} else {
                                        								E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        							}
                                        							_push("(!TrailingUCR)");
                                        							E0162B150();
                                        							__eflags =  *0x1717bc8;
                                        							if( *0x1717bc8 == 0) {
                                        								__eflags = 0;
                                        								E016E2073(_t445, 1, _t541, 0);
                                        							}
                                        							L152:
                                        							_t445 = _a4;
                                        							L153:
                                        							_t513 = _v48;
                                        							goto L9;
                                        						}
                                        						_v32 = _t267;
                                        						_t280 = _t267 - _t455;
                                        						_v32 = _v32 - _t455;
                                        						__eflags = _a8;
                                        						_t460 = _v32;
                                        						_v52 = _t460;
                                        						if(_a8 != 0) {
                                        							L27:
                                        							__eflags = _t280;
                                        							if(_t280 == 0) {
                                        								L33:
                                        								_t446 = 0;
                                        								__eflags = _v40;
                                        								if(_v40 == 0) {
                                        									_t468 = _v44 + _v52;
                                        									_v36 = _t468;
                                        									_t468[2] =  *((intOrPtr*)(_t553 + 0x54));
                                        									__eflags = _v20 - _v52 + _v44;
                                        									if(_v20 == _v52 + _v44) {
                                        										__eflags =  *(_t553 + 0x4c);
                                        										if( *(_t553 + 0x4c) != 0) {
                                        											_t468[1] = _t468[1] ^ _t468[0] ^  *_t468;
                                        											 *_t468 =  *_t468 ^  *(_t553 + 0x50);
                                        										}
                                        									} else {
                                        										_t468[3] = 0;
                                        										_t468[1] = 0;
                                        										_t317 = _v24 - _v52 - _v44 + _t513 >> 0x00000003 & 0x0000ffff;
                                        										_t521 = _t317;
                                        										 *_t468 = _t317;
                                        										__eflags =  *0x1718748 - 1; // 0x0
                                        										if(__eflags >= 0) {
                                        											__eflags = _t521 - 1;
                                        											if(_t521 <= 1) {
                                        												_t327 =  *[fs:0x30];
                                        												__eflags =  *(_t327 + 0xc);
                                        												if( *(_t327 + 0xc) == 0) {
                                        													_push("HEAP: ");
                                        													E0162B150();
                                        												} else {
                                        													E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        												}
                                        												_push("(LONG)FreeEntry->Size > 1");
                                        												E0162B150();
                                        												__eflags =  *0x1717bc8 - _t446; // 0x0
                                        												if(__eflags == 0) {
                                        													__eflags = 1;
                                        													E016E2073(_t446, 1, _t541, 1);
                                        												}
                                        												_t468 = _v36;
                                        											}
                                        										}
                                        										_t468[1] = _t446;
                                        										_t522 =  *((intOrPtr*)(_t541 + 0x18));
                                        										__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
                                        										if( *((intOrPtr*)(_t541 + 0x18)) == _t541) {
                                        											_t320 = _t446;
                                        										} else {
                                        											_t320 = (_t468 - _t541 >> 0x10) + 1;
                                        											_v12 = _t320;
                                        											__eflags = _t320 - 0xfe;
                                        											if(_t320 >= 0xfe) {
                                        												_push(_t468);
                                        												_push(_t446);
                                        												E016EA80D(_t522, 3, _t468, _t541);
                                        												_t468 = _v52;
                                        												_t320 = _v28;
                                        											}
                                        										}
                                        										_t468[3] = _t320;
                                        										E0164A830(_t553, _t468,  *_t468 & 0x0000ffff);
                                        									}
                                        								}
                                        								E0164B73D(_t553, _t541, _v44 + 0xffffffe8, _v52, _v48,  &_v8);
                                        								E0164A830(_t553, _v64, _v24);
                                        								_t286 = E01647D50();
                                        								_t542 = 0x7ffe0380;
                                        								__eflags = _t286;
                                        								if(_t286 != 0) {
                                        									_t289 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                        								} else {
                                        									_t289 = 0x7ffe0380;
                                        								}
                                        								__eflags =  *_t289;
                                        								if( *_t289 != 0) {
                                        									_t290 =  *[fs:0x30];
                                        									__eflags =  *(_t290 + 0x240) & 1;
                                        									if(( *(_t290 + 0x240) & 1) != 0) {
                                        										__eflags = E01647D50();
                                        										if(__eflags != 0) {
                                        											_t542 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                        											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                        										}
                                        										E016E1411(_t446, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _t446, _t446,  *_t542 & 0x000000ff);
                                        									}
                                        								}
                                        								_t291 = E01647D50();
                                        								_t543 = 0x7ffe038a;
                                        								__eflags = _t291;
                                        								if(_t291 != 0) {
                                        									_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                        								} else {
                                        									_t246 = 0x7ffe038a;
                                        								}
                                        								__eflags =  *_t246;
                                        								if( *_t246 != 0) {
                                        									__eflags = E01647D50();
                                        									if(__eflags != 0) {
                                        										_t543 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                        										__eflags = _t543;
                                        									}
                                        									_push( *_t543 & 0x000000ff);
                                        									_push(_t446);
                                        									_push(_t446);
                                        									L120:
                                        									_push( *(_t553 + 0x74) << 3);
                                        									_push(_v52);
                                        									_t246 = E016E1411(_t446, _t553, _v44, __eflags);
                                        								}
                                        								goto L7;
                                        							}
                                        							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
                                        							_t339 = E0165174B( &_v44,  &_v52, 0x4000);
                                        							__eflags = _t339;
                                        							if(_t339 < 0) {
                                        								L94:
                                        								 *((intOrPtr*)(_t553 + 0x210)) =  *((intOrPtr*)(_t553 + 0x210)) + 1;
                                        								__eflags = _v40;
                                        								if(_v40 == 0) {
                                        									goto L153;
                                        								}
                                        								E0164B73D(_t553, _t541, _v28 + 0xffffffe8, _v36, _v48,  &_a4);
                                        								goto L152;
                                        							}
                                        							_t344 = E01647D50();
                                        							__eflags = _t344;
                                        							if(_t344 != 0) {
                                        								_t347 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                        							} else {
                                        								_t347 = 0x7ffe0380;
                                        							}
                                        							__eflags =  *_t347;
                                        							if( *_t347 != 0) {
                                        								_t348 =  *[fs:0x30];
                                        								__eflags =  *(_t348 + 0x240) & 1;
                                        								if(( *(_t348 + 0x240) & 1) != 0) {
                                        									E016E14FB(_t445, _t553, _v44, _v52, 6);
                                        								}
                                        							}
                                        							_t513 = _v48;
                                        							goto L33;
                                        						}
                                        						__eflags =  *_v12 - 3;
                                        						_t513 = _v48;
                                        						if( *_v12 == 3) {
                                        							goto L27;
                                        						}
                                        						__eflags = _t460;
                                        						if(_t460 == 0) {
                                        							goto L9;
                                        						}
                                        						__eflags = _t460 -  *((intOrPtr*)(_t553 + 0x6c));
                                        						if(_t460 <  *((intOrPtr*)(_t553 + 0x6c))) {
                                        							goto L9;
                                        						}
                                        						goto L27;
                                        					}
                                        				}
                                        				_t445 = _a4;
                                        				if(_t445 <  *((intOrPtr*)(__ecx + 0x6c))) {
                                        					_t513 = __edx;
                                        					goto L10;
                                        				}
                                        				_t433 =  *((intOrPtr*)(__ecx + 0x74)) + _t445;
                                        				_v20 = _t433;
                                        				if(_t433 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1e8) >>  *((intOrPtr*)(__ecx + 0x240)) + 3) {
                                        					_t513 = _t539;
                                        					goto L9;
                                        				} else {
                                        					_t437 = E016499BF(__ecx, __edx,  &_a4, 0);
                                        					_t445 = _a4;
                                        					_t514 = _t437;
                                        					_v56 = _t514;
                                        					if(_t445 - 0x201 > 0xfbff) {
                                        						goto L14;
                                        					} else {
                                        						E0164A830(__ecx, _t514, _t445);
                                        						_t506 =  *(_t553 + 0x238);
                                        						_t551 =  *((intOrPtr*)(_t553 + 0x1e8)) - ( *(_t553 + 0x74) << 3);
                                        						_t246 = _t506 >> 4;
                                        						if(_t551 < _t506 - _t246) {
                                        							_t508 =  *(_t553 + 0x23c);
                                        							_t246 = _t508 >> 2;
                                        							__eflags = _t551 - _t508 - _t246;
                                        							if(_t551 > _t508 - _t246) {
                                        								_t246 = E0165ABD8(_t553);
                                        								 *(_t553 + 0x23c) = _t551;
                                        								 *(_t553 + 0x238) = _t551;
                                        							}
                                        						}
                                        						goto L7;
                                        					}
                                        				}
                                        			}


                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                        • API String ID: 0-523794902
                                        • Opcode ID: 6f555d18efe0a183ac37ce3301aa3c25c08c97ed996920cb854049b613eb3950
                                        • Instruction ID: a58218d68883bb604f2bbf9ab8a1bdff1839293b13ab0011d1eb6539b736bb00
                                        • Opcode Fuzzy Hash: 6f555d18efe0a183ac37ce3301aa3c25c08c97ed996920cb854049b613eb3950
                                        • Instruction Fuzzy Hash: 74421031244742AFDB15CF68CC94B2ABBEAFF84214F14896DE586CB352D734D981CB51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 64%
                                        			E016E2D82(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
                                        				signed int _t83;
                                        				signed char _t89;
                                        				intOrPtr _t90;
                                        				signed char _t101;
                                        				signed int _t102;
                                        				intOrPtr _t104;
                                        				signed int _t105;
                                        				signed int _t106;
                                        				intOrPtr _t108;
                                        				intOrPtr _t112;
                                        				short* _t130;
                                        				short _t131;
                                        				signed int _t148;
                                        				intOrPtr _t149;
                                        				signed int* _t154;
                                        				short* _t165;
                                        				signed int _t171;
                                        				void* _t182;
                                        
                                        				_push(0x44);
                                        				_push(0x1700e80);
                                        				E0167D0E8(__ebx, __edi, __esi);
                                        				_t177 = __edx;
                                        				_t181 = __ecx;
                                        				 *((intOrPtr*)(_t182 - 0x44)) = __ecx;
                                        				 *((char*)(_t182 - 0x1d)) = 0;
                                        				 *(_t182 - 0x24) = 0;
                                        				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
                                        					 *((intOrPtr*)(_t182 - 4)) = 0;
                                        					 *((intOrPtr*)(_t182 - 4)) = 1;
                                        					_t83 = E016240E1("RtlAllocateHeap");
                                        					__eflags = _t83;
                                        					if(_t83 == 0) {
                                        						L48:
                                        						 *(_t182 - 0x24) = 0;
                                        						L49:
                                        						 *((intOrPtr*)(_t182 - 4)) = 0;
                                        						 *((intOrPtr*)(_t182 - 4)) = 0xfffffffe;
                                        						E016E30C4();
                                        						goto L50;
                                        					}
                                        					_t89 =  *(__ecx + 0x44) | __edx | 0x10000100;
                                        					 *(_t182 - 0x28) = _t89;
                                        					 *(_t182 - 0x3c) = _t89;
                                        					_t177 =  *(_t182 + 8);
                                        					__eflags = _t177;
                                        					if(_t177 == 0) {
                                        						_t171 = 1;
                                        						__eflags = 1;
                                        					} else {
                                        						_t171 = _t177;
                                        					}
                                        					_t148 =  *((intOrPtr*)(_t181 + 0x94)) + _t171 &  *(_t181 + 0x98);
                                        					__eflags = _t148 - 0x10;
                                        					if(_t148 < 0x10) {
                                        						_t148 = 0x10;
                                        					}
                                        					_t149 = _t148 + 8;
                                        					 *((intOrPtr*)(_t182 - 0x48)) = _t149;
                                        					__eflags = _t149 - _t177;
                                        					if(_t149 < _t177) {
                                        						L44:
                                        						_t90 =  *[fs:0x30];
                                        						__eflags =  *(_t90 + 0xc);
                                        						if( *(_t90 + 0xc) == 0) {
                                        							_push("HEAP: ");
                                        							E0162B150();
                                        						} else {
                                        							E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        						}
                                        						_push( *((intOrPtr*)(_t181 + 0x78)));
                                        						E0162B150("Invalid allocation size - %Ix (exceeded %Ix)\n", _t177);
                                        						goto L48;
                                        					} else {
                                        						__eflags = _t149 -  *((intOrPtr*)(_t181 + 0x78));
                                        						if(_t149 >  *((intOrPtr*)(_t181 + 0x78))) {
                                        							goto L44;
                                        						}
                                        						__eflags = _t89 & 0x00000001;
                                        						if((_t89 & 0x00000001) != 0) {
                                        							_t178 =  *(_t182 - 0x28);
                                        						} else {
                                        							E0163EEF0( *((intOrPtr*)(_t181 + 0xc8)));
                                        							 *((char*)(_t182 - 0x1d)) = 1;
                                        							_t178 =  *(_t182 - 0x28) | 0x00000001;
                                        							 *(_t182 - 0x3c) =  *(_t182 - 0x28) | 0x00000001;
                                        						}
                                        						E016E4496(_t181, 0);
                                        						_t177 = L01644620(_t181, _t181, _t178,  *(_t182 + 8));
                                        						 *(_t182 - 0x24) = _t177;
                                        						_t173 = 1;
                                        						E016E49A4(_t181);
                                        						__eflags = _t177;
                                        						if(_t177 == 0) {
                                        							goto L49;
                                        						} else {
                                        							_t177 = _t177 + 0xfffffff8;
                                        							__eflags =  *((char*)(_t177 + 7)) - 5;
                                        							if( *((char*)(_t177 + 7)) == 5) {
                                        								_t177 = _t177 - (( *(_t177 + 6) & 0x000000ff) << 3);
                                        								__eflags = _t177;
                                        							}
                                        							_t154 = _t177;
                                        							 *(_t182 - 0x40) = _t177;
                                        							__eflags =  *(_t181 + 0x4c);
                                        							if( *(_t181 + 0x4c) != 0) {
                                        								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
                                        								__eflags =  *(_t177 + 3) - (_t154[0] ^ _t154[0] ^  *_t154);
                                        								if(__eflags != 0) {
                                        									_push(_t154);
                                        									_t173 = _t177;
                                        									E016DFA2B(0, _t181, _t177, _t177, _t181, __eflags);
                                        								}
                                        							}
                                        							__eflags =  *(_t177 + 2) & 0x00000002;
                                        							if(( *(_t177 + 2) & 0x00000002) == 0) {
                                        								_t101 =  *(_t177 + 3);
                                        								 *(_t182 - 0x29) = _t101;
                                        								_t102 = _t101 & 0x000000ff;
                                        							} else {
                                        								_t130 = E01621F5B(_t177);
                                        								 *((intOrPtr*)(_t182 - 0x30)) = _t130;
                                        								__eflags =  *(_t181 + 0x40) & 0x08000000;
                                        								if(( *(_t181 + 0x40) & 0x08000000) == 0) {
                                        									 *_t130 = 0;
                                        								} else {
                                        									_t131 = E016516C7(1, _t173);
                                        									_t165 =  *((intOrPtr*)(_t182 - 0x30));
                                        									 *_t165 = _t131;
                                        									_t130 = _t165;
                                        								}
                                        								_t102 =  *(_t130 + 2) & 0x0000ffff;
                                        							}
                                        							 *(_t182 - 0x34) = _t102;
                                        							 *(_t182 - 0x28) = _t102;
                                        							__eflags =  *(_t181 + 0x4c);
                                        							if( *(_t181 + 0x4c) != 0) {
                                        								 *(_t177 + 3) =  *(_t177 + 2) ^  *(_t177 + 1) ^  *_t177;
                                        								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
                                        								__eflags =  *_t177;
                                        							}
                                        							__eflags =  *(_t181 + 0x40) & 0x20000000;
                                        							if(( *(_t181 + 0x40) & 0x20000000) != 0) {
                                        								__eflags = 0;
                                        								E016E4496(_t181, 0);
                                        							}
                                        							__eflags =  *(_t182 - 0x24) -  *0x1716360; // 0x0
                                        							_t104 =  *[fs:0x30];
                                        							if(__eflags != 0) {
                                        								_t105 =  *(_t104 + 0x68);
                                        								 *(_t182 - 0x4c) = _t105;
                                        								__eflags = _t105 & 0x00000800;
                                        								if((_t105 & 0x00000800) == 0) {
                                        									goto L49;
                                        								}
                                        								_t106 =  *(_t182 - 0x34);
                                        								__eflags = _t106;
                                        								if(_t106 == 0) {
                                        									goto L49;
                                        								}
                                        								__eflags = _t106 -  *0x1716364; // 0x0
                                        								if(__eflags != 0) {
                                        									goto L49;
                                        								}
                                        								__eflags =  *((intOrPtr*)(_t181 + 0x7c)) -  *0x1716366; // 0x0
                                        								if(__eflags != 0) {
                                        									goto L49;
                                        								}
                                        								_t108 =  *[fs:0x30];
                                        								__eflags =  *(_t108 + 0xc);
                                        								if( *(_t108 + 0xc) == 0) {
                                        									_push("HEAP: ");
                                        									E0162B150();
                                        								} else {
                                        									E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        								}
                                        								_push(E016CD455(_t181,  *(_t182 - 0x28)));
                                        								_push( *(_t182 + 8));
                                        								E0162B150("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t182 - 0x24));
                                        								goto L34;
                                        							} else {
                                        								__eflags =  *(_t104 + 0xc);
                                        								if( *(_t104 + 0xc) == 0) {
                                        									_push("HEAP: ");
                                        									E0162B150();
                                        								} else {
                                        									E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        								}
                                        								_push( *(_t182 + 8));
                                        								E0162B150("Just allocated block at %p for %Ix bytes\n",  *0x1716360);
                                        								L34:
                                        								_t112 =  *[fs:0x30];
                                        								__eflags =  *((char*)(_t112 + 2));
                                        								if( *((char*)(_t112 + 2)) != 0) {
                                        									 *0x1716378 = 1;
                                        									 *0x17160c0 = 0;
                                        									asm("int3");
                                        									 *0x1716378 = 0;
                                        								}
                                        								goto L49;
                                        							}
                                        						}
                                        					}
                                        				} else {
                                        					_t181 =  *0x1715708; // 0x0
                                        					 *0x171b1e0(__ecx, __edx,  *(_t182 + 8));
                                        					 *_t181();
                                        					L50:
                                        					return E0167D130(0, _t177, _t181);
                                        				}
                                        			}






















                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                        • API String ID: 0-1745908468
                                        • Opcode ID: 8b5542c3e36e2f6cf28d481346079a72588a7f2152a66c4f39843187869ea29d
                                        • Instruction ID: 5e4a8988300ccab08feed0086c2caef76e05b8b24dd72e6c60a84f629369f680
                                        • Opcode Fuzzy Hash: 8b5542c3e36e2f6cf28d481346079a72588a7f2152a66c4f39843187869ea29d
                                        • Instruction Fuzzy Hash: 5E911F31602641DFDB26DFA8CC58AADBFF2FF49610F18815CE5465B391C7329882CB08
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 96%
                                        			E01633D34(signed int* __ecx) {
                                        				signed int* _v8;
                                        				char _v12;
                                        				signed int* _v16;
                                        				signed int* _v20;
                                        				char _v24;
                                        				signed int _v28;
                                        				signed int _v32;
                                        				char _v36;
                                        				signed int _v40;
                                        				signed int _v44;
                                        				signed int* _v48;
                                        				signed int* _v52;
                                        				signed int _v56;
                                        				signed int _v60;
                                        				char _v68;
                                        				signed int _t140;
                                        				signed int _t161;
                                        				signed int* _t236;
                                        				signed int* _t242;
                                        				signed int* _t243;
                                        				signed int* _t244;
                                        				signed int* _t245;
                                        				signed int _t255;
                                        				void* _t257;
                                        				signed int _t260;
                                        				void* _t262;
                                        				signed int _t264;
                                        				void* _t267;
                                        				signed int _t275;
                                        				signed int* _t276;
                                        				short* _t277;
                                        				signed int* _t278;
                                        				signed int* _t279;
                                        				signed int* _t280;
                                        				short* _t281;
                                        				signed int* _t282;
                                        				short* _t283;
                                        				signed int* _t284;
                                        				void* _t285;
                                        
                                        				_v60 = _v60 | 0xffffffff;
                                        				_t280 = 0;
                                        				_t242 = __ecx;
                                        				_v52 = __ecx;
                                        				_v8 = 0;
                                        				_v20 = 0;
                                        				_v40 = 0;
                                        				_v28 = 0;
                                        				_v32 = 0;
                                        				_v44 = 0;
                                        				_v56 = 0;
                                        				_t275 = 0;
                                        				_v16 = 0;
                                        				if(__ecx == 0) {
                                        					_t280 = 0xc000000d;
                                        					_t140 = 0;
                                        					L50:
                                        					 *_t242 =  *_t242 | 0x00000800;
                                        					_t242[0x13] = _t140;
                                        					_t242[0x16] = _v40;
                                        					_t242[0x18] = _v28;
                                        					_t242[0x14] = _v32;
                                        					_t242[0x17] = _t275;
                                        					_t242[0x15] = _v44;
                                        					_t242[0x11] = _v56;
                                        					_t242[0x12] = _v60;
                                        					return _t280;
                                        				}
                                        				if(E01631B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                        					_v56 = 1;
                                        					if(_v8 != 0) {
                                        						L016477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                        					}
                                        					_v8 = _t280;
                                        				}
                                        				if(E01631B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                        					_v60 =  *_v8;
                                        					L016477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                        					_v8 = _t280;
                                        				}
                                        				if(E01631B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                        					L16:
                                        					if(E01631B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                        						L28:
                                        						if(E01631B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                        							L46:
                                        							_t275 = _v16;
                                        							L47:
                                        							_t161 = 0;
                                        							L48:
                                        							if(_v8 != 0) {
                                        								L016477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                        							}
                                        							_t140 = _v20;
                                        							if(_t140 != 0) {
                                        								if(_t275 != 0) {
                                        									L016477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                        									_t275 = 0;
                                        									_v28 = 0;
                                        									_t140 = _v20;
                                        								}
                                        							}
                                        							goto L50;
                                        						}
                                        						_t167 = _v12;
                                        						_t255 = _v12 + 4;
                                        						_v44 = _t255;
                                        						if(_t255 == 0) {
                                        							_t276 = _t280;
                                        							_v32 = _t280;
                                        						} else {
                                        							_t276 = L01644620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                        							_t167 = _v12;
                                        							_v32 = _t276;
                                        						}
                                        						if(_t276 == 0) {
                                        							_v44 = _t280;
                                        							_t280 = 0xc0000017;
                                        							goto L46;
                                        						} else {
                                        							E0166F3E0(_t276, _v8, _t167);
                                        							_v48 = _t276;
                                        							_t277 = E01671370(_t276, 0x1604e90);
                                        							_pop(_t257);
                                        							if(_t277 == 0) {
                                        								L38:
                                        								_t170 = _v48;
                                        								if( *_v48 != 0) {
                                        									E0166BB40(0,  &_v68, _t170);
                                        									if(L016343C0( &_v68,  &_v24) != 0) {
                                        										_t280 =  &(_t280[0]);
                                        									}
                                        								}
                                        								if(_t280 == 0) {
                                        									_t280 = 0;
                                        									L016477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                        									_v44 = 0;
                                        									_v32 = 0;
                                        								} else {
                                        									_t280 = 0;
                                        								}
                                        								_t174 = _v8;
                                        								if(_v8 != 0) {
                                        									L016477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                        								}
                                        								_v8 = _t280;
                                        								goto L46;
                                        							}
                                        							_t243 = _v48;
                                        							do {
                                        								 *_t277 = 0;
                                        								_t278 = _t277 + 2;
                                        								E0166BB40(_t257,  &_v68, _t243);
                                        								if(L016343C0( &_v68,  &_v24) != 0) {
                                        									_t280 =  &(_t280[0]);
                                        								}
                                        								_t243 = _t278;
                                        								_t277 = E01671370(_t278, 0x1604e90);
                                        								_pop(_t257);
                                        							} while (_t277 != 0);
                                        							_v48 = _t243;
                                        							_t242 = _v52;
                                        							goto L38;
                                        						}
                                        					}
                                        					_t191 = _v12;
                                        					_t260 = _v12 + 4;
                                        					_v28 = _t260;
                                        					if(_t260 == 0) {
                                        						_t275 = _t280;
                                        						_v16 = _t280;
                                        					} else {
                                        						_t275 = L01644620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                        						_t191 = _v12;
                                        						_v16 = _t275;
                                        					}
                                        					if(_t275 == 0) {
                                        						_v28 = _t280;
                                        						_t280 = 0xc0000017;
                                        						goto L47;
                                        					} else {
                                        						E0166F3E0(_t275, _v8, _t191);
                                        						_t285 = _t285 + 0xc;
                                        						_v48 = _t275;
                                        						_t279 = _t280;
                                        						_t281 = E01671370(_v16, 0x1604e90);
                                        						_pop(_t262);
                                        						if(_t281 != 0) {
                                        							_t244 = _v48;
                                        							do {
                                        								 *_t281 = 0;
                                        								_t282 = _t281 + 2;
                                        								E0166BB40(_t262,  &_v68, _t244);
                                        								if(L016343C0( &_v68,  &_v24) != 0) {
                                        									_t279 =  &(_t279[0]);
                                        								}
                                        								_t244 = _t282;
                                        								_t281 = E01671370(_t282, 0x1604e90);
                                        								_pop(_t262);
                                        							} while (_t281 != 0);
                                        							_v48 = _t244;
                                        							_t242 = _v52;
                                        						}
                                        						_t201 = _v48;
                                        						_t280 = 0;
                                        						if( *_v48 != 0) {
                                        							E0166BB40(_t262,  &_v68, _t201);
                                        							if(L016343C0( &_v68,  &_v24) != 0) {
                                        								_t279 =  &(_t279[0]);
                                        							}
                                        						}
                                        						if(_t279 == 0) {
                                        							L016477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                        							_v28 = _t280;
                                        							_v16 = _t280;
                                        						}
                                        						_t202 = _v8;
                                        						if(_v8 != 0) {
                                        							L016477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                        						}
                                        						_v8 = _t280;
                                        						goto L28;
                                        					}
                                        				}
                                        				_t214 = _v12;
                                        				_t264 = _v12 + 4;
                                        				_v40 = _t264;
                                        				if(_t264 == 0) {
                                        					_v20 = _t280;
                                        				} else {
                                        					_t236 = L01644620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                        					_t280 = _t236;
                                        					_v20 = _t236;
                                        					_t214 = _v12;
                                        				}
                                        				if(_t280 == 0) {
                                        					_t161 = 0;
                                        					_t280 = 0xc0000017;
                                        					_v40 = 0;
                                        					goto L48;
                                        				} else {
                                        					E0166F3E0(_t280, _v8, _t214);
                                        					_t285 = _t285 + 0xc;
                                        					_v48 = _t280;
                                        					_t283 = E01671370(_t280, 0x1604e90);
                                        					_pop(_t267);
                                        					if(_t283 != 0) {
                                        						_t245 = _v48;
                                        						do {
                                        							 *_t283 = 0;
                                        							_t284 = _t283 + 2;
                                        							E0166BB40(_t267,  &_v68, _t245);
                                        							if(L016343C0( &_v68,  &_v24) != 0) {
                                        								_t275 = _t275 + 1;
                                        							}
                                        							_t245 = _t284;
                                        							_t283 = E01671370(_t284, 0x1604e90);
                                        							_pop(_t267);
                                        						} while (_t283 != 0);
                                        						_v48 = _t245;
                                        						_t242 = _v52;
                                        					}
                                        					_t224 = _v48;
                                        					_t280 = 0;
                                        					if( *_v48 != 0) {
                                        						E0166BB40(_t267,  &_v68, _t224);
                                        						if(L016343C0( &_v68,  &_v24) != 0) {
                                        							_t275 = _t275 + 1;
                                        						}
                                        					}
                                        					if(_t275 == 0) {
                                        						L016477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                        						_v40 = _t280;
                                        						_v20 = _t280;
                                        					}
                                        					_t225 = _v8;
                                        					if(_v8 != 0) {
                                        						L016477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                        					}
                                        					_v8 = _t280;
                                        					goto L16;
                                        				}
                                        			}











































                                        Strings
                                        • Kernel-MUI-Number-Allowed, xrefs: 01633D8C
                                        • Kernel-MUI-Language-SKU, xrefs: 01633F70
                                        • Kernel-MUI-Language-Allowed, xrefs: 01633DC0
                                        • Kernel-MUI-Language-Disallowed, xrefs: 01633E97
                                        • WindowsExcludedProcs, xrefs: 01633D6F
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                        • API String ID: 0-258546922
                                        • Opcode ID: 6725f12d423d8326447c862f200f8d537a7c31247b54521cad2ed9c7c0061660
                                        • Instruction ID: 84063ce7a656c5c34615c87a0e3f82173667e252c1451ddaf401c219e724ee58
                                        • Opcode Fuzzy Hash: 6725f12d423d8326447c862f200f8d537a7c31247b54521cad2ed9c7c0061660
                                        • Instruction Fuzzy Hash: EBF13A72D00619EBCB16DF98CD80AEEBBBEFF58650F14416AE505A7350DB349E01CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 29%
                                        			E016240E1(void* __edx) {
                                        				void* _t19;
                                        				void* _t29;
                                        
                                        				_t28 = _t19;
                                        				_t29 = __edx;
                                        				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
                                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        						_push("HEAP: ");
                                        						E0162B150();
                                        					} else {
                                        						E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        					}
                                        					E0162B150("Invalid heap signature for heap at %p", _t28);
                                        					if(_t29 != 0) {
                                        						E0162B150(", passed to %s", _t29);
                                        					}
                                        					_push("\n");
                                        					E0162B150();
                                        					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                        						 *0x1716378 = 1;
                                        						asm("int3");
                                        						 *0x1716378 = 0;
                                        					}
                                        					return 0;
                                        				}
                                        				return 1;
                                        			}






                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                                        • API String ID: 0-188067316
                                        • Opcode ID: 4c159c11eb69f13a9dc181f861bd957682f1910306bccf1b92bddb0a063ca1e8
                                        • Instruction ID: f1d267a009c9c3ff19f9290a593ceee4999fb9d7bc8278f5f3e1f401d788f02e
                                        • Opcode Fuzzy Hash: 4c159c11eb69f13a9dc181f861bd957682f1910306bccf1b92bddb0a063ca1e8
                                        • Instruction Fuzzy Hash: D7014C32142A51EED32AA76DEC0DF537BA4DB01B31F29842DF00547781CBE49494C728
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 70%
                                        			E0164A830(intOrPtr __ecx, signed int __edx, signed short _a4) {
                                        				void* _v5;
                                        				signed short _v12;
                                        				intOrPtr _v16;
                                        				signed int _v20;
                                        				signed short _v24;
                                        				signed short _v28;
                                        				signed int _v32;
                                        				signed short _v36;
                                        				signed int _v40;
                                        				intOrPtr _v44;
                                        				intOrPtr _v48;
                                        				signed short* _v52;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __ebp;
                                        				signed int _t131;
                                        				signed char _t134;
                                        				signed int _t138;
                                        				char _t141;
                                        				signed short _t142;
                                        				void* _t146;
                                        				signed short _t147;
                                        				intOrPtr* _t149;
                                        				intOrPtr _t156;
                                        				signed int _t167;
                                        				signed int _t168;
                                        				signed short* _t173;
                                        				signed short _t174;
                                        				intOrPtr* _t182;
                                        				signed short _t184;
                                        				intOrPtr* _t187;
                                        				intOrPtr _t197;
                                        				intOrPtr _t206;
                                        				intOrPtr _t210;
                                        				signed short _t211;
                                        				intOrPtr* _t212;
                                        				signed short _t214;
                                        				signed int _t216;
                                        				intOrPtr _t217;
                                        				signed char _t225;
                                        				signed short _t235;
                                        				signed int _t237;
                                        				intOrPtr* _t238;
                                        				signed int _t242;
                                        				unsigned int _t245;
                                        				signed int _t251;
                                        				intOrPtr* _t252;
                                        				signed int _t253;
                                        				intOrPtr* _t255;
                                        				signed int _t256;
                                        				void* _t257;
                                        				void* _t260;
                                        
                                        				_t256 = __edx;
                                        				_t206 = __ecx;
                                        				_t235 = _a4;
                                        				_v44 = __ecx;
                                        				_v24 = _t235;
                                        				if(_t235 == 0) {
                                        					L41:
                                        					return _t131;
                                        				}
                                        				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
                                        				if(_t251 == 0) {
                                        					__eflags =  *0x1718748 - 1;
                                        					if( *0x1718748 >= 1) {
                                        						__eflags =  *(__edx + 2) & 0x00000008;
                                        						if(( *(__edx + 2) & 0x00000008) == 0) {
                                        							_t110 = _t256 + 0xfff; // 0xfe7
                                        							__eflags = (_t110 & 0xfffff000) - __edx;
                                        							if((_t110 & 0xfffff000) != __edx) {
                                        								_t197 =  *[fs:0x30];
                                        								__eflags =  *(_t197 + 0xc);
                                        								if( *(_t197 + 0xc) == 0) {
                                        									_push("HEAP: ");
                                        									E0162B150();
                                        									_t260 = _t257 + 4;
                                        								} else {
                                        									E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        									_t260 = _t257 + 8;
                                        								}
                                        								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
                                        								E0162B150();
                                        								_t257 = _t260 + 4;
                                        								__eflags =  *0x1717bc8;
                                        								if(__eflags == 0) {
                                        									E016E2073(_t206, 1, _t251, __eflags);
                                        								}
                                        								_t235 = _v24;
                                        							}
                                        						}
                                        					}
                                        				}
                                        				_t134 =  *((intOrPtr*)(_t256 + 6));
                                        				if(_t134 == 0) {
                                        					_t210 = _t206;
                                        					_v48 = _t206;
                                        				} else {
                                        					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
                                        					_v48 = _t210;
                                        				}
                                        				_v5 =  *(_t256 + 2);
                                        				do {
                                        					if(_t235 > 0xfe00) {
                                        						_v12 = 0xfe00;
                                        						__eflags = _t235 - 0xfe01;
                                        						if(_t235 == 0xfe01) {
                                        							_v12 = 0xfdf0;
                                        						}
                                        						_t138 = 0;
                                        					} else {
                                        						_v12 = _t235 & 0x0000ffff;
                                        						_t138 = _v5;
                                        					}
                                        					 *(_t256 + 2) = _t138;
                                        					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
                                        					_t236 =  *((intOrPtr*)(_t210 + 0x18));
                                        					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
                                        						_t141 = 0;
                                        					} else {
                                        						_t141 = (_t256 - _t210 >> 0x10) + 1;
                                        						_v40 = _t141;
                                        						if(_t141 >= 0xfe) {
                                        							_push(_t210);
                                        							E016EA80D(_t236, _t256, _t210, 0);
                                        							_t141 = _v40;
                                        						}
                                        					}
                                        					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
                                        					 *((char*)(_t256 + 6)) = _t141;
                                        					_t142 = _v12;
                                        					 *_t256 = _t142;
                                        					 *(_t256 + 3) = 0;
                                        					_t211 = _t142 & 0x0000ffff;
                                        					 *((char*)(_t256 + 7)) = 0;
                                        					_v20 = _t211;
                                        					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
                                        						_t119 = _t256 + 0x10; // -8
                                        						E0167D5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
                                        						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
                                        						_t211 = _v20;
                                        					}
                                        					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
                                        					if(_t252 == 0) {
                                        						L56:
                                        						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
                                        						_t146 = _t206 + 0xc0;
                                        						goto L19;
                                        					} else {
                                        						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
                                        							L15:
                                        							_t185 = _t211;
                                        							goto L17;
                                        						} else {
                                        							while(1) {
                                        								_t187 =  *_t252;
                                        								if(_t187 == 0) {
                                        									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
                                        									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
                                        									goto L17;
                                        								}
                                        								_t252 = _t187;
                                        								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
                                        									continue;
                                        								}
                                        								goto L15;
                                        							}
                                        							while(1) {
                                        								L17:
                                        								_t212 = E0164AB40(_t206, _t252, 1, _t185, _t211);
                                        								if(_t212 != 0) {
                                        									_t146 = _t206 + 0xc0;
                                        									break;
                                        								}
                                        								_t252 =  *_t252;
                                        								_t211 = _v20;
                                        								_t185 =  *(_t252 + 0x14);
                                        							}
                                        							L19:
                                        							if(_t146 != _t212) {
                                        								_t237 =  *(_t206 + 0x4c);
                                        								_t253 = _v20;
                                        								while(1) {
                                        									__eflags = _t237;
                                        									if(_t237 == 0) {
                                        										_t147 =  *(_t212 - 8) & 0x0000ffff;
                                        									} else {
                                        										_t184 =  *(_t212 - 8);
                                        										_t237 =  *(_t206 + 0x4c);
                                        										__eflags = _t184 & _t237;
                                        										if((_t184 & _t237) != 0) {
                                        											_t184 = _t184 ^  *(_t206 + 0x50);
                                        											__eflags = _t184;
                                        										}
                                        										_t147 = _t184 & 0x0000ffff;
                                        									}
                                        									__eflags = _t253 - (_t147 & 0x0000ffff);
                                        									if(_t253 <= (_t147 & 0x0000ffff)) {
                                        										goto L20;
                                        									}
                                        									_t212 =  *_t212;
                                        									__eflags = _t206 + 0xc0 - _t212;
                                        									if(_t206 + 0xc0 != _t212) {
                                        										continue;
                                        									} else {
                                        										goto L20;
                                        									}
                                        									goto L56;
                                        								}
                                        							}
                                        							L20:
                                        							_t149 =  *((intOrPtr*)(_t212 + 4));
                                        							_t33 = _t256 + 8; // -16
                                        							_t238 = _t33;
                                        							_t254 =  *_t149;
                                        							if( *_t149 != _t212) {
                                        								_push(_t212);
                                        								E016EA80D(0, _t212, 0, _t254);
                                        							} else {
                                        								 *_t238 = _t212;
                                        								 *((intOrPtr*)(_t238 + 4)) = _t149;
                                        								 *_t149 = _t238;
                                        								 *((intOrPtr*)(_t212 + 4)) = _t238;
                                        							}
                                        							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
                                        							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
                                        							if(_t255 == 0) {
                                        								L36:
                                        								if( *(_t206 + 0x4c) != 0) {
                                        									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
                                        									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
                                        								}
                                        								_t210 = _v48;
                                        								_t251 = _v12 & 0x0000ffff;
                                        								_t131 = _v20;
                                        								_t235 = _v24 - _t131;
                                        								_v24 = _t235;
                                        								_t256 = _t256 + _t131 * 8;
                                        								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
                                        									goto L41;
                                        								} else {
                                        									goto L39;
                                        								}
                                        							} else {
                                        								_t216 =  *_t256 & 0x0000ffff;
                                        								_v28 = _t216;
                                        								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
                                        									L28:
                                        									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
                                        									_v32 = _t242;
                                        									if( *((intOrPtr*)(_t255 + 8)) != 0) {
                                        										_t167 = _t242 + _t242;
                                        									} else {
                                        										_t167 = _t242;
                                        									}
                                        									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
                                        									_t168 = _t167 << 2;
                                        									_v40 = _t168;
                                        									_t206 = _v44;
                                        									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
                                        									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
                                        										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
                                        									}
                                        									_t217 = _v16;
                                        									if(_t217 != 0) {
                                        										_t173 = _t217 - 8;
                                        										_v52 = _t173;
                                        										_t174 =  *_t173;
                                        										__eflags =  *(_t206 + 0x4c);
                                        										if( *(_t206 + 0x4c) != 0) {
                                        											_t245 =  *(_t206 + 0x50) ^ _t174;
                                        											_v36 = _t245;
                                        											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
                                        											__eflags = _t245 >> 0x18 - _t225;
                                        											if(_t245 >> 0x18 != _t225) {
                                        												_push(_t225);
                                        												E016EA80D(_t206, _v52, 0, 0);
                                        											}
                                        											_t174 = _v36;
                                        											_t217 = _v16;
                                        											_t242 = _v32;
                                        										}
                                        										_v28 = _v28 - (_t174 & 0x0000ffff);
                                        										__eflags = _v28;
                                        										if(_v28 > 0) {
                                        											goto L34;
                                        										} else {
                                        											goto L33;
                                        										}
                                        									} else {
                                        										L33:
                                        										_t58 = _t256 + 8; // -16
                                        										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
                                        										_t206 = _v44;
                                        										_t217 = _v16;
                                        										L34:
                                        										if(_t217 == 0) {
                                        											asm("bts eax, edx");
                                        										}
                                        										goto L36;
                                        									}
                                        								} else {
                                        									goto L24;
                                        								}
                                        								while(1) {
                                        									L24:
                                        									_t182 =  *_t255;
                                        									if(_t182 == 0) {
                                        										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
                                        										__eflags = _t216;
                                        										goto L28;
                                        									}
                                        									_t255 = _t182;
                                        									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
                                        										continue;
                                        									} else {
                                        										goto L28;
                                        									}
                                        								}
                                        								goto L28;
                                        							}
                                        						}
                                        					}
                                        					L39:
                                        				} while (_t235 != 0);
                                        				_t214 = _v12;
                                        				_t131 =  *(_t206 + 0x54) ^ _t214;
                                        				 *(_t256 + 4) = _t131;
                                        				if(_t214 == 0) {
                                        					__eflags =  *0x1718748 - 1;
                                        					if( *0x1718748 >= 1) {
                                        						_t127 = _t256 + 0xfff; // 0xfff
                                        						_t131 = _t127 & 0xfffff000;
                                        						__eflags = _t131 - _t256;
                                        						if(_t131 != _t256) {
                                        							_t156 =  *[fs:0x30];
                                        							__eflags =  *(_t156 + 0xc);
                                        							if( *(_t156 + 0xc) == 0) {
                                        								_push("HEAP: ");
                                        								E0162B150();
                                        							} else {
                                        								E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        							}
                                        							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
                                        							_t131 = E0162B150();
                                        							__eflags =  *0x1717bc8;
                                        							if(__eflags == 0) {
                                        								_t131 = E016E2073(_t206, 1, _t251, __eflags);
                                        							}
                                        						}
                                        					}
                                        				}
                                        				goto L41;
                                        			}

                                        Strings
                                        • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 016922F3
                                        • HEAP: , xrefs: 016922E6, 016923F6
                                        • HEAP[%wZ]: , xrefs: 016922D7, 016923E7
                                        • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 01692403
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                        • API String ID: 0-1657114761
                                        • Opcode ID: 797aeedcdbbd17f30b254386bf4459370ec0da079ccdcceaba0ea770fbd39c76
                                        • Instruction ID: 6cbbb5fd96b32e3e380146cec5e72e02796218d1aeac8ab3811fe86483317cba
                                        • Opcode Fuzzy Hash: 797aeedcdbbd17f30b254386bf4459370ec0da079ccdcceaba0ea770fbd39c76
                                        • Instruction Fuzzy Hash: 03D1C274640645AFEB19CFA8C990BBABBF6FF48300F15856DD9579B342E330A981CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 69%
                                        			E0164A229(void* __ecx, void* __edx) {
                                        				signed int _v20;
                                        				char _v24;
                                        				char _v28;
                                        				void* _v44;
                                        				void* _v48;
                                        				void* _v56;
                                        				void* _v60;
                                        				void* __ebx;
                                        				signed int _t55;
                                        				signed int _t57;
                                        				void* _t61;
                                        				intOrPtr _t62;
                                        				void* _t65;
                                        				void* _t71;
                                        				signed char* _t74;
                                        				intOrPtr _t75;
                                        				signed char* _t80;
                                        				intOrPtr _t81;
                                        				void* _t82;
                                        				signed char* _t85;
                                        				signed char _t91;
                                        				void* _t103;
                                        				void* _t105;
                                        				void* _t121;
                                        				void* _t129;
                                        				signed int _t131;
                                        				void* _t133;
                                        
                                        				_t105 = __ecx;
                                        				_t133 = (_t131 & 0xfffffff8) - 0x1c;
                                        				_t103 = __edx;
                                        				_t129 = __ecx;
                                        				E0164DF24(__edx,  &_v28, _t133);
                                        				_t55 =  *(_t129 + 0x40) & 0x00040000;
                                        				asm("sbb edi, edi");
                                        				_t121 = ( ~_t55 & 0x0000003c) + 4;
                                        				if(_t55 != 0) {
                                        					_push(0);
                                        					_push(0x14);
                                        					_push( &_v24);
                                        					_push(3);
                                        					_push(_t129);
                                        					_push(0xffffffff);
                                        					_t57 = E01669730();
                                        					__eflags = _t57;
                                        					if(_t57 < 0) {
                                        						L17:
                                        						_push(_t105);
                                        						E016EA80D(_t129, 1, _v20, 0);
                                        						_t121 = 4;
                                        						goto L1;
                                        					}
                                        					__eflags = _v20 & 0x00000060;
                                        					if((_v20 & 0x00000060) == 0) {
                                        						goto L17;
                                        					}
                                        					__eflags = _v24 - _t129;
                                        					if(_v24 == _t129) {
                                        						goto L1;
                                        					}
                                        					goto L17;
                                        				}
                                        				L1:
                                        				_push(_t121);
                                        				_push(0x1000);
                                        				_push(_t133 + 0x14);
                                        				_push(0);
                                        				_push(_t133 + 0x20);
                                        				_push(0xffffffff);
                                        				_t61 = E01669660();
                                        				_t122 = _t61;
                                        				if(_t61 < 0) {
                                        					_t62 =  *[fs:0x30];
                                        					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
                                        					__eflags =  *(_t62 + 0xc);
                                        					if( *(_t62 + 0xc) == 0) {
                                        						_push("HEAP: ");
                                        						E0162B150();
                                        					} else {
                                        						E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        					}
                                        					_push( *((intOrPtr*)(_t133 + 0xc)));
                                        					_push( *((intOrPtr*)(_t133 + 0x14)));
                                        					_push(_t129);
                                        					E0162B150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
                                        					_t65 = 0;
                                        					L13:
                                        					return _t65;
                                        				}
                                        				_t71 = E01647D50();
                                        				_t124 = 0x7ffe0380;
                                        				if(_t71 != 0) {
                                        					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                        				} else {
                                        					_t74 = 0x7ffe0380;
                                        				}
                                        				if( *_t74 != 0) {
                                        					_t75 =  *[fs:0x30];
                                        					__eflags =  *(_t75 + 0x240) & 0x00000001;
                                        					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
                                        						E016E138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
                                        					}
                                        				}
                                        				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
                                        				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
                                        				if(E01647D50() != 0) {
                                        					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                        				} else {
                                        					_t80 = _t124;
                                        				}
                                        				if( *_t80 != 0) {
                                        					_t81 =  *[fs:0x30];
                                        					__eflags =  *(_t81 + 0x240) & 0x00000001;
                                        					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
                                        						__eflags = E01647D50();
                                        						if(__eflags != 0) {
                                        							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                        							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                        						}
                                        						E016E1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
                                        					}
                                        				}
                                        				_t82 = E01647D50();
                                        				_t125 = 0x7ffe038a;
                                        				if(_t82 != 0) {
                                        					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                        				} else {
                                        					_t85 = 0x7ffe038a;
                                        				}
                                        				if( *_t85 != 0) {
                                        					__eflags = E01647D50();
                                        					if(__eflags != 0) {
                                        						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                        						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                        					}
                                        					E016E1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
                                        				}
                                        				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
                                        				_t91 =  *(_t103 + 2);
                                        				if((_t91 & 0x00000004) != 0) {
                                        					E0167D5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
                                        					_t91 =  *(_t103 + 2);
                                        				}
                                        				 *(_t103 + 2) = _t91 & 0x00000017;
                                        				_t65 = 1;
                                        				goto L13;
                                        			}

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                        • API String ID: 2994545307-2586055223
                                        • Opcode ID: e1b45d452ac4524cc7bdeba4f56cc2f7012735850a25deed1f38ea4fa1280f60
                                        • Instruction ID: d1e5a9e87a6a3a289513d56bc0cdc551f2bb00536d3e1391c7e4b603667a2cf7
                                        • Opcode Fuzzy Hash: e1b45d452ac4524cc7bdeba4f56cc2f7012735850a25deed1f38ea4fa1280f60
                                        • Instruction Fuzzy Hash: EB510532245682AFE712DBA8CC48F677BE9EF85760F180868F952CB391D734D805CB65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 44%
                                        			E01658E00(void* __ecx) {
                                        				signed int _v8;
                                        				char _v12;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				intOrPtr* _t32;
                                        				intOrPtr _t35;
                                        				intOrPtr _t43;
                                        				void* _t46;
                                        				intOrPtr _t47;
                                        				void* _t48;
                                        				signed int _t49;
                                        				void* _t50;
                                        				intOrPtr* _t51;
                                        				signed int _t52;
                                        				void* _t53;
                                        				intOrPtr _t55;
                                        
                                        				_v8 =  *0x171d360 ^ _t52;
                                        				_t49 = 0;
                                        				_t48 = __ecx;
                                        				_t55 =  *0x1718464; // 0x74e10110
                                        				if(_t55 == 0) {
                                        					L9:
                                        					if( !_t49 >= 0) {
                                        						if(( *0x1715780 & 0x00000003) != 0) {
                                        							E016A5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                        						}
                                        						if(( *0x1715780 & 0x00000010) != 0) {
                                        							asm("int3");
                                        						}
                                        					}
                                        					return E0166B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                        				}
                                        				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                        				_t43 =  *0x1717984; // 0x11c2ac0
                                        				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                        					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                        					if(_t48 == _t43) {
                                        						_t50 = 0x5c;
                                        						if( *_t32 == _t50) {
                                        							_t46 = 0x3f;
                                        							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                        								_t32 = _t32 + 8;
                                        							}
                                        						}
                                        					}
                                        					_t51 =  *0x1718464; // 0x74e10110
                                        					 *0x171b1e0(_t47, _t32,  &_v12);
                                        					_t49 =  *_t51();
                                        					if(_t49 >= 0) {
                                        						L8:
                                        						_t35 = _v12;
                                        						if(_t35 != 0) {
                                        							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                        								E01659B10( *((intOrPtr*)(_t48 + 0x48)));
                                        								_t35 = _v12;
                                        							}
                                        							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                        						}
                                        						goto L9;
                                        					}
                                        					if(_t49 != 0xc000008a) {
                                        						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                        							if(_t49 != 0xc00000bb) {
                                        								goto L8;
                                        							}
                                        						}
                                        					}
                                        					if(( *0x1715780 & 0x00000005) != 0) {
                                        						_push(_t49);
                                        						E016A5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                        						_t53 = _t53 + 0x1c;
                                        					}
                                        					_t49 = 0;
                                        					goto L8;
                                        				} else {
                                        					goto L9;
                                        				}
                                        			}

                                        Strings
                                        • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0169932A
                                        • LdrpFindDllActivationContext, xrefs: 01699331, 0169935D
                                        • minkernel\ntdll\ldrsnap.c, xrefs: 0169933B, 01699367
                                        • Querying the active activation context failed with status 0x%08lx, xrefs: 01699357
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                        • API String ID: 0-3779518884
                                        • Opcode ID: def2b98634658c98af58b39d9f5d21dbe265d9de407243c21a7bab3c2e3caa35
                                        • Instruction ID: 9e6c8140a968b58666795a693f75d30df32a553a6cbb64c0b3c5846437c2d1b4
                                        • Opcode Fuzzy Hash: def2b98634658c98af58b39d9f5d21dbe265d9de407243c21a7bab3c2e3caa35
                                        • Instruction Fuzzy Hash: C0417D31A003119FEFB6AB0FCC49A3677BDBB40318F06856DDD4497A92E7B05C819781
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                        • API String ID: 2994545307-336120773
                                        • Opcode ID: c8baa1472cba264fee9725e2df9140826eb689fc66ddc401cde81c47dc783aff
                                        • Instruction ID: 18e30b1244c23a92d2623dd536444d3fa822626a83eadb139402a13f8910175b
                                        • Opcode Fuzzy Hash: c8baa1472cba264fee9725e2df9140826eb689fc66ddc401cde81c47dc783aff
                                        • Instruction Fuzzy Hash: 4B31E031202514AFD322DBADCC8DF6777E9EB04631F254259F906DB285DA70E884CB69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 78%
                                        			E016499BF(signed int __ecx, signed short* __edx, signed int* _a4, signed int _a8) {
                                        				char _v5;
                                        				signed int _v12;
                                        				signed int _v16;
                                        				signed short _v20;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				signed short _t186;
                                        				intOrPtr _t187;
                                        				signed short _t190;
                                        				signed int _t196;
                                        				signed short _t197;
                                        				intOrPtr _t203;
                                        				signed int _t207;
                                        				signed int _t210;
                                        				signed short _t215;
                                        				intOrPtr _t216;
                                        				signed short _t219;
                                        				signed int _t221;
                                        				signed short _t222;
                                        				intOrPtr _t228;
                                        				signed int _t232;
                                        				signed int _t235;
                                        				signed int _t250;
                                        				signed short _t251;
                                        				intOrPtr _t252;
                                        				signed short _t254;
                                        				intOrPtr _t255;
                                        				signed int _t258;
                                        				signed int _t259;
                                        				signed short _t262;
                                        				intOrPtr _t271;
                                        				signed int _t279;
                                        				signed int _t282;
                                        				signed int _t284;
                                        				signed int _t286;
                                        				intOrPtr _t292;
                                        				signed int _t296;
                                        				signed int _t299;
                                        				signed int _t307;
                                        				signed int* _t309;
                                        				signed short* _t311;
                                        				signed short* _t313;
                                        				signed char _t314;
                                        				intOrPtr _t316;
                                        				signed int _t323;
                                        				signed char _t328;
                                        				signed short* _t330;
                                        				signed char _t331;
                                        				intOrPtr _t335;
                                        				signed int _t342;
                                        				signed char _t347;
                                        				signed short* _t348;
                                        				signed short* _t350;
                                        				signed short _t352;
                                        				signed char _t354;
                                        				intOrPtr _t357;
                                        				intOrPtr* _t364;
                                        				signed char _t365;
                                        				intOrPtr _t366;
                                        				signed int _t373;
                                        				signed char _t378;
                                        				signed int* _t381;
                                        				signed int _t382;
                                        				signed short _t384;
                                        				signed int _t386;
                                        				unsigned int _t390;
                                        				signed int _t393;
                                        				signed int* _t394;
                                        				unsigned int _t398;
                                        				signed short _t400;
                                        				signed short _t402;
                                        				signed int _t404;
                                        				signed int _t407;
                                        				unsigned int _t411;
                                        				signed short* _t414;
                                        				signed int _t415;
                                        				signed short* _t419;
                                        				signed int* _t420;
                                        				void* _t421;
                                        
                                        				_t414 = __edx;
                                        				_t307 = __ecx;
                                        				_t419 = __edx - (( *(__edx + 4) & 0x0000ffff ^  *(__ecx + 0x54) & 0x0000ffff) << 3);
                                        				if(_t419 == __edx || (( *(__ecx + 0x4c) >> 0x00000014 &  *(__ecx + 0x52) ^ _t419[1]) & 0x00000001) != 0) {
                                        					_v5 = _a8;
                                        					L3:
                                        					_t381 = _a4;
                                        					goto L4;
                                        				} else {
                                        					__eflags =  *(__ecx + 0x4c);
                                        					if( *(__ecx + 0x4c) != 0) {
                                        						_t411 =  *(__ecx + 0x50) ^  *_t419;
                                        						 *_t419 = _t411;
                                        						_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
                                        						__eflags = _t411 >> 0x18 - _t378;
                                        						if(__eflags != 0) {
                                        							_push(_t378);
                                        							E016DFA2B(__ecx, __ecx, _t419, __edx, _t419, __eflags);
                                        						}
                                        					}
                                        					_t250 = _a8;
                                        					_v5 = _t250;
                                        					__eflags = _t250;
                                        					if(_t250 != 0) {
                                        						_t400 = _t414[6];
                                        						_t53 =  &(_t414[4]); // -16
                                        						_t348 = _t53;
                                        						_t251 =  *_t348;
                                        						_v12 = _t251;
                                        						_v16 = _t400;
                                        						_t252 =  *((intOrPtr*)(_t251 + 4));
                                        						__eflags =  *_t400 - _t252;
                                        						if( *_t400 != _t252) {
                                        							L49:
                                        							_push(_t348);
                                        							_push( *_t400);
                                        							E016EA80D(_t307, 0xd, _t348, _t252);
                                        							L50:
                                        							_v5 = 0;
                                        							goto L11;
                                        						}
                                        						__eflags =  *_t400 - _t348;
                                        						if( *_t400 != _t348) {
                                        							goto L49;
                                        						}
                                        						 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
                                        						_t407 =  *(_t307 + 0xb4);
                                        						__eflags = _t407;
                                        						if(_t407 == 0) {
                                        							L36:
                                        							_t364 = _v16;
                                        							_t282 = _v12;
                                        							 *_t364 = _t282;
                                        							 *((intOrPtr*)(_t282 + 4)) = _t364;
                                        							__eflags = _t414[1] & 0x00000008;
                                        							if((_t414[1] & 0x00000008) == 0) {
                                        								L39:
                                        								_t365 = _t414[1];
                                        								__eflags = _t365 & 0x00000004;
                                        								if((_t365 & 0x00000004) != 0) {
                                        									_t284 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
                                        									_v12 = _t284;
                                        									__eflags = _t365 & 0x00000002;
                                        									if((_t365 & 0x00000002) != 0) {
                                        										__eflags = _t284 - 4;
                                        										if(_t284 > 4) {
                                        											_t284 = _t284 - 4;
                                        											__eflags = _t284;
                                        											_v12 = _t284;
                                        										}
                                        									}
                                        									_t78 =  &(_t414[8]); // -8
                                        									_t286 = E0167D540(_t78, _t284, 0xfeeefeee);
                                        									_v16 = _t286;
                                        									__eflags = _t286 - _v12;
                                        									if(_t286 != _v12) {
                                        										_t366 =  *[fs:0x30];
                                        										__eflags =  *(_t366 + 0xc);
                                        										if( *(_t366 + 0xc) == 0) {
                                        											_push("HEAP: ");
                                        											E0162B150();
                                        										} else {
                                        											E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        										}
                                        										_push(_v16 + 0x10 + _t414);
                                        										E0162B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
                                        										_t292 =  *[fs:0x30];
                                        										_t421 = _t421 + 0xc;
                                        										__eflags =  *((char*)(_t292 + 2));
                                        										if( *((char*)(_t292 + 2)) != 0) {
                                        											 *0x1716378 = 1;
                                        											asm("int3");
                                        											 *0x1716378 = 0;
                                        										}
                                        									}
                                        								}
                                        								goto L50;
                                        							}
                                        							_t296 = E0164A229(_t307, _t414);
                                        							__eflags = _t296;
                                        							if(_t296 != 0) {
                                        								goto L39;
                                        							} else {
                                        								E0164A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
                                        								goto L50;
                                        							}
                                        						} else {
                                        							_t373 =  *_t414 & 0x0000ffff;
                                        							while(1) {
                                        								__eflags = _t373 -  *((intOrPtr*)(_t407 + 4));
                                        								if(_t373 <  *((intOrPtr*)(_t407 + 4))) {
                                        									_t301 = _t373;
                                        									break;
                                        								}
                                        								_t299 =  *_t407;
                                        								__eflags = _t299;
                                        								if(_t299 == 0) {
                                        									_t301 =  *((intOrPtr*)(_t407 + 4)) - 1;
                                        									__eflags =  *((intOrPtr*)(_t407 + 4)) - 1;
                                        									break;
                                        								} else {
                                        									_t407 = _t299;
                                        									continue;
                                        								}
                                        							}
                                        							_t62 =  &(_t414[4]); // -16
                                        							E0164BC04(_t307, _t407, 1, _t62, _t301, _t373);
                                        							goto L36;
                                        						}
                                        					}
                                        					L11:
                                        					_t402 = _t419[6];
                                        					_t25 =  &(_t419[4]); // -16
                                        					_t350 = _t25;
                                        					_t254 =  *_t350;
                                        					_v12 = _t254;
                                        					_v20 = _t402;
                                        					_t255 =  *((intOrPtr*)(_t254 + 4));
                                        					__eflags =  *_t402 - _t255;
                                        					if( *_t402 != _t255) {
                                        						L61:
                                        						_push(_t350);
                                        						_push( *_t402);
                                        						E016EA80D(_t307, 0xd, _t350, _t255);
                                        						goto L3;
                                        					}
                                        					__eflags =  *_t402 - _t350;
                                        					if( *_t402 != _t350) {
                                        						goto L61;
                                        					}
                                        					 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t419 & 0x0000ffff);
                                        					_t404 =  *(_t307 + 0xb4);
                                        					__eflags = _t404;
                                        					if(_t404 == 0) {
                                        						L20:
                                        						_t352 = _v20;
                                        						_t258 = _v12;
                                        						 *_t352 = _t258;
                                        						 *(_t258 + 4) = _t352;
                                        						__eflags = _t419[1] & 0x00000008;
                                        						if((_t419[1] & 0x00000008) != 0) {
                                        							_t259 = E0164A229(_t307, _t419);
                                        							__eflags = _t259;
                                        							if(_t259 != 0) {
                                        								goto L21;
                                        							} else {
                                        								E0164A309(_t307, _t419,  *_t419 & 0x0000ffff, 1);
                                        								goto L3;
                                        							}
                                        						}
                                        						L21:
                                        						_t354 = _t419[1];
                                        						__eflags = _t354 & 0x00000004;
                                        						if((_t354 & 0x00000004) != 0) {
                                        							_t415 = ( *_t419 & 0x0000ffff) * 8 - 0x10;
                                        							__eflags = _t354 & 0x00000002;
                                        							if((_t354 & 0x00000002) != 0) {
                                        								__eflags = _t415 - 4;
                                        								if(_t415 > 4) {
                                        									_t415 = _t415 - 4;
                                        									__eflags = _t415;
                                        								}
                                        							}
                                        							_t91 =  &(_t419[8]); // -8
                                        							_t262 = E0167D540(_t91, _t415, 0xfeeefeee);
                                        							_v20 = _t262;
                                        							__eflags = _t262 - _t415;
                                        							if(_t262 != _t415) {
                                        								_t357 =  *[fs:0x30];
                                        								__eflags =  *(_t357 + 0xc);
                                        								if( *(_t357 + 0xc) == 0) {
                                        									_push("HEAP: ");
                                        									E0162B150();
                                        								} else {
                                        									E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        								}
                                        								_push(_v20 + 0x10 + _t419);
                                        								E0162B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t419);
                                        								_t271 =  *[fs:0x30];
                                        								_t421 = _t421 + 0xc;
                                        								__eflags =  *((char*)(_t271 + 2));
                                        								if( *((char*)(_t271 + 2)) != 0) {
                                        									 *0x1716378 = 1;
                                        									asm("int3");
                                        									 *0x1716378 = 0;
                                        								}
                                        							}
                                        						}
                                        						_t381 = _a4;
                                        						_t414 = _t419;
                                        						_t419[1] = 0;
                                        						_t419[3] = 0;
                                        						 *_t381 =  *_t381 + ( *_t419 & 0x0000ffff);
                                        						 *_t419 =  *_t381;
                                        						 *(_t419 + 4 +  *_t381 * 8) =  *_t381 ^  *(_t307 + 0x54);
                                        						L4:
                                        						_t420 = _t414 +  *_t381 * 8;
                                        						if( *(_t307 + 0x4c) == 0) {
                                        							L6:
                                        							while((( *(_t307 + 0x4c) >> 0x00000014 &  *(_t307 + 0x52) ^ _t420[0]) & 0x00000001) == 0) {
                                        								__eflags =  *(_t307 + 0x4c);
                                        								if( *(_t307 + 0x4c) != 0) {
                                        									_t390 =  *(_t307 + 0x50) ^  *_t420;
                                        									 *_t420 = _t390;
                                        									_t328 = _t390 >> 0x00000010 ^ _t390 >> 0x00000008 ^ _t390;
                                        									__eflags = _t390 >> 0x18 - _t328;
                                        									if(__eflags != 0) {
                                        										_push(_t328);
                                        										E016DFA2B(_t307, _t307, _t420, _t414, _t420, __eflags);
                                        									}
                                        								}
                                        								__eflags = _v5;
                                        								if(_v5 == 0) {
                                        									L94:
                                        									_t382 = _t420[3];
                                        									_t137 =  &(_t420[2]); // -16
                                        									_t309 = _t137;
                                        									_t186 =  *_t309;
                                        									_v20 = _t186;
                                        									_v16 = _t382;
                                        									_t187 =  *((intOrPtr*)(_t186 + 4));
                                        									__eflags =  *_t382 - _t187;
                                        									if( *_t382 != _t187) {
                                        										L63:
                                        										_push(_t309);
                                        										_push( *_t382);
                                        										_push(_t187);
                                        										_push(_t309);
                                        										_push(0xd);
                                        										L64:
                                        										E016EA80D(_t307);
                                        										continue;
                                        									}
                                        									__eflags =  *_t382 - _t309;
                                        									if( *_t382 != _t309) {
                                        										goto L63;
                                        									}
                                        									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t420 & 0x0000ffff);
                                        									_t393 =  *(_t307 + 0xb4);
                                        									__eflags = _t393;
                                        									if(_t393 == 0) {
                                        										L104:
                                        										_t330 = _v16;
                                        										_t190 = _v20;
                                        										 *_t330 = _t190;
                                        										 *(_t190 + 4) = _t330;
                                        										__eflags = _t420[0] & 0x00000008;
                                        										if((_t420[0] & 0x00000008) == 0) {
                                        											L107:
                                        											_t331 = _t420[0];
                                        											__eflags = _t331 & 0x00000004;
                                        											if((_t331 & 0x00000004) != 0) {
                                        												_t196 = ( *_t420 & 0x0000ffff) * 8 - 0x10;
                                        												_v12 = _t196;
                                        												__eflags = _t331 & 0x00000002;
                                        												if((_t331 & 0x00000002) != 0) {
                                        													__eflags = _t196 - 4;
                                        													if(_t196 > 4) {
                                        														_t196 = _t196 - 4;
                                        														__eflags = _t196;
                                        														_v12 = _t196;
                                        													}
                                        												}
                                        												_t162 =  &(_t420[4]); // -8
                                        												_t197 = E0167D540(_t162, _t196, 0xfeeefeee);
                                        												_v20 = _t197;
                                        												__eflags = _t197 - _v12;
                                        												if(_t197 != _v12) {
                                        													_t335 =  *[fs:0x30];
                                        													__eflags =  *(_t335 + 0xc);
                                        													if( *(_t335 + 0xc) == 0) {
                                        														_push("HEAP: ");
                                        														E0162B150();
                                        													} else {
                                        														E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        													}
                                        													_push(_v20 + 0x10 + _t420);
                                        													E0162B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t420);
                                        													_t203 =  *[fs:0x30];
                                        													__eflags =  *((char*)(_t203 + 2));
                                        													if( *((char*)(_t203 + 2)) != 0) {
                                        														 *0x1716378 = 1;
                                        														asm("int3");
                                        														 *0x1716378 = 0;
                                        													}
                                        												}
                                        											}
                                        											_t394 = _a4;
                                        											_t414[1] = 0;
                                        											_t414[3] = 0;
                                        											 *_t394 =  *_t394 + ( *_t420 & 0x0000ffff);
                                        											 *_t414 =  *_t394;
                                        											 *(_t414 + 4 +  *_t394 * 8) =  *_t394 ^  *(_t307 + 0x54);
                                        											break;
                                        										}
                                        										_t207 = E0164A229(_t307, _t420);
                                        										__eflags = _t207;
                                        										if(_t207 != 0) {
                                        											goto L107;
                                        										}
                                        										E0164A309(_t307, _t420,  *_t420 & 0x0000ffff, 1);
                                        										continue;
                                        									}
                                        									_t342 =  *_t420 & 0x0000ffff;
                                        									while(1) {
                                        										__eflags = _t342 -  *((intOrPtr*)(_t393 + 4));
                                        										if(_t342 <  *((intOrPtr*)(_t393 + 4))) {
                                        											break;
                                        										}
                                        										_t210 =  *_t393;
                                        										__eflags = _t210;
                                        										if(_t210 == 0) {
                                        											_t212 =  *((intOrPtr*)(_t393 + 4)) - 1;
                                        											__eflags =  *((intOrPtr*)(_t393 + 4)) - 1;
                                        											L103:
                                        											_t146 =  &(_t420[2]); // -16
                                        											E0164BC04(_t307, _t393, 1, _t146, _t212, _t342);
                                        											goto L104;
                                        										}
                                        										_t393 = _t210;
                                        									}
                                        									_t212 = _t342;
                                        									goto L103;
                                        								} else {
                                        									_t384 = _t414[6];
                                        									_t102 =  &(_t414[4]); // -16
                                        									_t311 = _t102;
                                        									_t215 =  *_t311;
                                        									_v20 = _t215;
                                        									_v16 = _t384;
                                        									_t216 =  *((intOrPtr*)(_t215 + 4));
                                        									__eflags =  *_t384 - _t216;
                                        									if( *_t384 != _t216) {
                                        										L92:
                                        										_push(_t311);
                                        										_push( *_t384);
                                        										E016EA80D(_t307, 0xd, _t311, _t216);
                                        										L93:
                                        										_v5 = 0;
                                        										goto L94;
                                        									}
                                        									__eflags =  *_t384 - _t311;
                                        									if( *_t384 != _t311) {
                                        										goto L92;
                                        									}
                                        									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
                                        									_t386 =  *(_t307 + 0xb4);
                                        									__eflags = _t386;
                                        									if(_t386 == 0) {
                                        										L79:
                                        										_t313 = _v16;
                                        										_t219 = _v20;
                                        										 *_t313 = _t219;
                                        										 *(_t219 + 4) = _t313;
                                        										__eflags = _t414[1] & 0x00000008;
                                        										if((_t414[1] & 0x00000008) == 0) {
                                        											L82:
                                        											_t314 = _t414[1];
                                        											__eflags = _t314 & 0x00000004;
                                        											if((_t314 & 0x00000004) != 0) {
                                        												_t221 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
                                        												_v12 = _t221;
                                        												__eflags = _t314 & 0x00000002;
                                        												if((_t314 & 0x00000002) != 0) {
                                        													__eflags = _t221 - 4;
                                        													if(_t221 > 4) {
                                        														_t221 = _t221 - 4;
                                        														__eflags = _t221;
                                        														_v12 = _t221;
                                        													}
                                        												}
                                        												_t127 =  &(_t414[8]); // -8
                                        												_t222 = E0167D540(_t127, _t221, 0xfeeefeee);
                                        												_v20 = _t222;
                                        												__eflags = _t222 - _v12;
                                        												if(_t222 != _v12) {
                                        													_t316 =  *[fs:0x30];
                                        													__eflags =  *(_t316 + 0xc);
                                        													if( *(_t316 + 0xc) == 0) {
                                        														_push("HEAP: ");
                                        														E0162B150();
                                        													} else {
                                        														E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        													}
                                        													_push(_v20 + 0x10 + _t414);
                                        													E0162B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
                                        													_t228 =  *[fs:0x30];
                                        													_t421 = _t421 + 0xc;
                                        													__eflags =  *((char*)(_t228 + 2));
                                        													if( *((char*)(_t228 + 2)) != 0) {
                                        														 *0x1716378 = 1;
                                        														asm("int3");
                                        														 *0x1716378 = 0;
                                        													}
                                        												}
                                        											}
                                        											goto L93;
                                        										}
                                        										_t232 = E0164A229(_t307, _t414);
                                        										__eflags = _t232;
                                        										if(_t232 != 0) {
                                        											goto L82;
                                        										}
                                        										E0164A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
                                        										goto L93;
                                        									}
                                        									_t323 =  *_t414 & 0x0000ffff;
                                        									while(1) {
                                        										__eflags = _t323 -  *((intOrPtr*)(_t386 + 4));
                                        										if(_t323 <  *((intOrPtr*)(_t386 + 4))) {
                                        											break;
                                        										}
                                        										_t235 =  *_t386;
                                        										__eflags = _t235;
                                        										if(_t235 == 0) {
                                        											_t237 =  *((intOrPtr*)(_t386 + 4)) - 1;
                                        											__eflags =  *((intOrPtr*)(_t386 + 4)) - 1;
                                        											L78:
                                        											_t111 =  &(_t414[4]); // -16
                                        											E0164BC04(_t307, _t386, 1, _t111, _t237, _t323);
                                        											goto L79;
                                        										}
                                        										_t386 = _t235;
                                        									}
                                        									_t237 = _t323;
                                        									goto L78;
                                        								}
                                        							}
                                        							return _t414;
                                        						}
                                        						_t398 =  *(_t307 + 0x50) ^  *_t420;
                                        						_t347 = _t398 >> 0x00000010 ^ _t398 >> 0x00000008 ^ _t398;
                                        						if(_t398 >> 0x18 != _t347) {
                                        							_push(_t347);
                                        							_push(0);
                                        							_push(0);
                                        							_push(_t420);
                                        							_push(3);
                                        							goto L64;
                                        						}
                                        						goto L6;
                                        					} else {
                                        						_t277 =  *_t419 & 0x0000ffff;
                                        						_v16 = _t277;
                                        						while(1) {
                                        							__eflags = _t277 -  *((intOrPtr*)(_t404 + 4));
                                        							if(_t277 <  *((intOrPtr*)(_t404 + 4))) {
                                        								break;
                                        							}
                                        							_t279 =  *_t404;
                                        							__eflags = _t279;
                                        							if(_t279 == 0) {
                                        								_t277 =  *((intOrPtr*)(_t404 + 4)) - 1;
                                        								__eflags =  *((intOrPtr*)(_t404 + 4)) - 1;
                                        								break;
                                        							} else {
                                        								_t404 = _t279;
                                        								_t277 =  *_t419 & 0x0000ffff;
                                        								continue;
                                        							}
                                        						}
                                        						E0164BC04(_t307, _t404, 1, _t350, _t277, _v16);
                                        						goto L20;
                                        					}
                                        				}
                                        			}


                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                        • API String ID: 0-3178619729
                                        • Opcode ID: 1befcb687715da1fee43f63a51106db8a63a7022c7e3cbac19d260acb69e26c6
                                        • Instruction ID: 424ce0efc8fce39af467f509e2dfc6a38ca5b1867c4f6cf4a4ac87e81f2a50c9
                                        • Opcode Fuzzy Hash: 1befcb687715da1fee43f63a51106db8a63a7022c7e3cbac19d260acb69e26c6
                                        • Instruction Fuzzy Hash: 3322F3706002469FEB25CF6DCC94B7ABBB9EF46714F28856DE8468B382D731D881CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 67%
                                        			E0164B477(signed int __ecx, signed int* __edx) {
                                        				signed int _v8;
                                        				signed int _v12;
                                        				intOrPtr* _v16;
                                        				signed int* _v20;
                                        				signed int _v24;
                                        				char _v28;
                                        				signed int _v44;
                                        				char _v48;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				signed int _t131;
                                        				signed char _t134;
                                        				signed int _t139;
                                        				void* _t141;
                                        				signed int* _t143;
                                        				signed int* _t144;
                                        				intOrPtr* _t147;
                                        				char _t160;
                                        				signed int* _t163;
                                        				signed char* _t164;
                                        				intOrPtr _t165;
                                        				signed int* _t167;
                                        				signed char* _t168;
                                        				intOrPtr _t193;
                                        				intOrPtr* _t195;
                                        				signed int _t203;
                                        				signed int _t209;
                                        				signed int _t211;
                                        				intOrPtr _t214;
                                        				intOrPtr* _t231;
                                        				intOrPtr* _t236;
                                        				signed int _t237;
                                        				intOrPtr* _t238;
                                        				signed int _t240;
                                        				intOrPtr _t241;
                                        				char _t243;
                                        				signed int _t252;
                                        				signed int _t254;
                                        				signed char _t259;
                                        				signed int _t264;
                                        				signed int _t268;
                                        				intOrPtr _t277;
                                        				unsigned int _t279;
                                        				signed int* _t283;
                                        				intOrPtr* _t284;
                                        				unsigned int _t287;
                                        				signed int _t291;
                                        				signed int _t293;
                                        
                                        				_v8 =  *0x171d360 ^ _t293;
                                        				_t223 = __edx;
                                        				_v20 = __edx;
                                        				_t291 = __ecx;
                                        				_t276 =  *__edx;
                                        				_t231 = E0164B8E4( *__edx);
                                        				_t292 = __ecx + 0x8c;
                                        				_v16 = _t231;
                                        				if(_t231 == __ecx + 0x8c) {
                                        					L38:
                                        					_t131 = 0;
                                        					L34:
                                        					return E0166B640(_t131, _t223, _v8 ^ _t293, _t276, _t291, _t292);
                                        				}
                                        				if( *0x1718748 >= 1) {
                                        					__eflags =  *((intOrPtr*)(_t231 + 0x14)) -  *__edx;
                                        					if(__eflags < 0) {
                                        						_t214 =  *[fs:0x30];
                                        						__eflags =  *(_t214 + 0xc);
                                        						if( *(_t214 + 0xc) == 0) {
                                        							_push("HEAP: ");
                                        							E0162B150();
                                        						} else {
                                        							E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        						}
                                        						_push("(UCRBlock->Size >= *Size)");
                                        						E0162B150();
                                        						__eflags =  *0x1717bc8;
                                        						if(__eflags == 0) {
                                        							__eflags = 1;
                                        							E016E2073(_t223, 1, _t291, 1);
                                        						}
                                        						_t231 = _v16;
                                        					}
                                        				}
                                        				_t5 = _t231 - 8; // -8
                                        				_t292 = _t5;
                                        				_t134 =  *((intOrPtr*)(_t292 + 6));
                                        				if(_t134 != 0) {
                                        					_t223 = (_t292 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
                                        				} else {
                                        					_t223 = _t291;
                                        				}
                                        				_t276 = _v20;
                                        				_v28 =  *((intOrPtr*)(_t231 + 0x10));
                                        				_t139 =  *(_t291 + 0xcc) ^  *0x1718a68;
                                        				_v12 = _t139;
                                        				if(_t139 != 0) {
                                        					 *0x171b1e0(_t291,  &_v28, _t276);
                                        					_t141 = _v12();
                                        					goto L8;
                                        				} else {
                                        					_t203 =  *((intOrPtr*)(_t231 + 0x14));
                                        					_v12 = _t203;
                                        					if(_t203 -  *_t276 <=  *(_t291 + 0x6c) << 3) {
                                        						_t264 = _v12;
                                        						__eflags = _t264 -  *(_t291 + 0x5c) << 3;
                                        						if(__eflags < 0) {
                                        							 *_t276 = _t264;
                                        						}
                                        					}
                                        					_t209 =  *(_t291 + 0x40) & 0x00040000;
                                        					asm("sbb ecx, ecx");
                                        					_t268 = ( ~_t209 & 0x0000003c) + 4;
                                        					_v12 = _t268;
                                        					if(_t209 != 0) {
                                        						_push(0);
                                        						_push(0x14);
                                        						_push( &_v48);
                                        						_push(3);
                                        						_push(_t291);
                                        						_push(0xffffffff);
                                        						_t211 = E01669730();
                                        						__eflags = _t211;
                                        						if(_t211 < 0) {
                                        							L56:
                                        							_push(_t268);
                                        							_t276 = _t291;
                                        							E016EA80D(_t291, 1, _v44, 0);
                                        							_t268 = 4;
                                        							goto L7;
                                        						}
                                        						__eflags = _v44 & 0x00000060;
                                        						if((_v44 & 0x00000060) == 0) {
                                        							goto L56;
                                        						}
                                        						__eflags = _v48 - _t291;
                                        						if(__eflags != 0) {
                                        							goto L56;
                                        						}
                                        						_t268 = _v12;
                                        					}
                                        					L7:
                                        					_push(_t268);
                                        					_push(0x1000);
                                        					_push(_v20);
                                        					_push(0);
                                        					_push( &_v28);
                                        					_push(0xffffffff);
                                        					_t141 = E01669660();
                                        					 *((intOrPtr*)(_t291 + 0x20c)) =  *((intOrPtr*)(_t291 + 0x20c)) + 1;
                                        					L8:
                                        					if(_t141 < 0) {
                                        						 *((intOrPtr*)(_t291 + 0x214)) =  *((intOrPtr*)(_t291 + 0x214)) + 1;
                                        						goto L38;
                                        					}
                                        					_t143 =  *( *[fs:0x30] + 0x50);
                                        					if(_t143 != 0) {
                                        						__eflags =  *_t143;
                                        						if(__eflags == 0) {
                                        							goto L10;
                                        						}
                                        						_t144 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
                                        						L11:
                                        						if( *_t144 != 0) {
                                        							__eflags =  *( *[fs:0x30] + 0x240) & 0x00000001;
                                        							if(__eflags != 0) {
                                        								E016E138A(_t223, _t291, _v28,  *_v20, 2);
                                        							}
                                        						}
                                        						if( *((intOrPtr*)(_t291 + 0x4c)) != 0) {
                                        							_t287 =  *(_t291 + 0x50) ^  *_t292;
                                        							 *_t292 = _t287;
                                        							_t259 = _t287 >> 0x00000010 ^ _t287 >> 0x00000008 ^ _t287;
                                        							if(_t287 >> 0x18 != _t259) {
                                        								_push(_t259);
                                        								E016DFA2B(_t223, _t291, _t292, _t291, _t292, __eflags);
                                        							}
                                        						}
                                        						_t147 = _v16 + 8;
                                        						 *((char*)(_t292 + 2)) = 0;
                                        						 *((char*)(_t292 + 7)) = 0;
                                        						_t236 =  *((intOrPtr*)(_t147 + 4));
                                        						_t277 =  *_t147;
                                        						_v24 = _t236;
                                        						_t237 =  *_t236;
                                        						_v12 = _t237;
                                        						_t238 = _v16;
                                        						if(_t237 !=  *((intOrPtr*)(_t277 + 4)) || _v12 != _t147) {
                                        							_push(_t238);
                                        							_push(_v12);
                                        							E016EA80D(0, 0xd, _t147,  *((intOrPtr*)(_t277 + 4)));
                                        							_t238 = _v16;
                                        						} else {
                                        							_t195 = _v24;
                                        							 *_t195 = _t277;
                                        							 *((intOrPtr*)(_t277 + 4)) = _t195;
                                        						}
                                        						if( *(_t238 + 0x14) == 0) {
                                        							L22:
                                        							_t223[0x30] = _t223[0x30] - 1;
                                        							_t223[0x2c] = _t223[0x2c] - ( *(_t238 + 0x14) >> 0xc);
                                        							 *((intOrPtr*)(_t291 + 0x1e8)) =  *((intOrPtr*)(_t291 + 0x1e8)) +  *(_t238 + 0x14);
                                        							 *((intOrPtr*)(_t291 + 0x1fc)) =  *((intOrPtr*)(_t291 + 0x1fc)) + 1;
                                        							 *((intOrPtr*)(_t291 + 0x1f8)) =  *((intOrPtr*)(_t291 + 0x1f8)) - 1;
                                        							_t279 =  *(_t238 + 0x14);
                                        							if(_t279 >= 0x7f000) {
                                        								 *((intOrPtr*)(_t291 + 0x1ec)) =  *((intOrPtr*)(_t291 + 0x1ec)) - _t279;
                                        								_t279 =  *(_t238 + 0x14);
                                        							}
                                        							_t152 = _v20;
                                        							_t240 =  *_v20;
                                        							_v12 = _t240;
                                        							_t241 = _v16;
                                        							if(_t279 <= _t240) {
                                        								__eflags =  *((intOrPtr*)(_t241 + 0x10)) + _t279 - _t223[0x28];
                                        								if( *((intOrPtr*)(_t241 + 0x10)) + _t279 != _t223[0x28]) {
                                        									 *_v20 = _v12 + ( *_t292 & 0x0000ffff) * 8;
                                        									L26:
                                        									_t243 = 0;
                                        									 *((char*)(_t292 + 3)) = 0;
                                        									_t276 = _t223[0x18];
                                        									if(_t223[0x18] != _t223) {
                                        										_t160 = (_t292 - _t223 >> 0x10) + 1;
                                        										_v24 = _t160;
                                        										__eflags = _t160 - 0xfe;
                                        										if(_t160 >= 0xfe) {
                                        											_push(0);
                                        											_push(0);
                                        											E016EA80D(_t276, 3, _t292, _t223);
                                        											_t160 = _v24;
                                        										}
                                        										_t243 = _t160;
                                        									}
                                        									 *((char*)(_t292 + 6)) = _t243;
                                        									_t163 =  *( *[fs:0x30] + 0x50);
                                        									if(_t163 != 0) {
                                        										__eflags =  *_t163;
                                        										if( *_t163 == 0) {
                                        											goto L28;
                                        										}
                                        										_t227 = 0x7ffe0380;
                                        										_t164 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
                                        										goto L29;
                                        									} else {
                                        										L28:
                                        										_t227 = 0x7ffe0380;
                                        										_t164 = 0x7ffe0380;
                                        										L29:
                                        										if( *_t164 != 0) {
                                        											_t165 =  *[fs:0x30];
                                        											__eflags =  *(_t165 + 0x240) & 0x00000001;
                                        											if(( *(_t165 + 0x240) & 0x00000001) != 0) {
                                        												__eflags = E01647D50();
                                        												if(__eflags != 0) {
                                        													_t227 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
                                        													__eflags =  &(( *( *[fs:0x30] + 0x50))[0x89]);
                                        												}
                                        												_t276 = _t292;
                                        												E016E1582(_t227, _t291, _t292, __eflags,  *_v20,  *(_t291 + 0x74) << 3,  *_t227 & 0x000000ff);
                                        											}
                                        										}
                                        										_t223 = 0x7ffe038a;
                                        										_t167 =  *( *[fs:0x30] + 0x50);
                                        										if(_t167 != 0) {
                                        											__eflags =  *_t167;
                                        											if( *_t167 == 0) {
                                        												goto L31;
                                        											}
                                        											_t168 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
                                        											goto L32;
                                        										} else {
                                        											L31:
                                        											_t168 = _t223;
                                        											L32:
                                        											if( *_t168 != 0) {
                                        												__eflags = E01647D50();
                                        												if(__eflags != 0) {
                                        													_t223 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
                                        													__eflags =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
                                        												}
                                        												_t276 = _t292;
                                        												E016E1582(_t223, _t291, _t292, __eflags,  *_v20,  *(_t291 + 0x74) << 3,  *_t223 & 0x000000ff);
                                        											}
                                        											_t131 = _t292;
                                        											goto L34;
                                        										}
                                        									}
                                        								}
                                        								_t152 = _v20;
                                        							}
                                        							E0164B73D(_t291, _t223,  *((intOrPtr*)(_t241 + 0x10)) + _v12 + 0xffffffe8, _t279 - _v12, _t292, _t152);
                                        							 *_v20 =  *_v20 << 3;
                                        							goto L26;
                                        						} else {
                                        							_t283 =  *(_t291 + 0xb8);
                                        							if(_t283 != 0) {
                                        								_t190 =  *(_t238 + 0x14) >> 0xc;
                                        								while(1) {
                                        									__eflags = _t190 - _t283[1];
                                        									if(_t190 < _t283[1]) {
                                        										break;
                                        									}
                                        									_t252 =  *_t283;
                                        									__eflags = _t252;
                                        									_v24 = _t252;
                                        									_t238 = _v16;
                                        									if(_t252 == 0) {
                                        										_t190 = _t283[1] - 1;
                                        										__eflags = _t283[1] - 1;
                                        										L70:
                                        										E0164BC04(_t291, _t283, 0, _t238, _t190,  *(_t238 + 0x14));
                                        										_t238 = _v16;
                                        										goto L19;
                                        									}
                                        									_t283 = _v24;
                                        								}
                                        								goto L70;
                                        							}
                                        							L19:
                                        							_t193 =  *_t238;
                                        							_t284 =  *((intOrPtr*)(_t238 + 4));
                                        							_t254 =  *((intOrPtr*)(_t193 + 4));
                                        							_v24 = _t254;
                                        							_t238 = _v16;
                                        							if( *_t284 != _t254 ||  *_t284 != _t238) {
                                        								_push(_t238);
                                        								_push( *_t284);
                                        								E016EA80D(0, 0xd, _t238, _v24);
                                        								_t238 = _v16;
                                        							} else {
                                        								 *_t284 = _t193;
                                        								 *((intOrPtr*)(_t193 + 4)) = _t284;
                                        							}
                                        							goto L22;
                                        						}
                                        					}
                                        					L10:
                                        					_t144 = 0x7ffe0380;
                                        					goto L11;
                                        				}
                                        			}
                                        0x01692b2b
                                        0x01692b2b
                                        0x01692b2b
                                        0x01692b34
                                        0x01692b45
                                        0x01692b45
                                        0x01692b13
                                        0x0164b696
                                        0x0164b69b
                                        0x0164b6a0
                                        0x01692b4f
                                        0x01692b52
                                        0x00000000
                                        0x00000000
                                        0x01692b61
                                        0x00000000
                                        0x0164b6a6
                                        0x0164b6a6
                                        0x0164b6a6
                                        0x0164b6a8
                                        0x0164b6ab
                                        0x01692b70
                                        0x01692b72
                                        0x01692b7d
                                        0x01692b7d
                                        0x01692b7d
                                        0x01692b86
                                        0x01692b97
                                        0x01692b97
                                        0x0164b6b1
                                        0x00000000
                                        0x0164b6b1
                                        0x0164b6a0
                                        0x0164b67a
                                        0x0164b722
                                        0x0164b722
                                        0x0164b655
                                        0x0164b65d
                                        0x00000000
                                        0x0164b5c6
                                        0x0164b5c6
                                        0x0164b5ce
                                        0x01692a83
                                        0x01692a97
                                        0x01692a97
                                        0x01692a9a
                                        0x00000000
                                        0x00000000
                                        0x01692a88
                                        0x01692a8a
                                        0x01692a8c
                                        0x01692a8f
                                        0x01692a92
                                        0x01692aa1
                                        0x01692aa1
                                        0x01692aa2
                                        0x01692aab
                                        0x01692ab0
                                        0x00000000
                                        0x01692ab0
                                        0x01692a94
                                        0x01692a94
                                        0x00000000
                                        0x01692a9c
                                        0x0164b5d4
                                        0x0164b5d4
                                        0x0164b5d6
                                        0x0164b5d9
                                        0x0164b5de
                                        0x0164b5e1
                                        0x0164b5e4
                                        0x01692ab8
                                        0x01692ab9
                                        0x01692ac4
                                        0x01692ac9
                                        0x0164b5f2
                                        0x0164b5f2
                                        0x0164b5f4
                                        0x0164b5f4
                                        0x00000000
                                        0x0164b5e4
                                        0x0164b5c4
                                        0x0164b554
                                        0x0164b554
                                        0x00000000
                                        0x0164b554

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                        • API String ID: 0-4253913091
                                        • Opcode ID: 9b68e5afe73d1c932ef9fcf1d51afef27c7479d460e7962a835dd010388ba16f
                                        • Instruction ID: 8ed93872c5f21cffea9204f024247eef49d7efe537980483da2189c4526596db
                                        • Opcode Fuzzy Hash: 9b68e5afe73d1c932ef9fcf1d51afef27c7479d460e7962a835dd010388ba16f
                                        • Instruction Fuzzy Hash: C8E16A71A00645AFDB19CF68CC94BBABBBAFF44304F1481ADE5169B391D734E942CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 83%
                                        			E01638794(void* __ecx) {
                                        				signed int _v0;
                                        				char _v8;
                                        				signed int _v12;
                                        				void* _v16;
                                        				signed int _v20;
                                        				intOrPtr _v24;
                                        				signed int _v28;
                                        				signed int _v32;
                                        				signed int _v40;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				intOrPtr* _t77;
                                        				signed int _t80;
                                        				signed char _t81;
                                        				signed int _t87;
                                        				signed int _t91;
                                        				void* _t92;
                                        				void* _t94;
                                        				signed int _t95;
                                        				signed int _t103;
                                        				signed int _t105;
                                        				signed int _t110;
                                        				signed int _t118;
                                        				intOrPtr* _t121;
                                        				intOrPtr _t122;
                                        				signed int _t125;
                                        				signed int _t129;
                                        				signed int _t131;
                                        				signed int _t134;
                                        				signed int _t136;
                                        				signed int _t143;
                                        				signed int* _t147;
                                        				signed int _t151;
                                        				void* _t153;
                                        				signed int* _t157;
                                        				signed int _t159;
                                        				signed int _t161;
                                        				signed int _t166;
                                        				signed int _t168;
                                        
                                        				_push(__ecx);
                                        				_t153 = __ecx;
                                        				_t159 = 0;
                                        				_t121 = __ecx + 0x3c;
                                        				if( *_t121 == 0) {
                                        					L2:
                                        					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                        					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                        						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                        						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                        						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                        							L6:
                                        							if(E0163934A() != 0) {
                                        								_t159 = E016AA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                        								__eflags = _t159;
                                        								if(_t159 < 0) {
                                        									_t81 =  *0x1715780; // 0x0
                                        									__eflags = _t81 & 0x00000003;
                                        									if((_t81 & 0x00000003) != 0) {
                                        										_push(_t159);
                                        										E016A5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                        										_t81 =  *0x1715780; // 0x0
                                        									}
                                        									__eflags = _t81 & 0x00000010;
                                        									if((_t81 & 0x00000010) != 0) {
                                        										asm("int3");
                                        									}
                                        								}
                                        							}
                                        						} else {
                                        							_t159 = E0163849B(0, _t122, _t153, _t159, _t180);
                                        							if(_t159 >= 0) {
                                        								goto L6;
                                        							}
                                        						}
                                        						_t80 = _t159;
                                        						goto L8;
                                        					} else {
                                        						_t125 = 0x13;
                                        						asm("int 0x29");
                                        						_push(0);
                                        						_push(_t159);
                                        						_t161 = _t125;
                                        						_t87 =  *( *[fs:0x30] + 0x1e8);
                                        						_t143 = 0;
                                        						_v40 = _t161;
                                        						_t118 = 0;
                                        						_push(_t153);
                                        						__eflags = _t87;
                                        						if(_t87 != 0) {
                                        							_t118 = _t87 + 0x5d8;
                                        							__eflags = _t118;
                                        							if(_t118 == 0) {
                                        								L46:
                                        								_t118 = 0;
                                        							} else {
                                        								__eflags =  *(_t118 + 0x30);
                                        								if( *(_t118 + 0x30) == 0) {
                                        									goto L46;
                                        								}
                                        							}
                                        						}
                                        						_v32 = 0;
                                        						_v28 = 0;
                                        						_v16 = 0;
                                        						_v20 = 0;
                                        						_v12 = 0;
                                        						__eflags = _t118;
                                        						if(_t118 != 0) {
                                        							__eflags = _t161;
                                        							if(_t161 != 0) {
                                        								__eflags =  *(_t118 + 8);
                                        								if( *(_t118 + 8) == 0) {
                                        									L22:
                                        									_t143 = 1;
                                        									__eflags = 1;
                                        								} else {
                                        									_t19 = _t118 + 0x40; // 0x40
                                        									_t156 = _t19;
                                        									E01638999(_t19,  &_v16);
                                        									__eflags = _v0;
                                        									if(_v0 != 0) {
                                        										__eflags = _v0 - 1;
                                        										if(_v0 != 1) {
                                        											goto L22;
                                        										} else {
                                        											_t128 =  *(_t161 + 0x64);
                                        											__eflags =  *(_t161 + 0x64);
                                        											if( *(_t161 + 0x64) == 0) {
                                        												goto L22;
                                        											} else {
                                        												E01638999(_t128,  &_v12);
                                        												_t147 = _v12;
                                        												_t91 = 0;
                                        												__eflags = 0;
                                        												_t129 =  *_t147;
                                        												while(1) {
                                        													__eflags =  *((intOrPtr*)(0x1715c60 + _t91 * 8)) - _t129;
                                        													if( *((intOrPtr*)(0x1715c60 + _t91 * 8)) == _t129) {
                                        														break;
                                        													}
                                        													_t91 = _t91 + 1;
                                        													__eflags = _t91 - 5;
                                        													if(_t91 < 5) {
                                        														continue;
                                        													} else {
                                        														_t131 = 0;
                                        														__eflags = 0;
                                        													}
                                        													L37:
                                        													__eflags = _t131;
                                        													if(_t131 != 0) {
                                        														goto L22;
                                        													} else {
                                        														__eflags = _v16 - _t147;
                                        														if(_v16 != _t147) {
                                        															goto L22;
                                        														} else {
                                        															E01642280(_t92, 0x17186cc);
                                        															_t94 = E016F9DFB( &_v20);
                                        															__eflags = _t94 - 1;
                                        															if(_t94 != 1) {
                                        															}
                                        															asm("movsd");
                                        															asm("movsd");
                                        															asm("movsd");
                                        															asm("movsd");
                                        															 *_t118 =  *_t118 + 1;
                                        															asm("adc dword [ebx+0x4], 0x0");
                                        															_t95 = E016561A0( &_v32);
                                        															__eflags = _t95;
                                        															if(_t95 != 0) {
                                        																__eflags = _v32 | _v28;
                                        																if((_v32 | _v28) != 0) {
                                        																	_t71 = _t118 + 0x40; // 0x3f
                                        																	_t134 = _t71;
                                        																	goto L55;
                                        																}
                                        															}
                                        															goto L30;
                                        														}
                                        													}
                                        													goto L56;
                                        												}
                                        												_t92 = 0x1715c64 + _t91 * 8;
                                        												asm("lock xadd [eax], ecx");
                                        												_t131 = (_t129 | 0xffffffff) - 1;
                                        												goto L37;
                                        											}
                                        										}
                                        										goto L56;
                                        									} else {
                                        										_t143 = E01638A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                        										__eflags = _t143;
                                        										if(_t143 != 0) {
                                        											_t157 = _v12;
                                        											_t103 = 0;
                                        											__eflags = 0;
                                        											_t136 =  &(_t157[1]);
                                        											 *(_t161 + 0x64) = _t136;
                                        											_t151 =  *_t157;
                                        											_v20 = _t136;
                                        											while(1) {
                                        												__eflags =  *((intOrPtr*)(0x1715c60 + _t103 * 8)) - _t151;
                                        												if( *((intOrPtr*)(0x1715c60 + _t103 * 8)) == _t151) {
                                        													break;
                                        												}
                                        												_t103 = _t103 + 1;
                                        												__eflags = _t103 - 5;
                                        												if(_t103 < 5) {
                                        													continue;
                                        												}
                                        												L21:
                                        												_t105 = E0166F380(_t136, 0x1601184, 0x10);
                                        												__eflags = _t105;
                                        												if(_t105 != 0) {
                                        													__eflags =  *_t157 -  *_v16;
                                        													if( *_t157 >=  *_v16) {
                                        														goto L22;
                                        													} else {
                                        														asm("cdq");
                                        														_t166 = _t157[5] & 0x0000ffff;
                                        														_t108 = _t157[5] & 0x0000ffff;
                                        														asm("cdq");
                                        														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                        														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                        														if(__eflags > 0) {
                                        															L29:
                                        															E01642280(_t108, 0x17186cc);
                                        															 *_t118 =  *_t118 + 1;
                                        															_t42 = _t118 + 0x40; // 0x3f
                                        															_t156 = _t42;
                                        															asm("adc dword [ebx+0x4], 0x0");
                                        															asm("movsd");
                                        															asm("movsd");
                                        															asm("movsd");
                                        															asm("movsd");
                                        															_t110 = E016561A0( &_v32);
                                        															__eflags = _t110;
                                        															if(_t110 != 0) {
                                        																__eflags = _v32 | _v28;
                                        																if((_v32 | _v28) != 0) {
                                        																	_t134 = _v20;
                                        																	L55:
                                        																	E016F9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                        																}
                                        															}
                                        															L30:
                                        															 *_t118 =  *_t118 + 1;
                                        															asm("adc dword [ebx+0x4], 0x0");
                                        															E0163FFB0(_t118, _t156, 0x17186cc);
                                        															goto L22;
                                        														} else {
                                        															if(__eflags < 0) {
                                        																goto L22;
                                        															} else {
                                        																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                        																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                        																	goto L22;
                                        																} else {
                                        																	goto L29;
                                        																}
                                        															}
                                        														}
                                        													}
                                        													goto L56;
                                        												}
                                        												goto L22;
                                        											}
                                        											asm("lock inc dword [eax]");
                                        											goto L21;
                                        										}
                                        									}
                                        								}
                                        							}
                                        						}
                                        						return _t143;
                                        					}
                                        				} else {
                                        					_push( &_v8);
                                        					_push( *((intOrPtr*)(__ecx + 0x50)));
                                        					_push(__ecx + 0x40);
                                        					_push(_t121);
                                        					_push(0xffffffff);
                                        					_t80 = E01669A00();
                                        					_t159 = _t80;
                                        					if(_t159 < 0) {
                                        						L8:
                                        						return _t80;
                                        					} else {
                                        						goto L2;
                                        					}
                                        				}
                                        				L56:
                                        			}

                                        0x01689c82
                                        0x01689c86
                                        0x01689c87
                                        0x01689c88
                                        0x01689c89
                                        0x01689c8c
                                        0x01689c90
                                        0x01689c95
                                        0x01689c97
                                        0x01689ca0
                                        0x01689ca3
                                        0x01689ca9
                                        0x01689ca9
                                        0x00000000
                                        0x01689ca9
                                        0x01689ca3
                                        0x00000000
                                        0x01689c97
                                        0x0163897d
                                        0x00000000
                                        0x01638974
                                        0x01638988
                                        0x01638992
                                        0x01638996
                                        0x00000000
                                        0x01638996
                                        0x0163894c
                                        0x00000000
                                        0x01638870
                                        0x0163887b
                                        0x0163887d
                                        0x0163887f
                                        0x01638881
                                        0x01638884
                                        0x01638884
                                        0x01638886
                                        0x01638889
                                        0x0163888c
                                        0x0163888e
                                        0x01638891
                                        0x01638891
                                        0x01638898
                                        0x00000000
                                        0x00000000
                                        0x0163889a
                                        0x0163889b
                                        0x0163889e
                                        0x00000000
                                        0x00000000
                                        0x016388a0
                                        0x016388a8
                                        0x016388b0
                                        0x016388b2
                                        0x016388d3
                                        0x016388d5
                                        0x00000000
                                        0x016388d7
                                        0x016388db
                                        0x016388dc
                                        0x016388e0
                                        0x016388e8
                                        0x016388ee
                                        0x016388f0
                                        0x016388f3
                                        0x016388fc
                                        0x01638901
                                        0x01638906
                                        0x0163890c
                                        0x0163890c
                                        0x0163890f
                                        0x01638916
                                        0x01638917
                                        0x01638918
                                        0x01638919
                                        0x0163891a
                                        0x0163891f
                                        0x01638921
                                        0x01689c52
                                        0x01689c55
                                        0x01689c5b
                                        0x01689cac
                                        0x01689cc0
                                        0x01689cc0
                                        0x01689c55
                                        0x01638927
                                        0x01638927
                                        0x0163892f
                                        0x01638933
                                        0x00000000
                                        0x016388f5
                                        0x016388f5
                                        0x00000000
                                        0x016388f7
                                        0x016388f7
                                        0x016388fa
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x016388fa
                                        0x016388f5
                                        0x016388f3
                                        0x00000000
                                        0x016388d5
                                        0x00000000
                                        0x016388b2
                                        0x016388c9
                                        0x00000000
                                        0x016388c9
                                        0x0163887f
                                        0x0163886a
                                        0x01638857
                                        0x01638852
                                        0x016388bf
                                        0x016388bf
                                        0x016387aa
                                        0x016387ad
                                        0x016387ae
                                        0x016387b4
                                        0x016387b5
                                        0x016387b6
                                        0x016387b8
                                        0x016387bd
                                        0x016387c1
                                        0x016387f4
                                        0x016387fa
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x016387c1
                                        0x00000000

                                        Strings
                                        • minkernel\ntdll\ldrsnap.c, xrefs: 01689C28
                                        • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01689C18
                                        • LdrpDoPostSnapWork, xrefs: 01689C1E
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                        • API String ID: 2994545307-1948996284
                                        • Opcode ID: 2cf09ecb39b1beda4ec25a1004a501f1d63ad770d5f1e77840f00eacaa747797
                                        • Instruction ID: 542b62845ac682c51002d892b4db49df887dba626b8e675b289206334d860df1
                                        • Opcode Fuzzy Hash: 2cf09ecb39b1beda4ec25a1004a501f1d63ad770d5f1e77840f00eacaa747797
                                        • Instruction Fuzzy Hash: 3491E171A002169FEB29DF5DDC81ABAB7BAFFC4314B55426DE905AB241D730AE01CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 80%
                                        			E0165AC7B(void* __ecx, signed short* __edx) {
                                        				signed int _v8;
                                        				signed int _v12;
                                        				void* __ebx;
                                        				signed char _t75;
                                        				signed int _t79;
                                        				signed int _t88;
                                        				intOrPtr _t89;
                                        				signed int _t96;
                                        				signed char* _t97;
                                        				intOrPtr _t98;
                                        				signed int _t101;
                                        				signed char* _t102;
                                        				intOrPtr _t103;
                                        				signed int _t105;
                                        				signed char* _t106;
                                        				signed int _t131;
                                        				signed int _t138;
                                        				void* _t149;
                                        				signed short* _t150;
                                        
                                        				_t150 = __edx;
                                        				_t149 = __ecx;
                                        				_t70 =  *__edx & 0x0000ffff;
                                        				__edx[1] = __edx[1] & 0x000000f8;
                                        				__edx[3] = 0;
                                        				_v8 =  *__edx & 0x0000ffff;
                                        				if(( *(__ecx + 0x40) & 0x00000040) != 0) {
                                        					_t39 =  &(_t150[8]); // 0x8
                                        					E0167D5E0(_t39, _t70 * 8 - 0x10, 0xfeeefeee);
                                        					__edx[1] = __edx[1] | 0x00000004;
                                        				}
                                        				_t75 =  *(_t149 + 0xcc) ^  *0x1718a68;
                                        				if(_t75 != 0) {
                                        					L4:
                                        					if( *((intOrPtr*)(_t149 + 0x4c)) != 0) {
                                        						_t150[1] = _t150[0] ^ _t150[1] ^  *_t150;
                                        						_t79 =  *(_t149 + 0x50);
                                        						 *_t150 =  *_t150 ^ _t79;
                                        						return _t79;
                                        					}
                                        					return _t75;
                                        				} else {
                                        					_t9 =  &(_t150[0x80f]); // 0x1017
                                        					_t138 = _t9 & 0xfffff000;
                                        					_t10 =  &(_t150[0x14]); // 0x20
                                        					_v12 = _t138;
                                        					if(_t138 == _t10) {
                                        						_t138 = _t138 + 0x1000;
                                        						_v12 = _t138;
                                        					}
                                        					_t75 = _t150 + (( *_t150 & 0x0000ffff) + 0xfffffffe) * 0x00000008 & 0xfffff000;
                                        					if(_t75 > _t138) {
                                        						_v8 = _t75 - _t138;
                                        						_push(0x4000);
                                        						_push( &_v8);
                                        						_push( &_v12);
                                        						_push(0xffffffff);
                                        						_t131 = E016696E0();
                                        						__eflags = _t131 - 0xc0000045;
                                        						if(_t131 == 0xc0000045) {
                                        							_t88 = E016D3C60(_v12, _v8);
                                        							__eflags = _t88;
                                        							if(_t88 != 0) {
                                        								_push(0x4000);
                                        								_push( &_v8);
                                        								_push( &_v12);
                                        								_push(0xffffffff);
                                        								_t131 = E016696E0();
                                        							}
                                        						}
                                        						_t89 =  *[fs:0x30];
                                        						__eflags = _t131;
                                        						if(_t131 < 0) {
                                        							__eflags =  *(_t89 + 0xc);
                                        							if( *(_t89 + 0xc) == 0) {
                                        								_push("HEAP: ");
                                        								E0162B150();
                                        							} else {
                                        								E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        							}
                                        							_push(_v8);
                                        							_push(_v12);
                                        							_push(_t149);
                                        							_t75 = E0162B150("RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t131);
                                        							goto L4;
                                        						} else {
                                        							_t96 =  *(_t89 + 0x50);
                                        							_t132 = 0x7ffe0380;
                                        							__eflags = _t96;
                                        							if(_t96 != 0) {
                                        								__eflags =  *_t96;
                                        								if( *_t96 == 0) {
                                        									goto L10;
                                        								}
                                        								_t97 =  *( *[fs:0x30] + 0x50) + 0x226;
                                        								L11:
                                        								__eflags =  *_t97;
                                        								if( *_t97 != 0) {
                                        									_t98 =  *[fs:0x30];
                                        									__eflags =  *(_t98 + 0x240) & 0x00000001;
                                        									if(( *(_t98 + 0x240) & 0x00000001) != 0) {
                                        										E016E14FB(_t132, _t149, _v12, _v8, 7);
                                        									}
                                        								}
                                        								 *((intOrPtr*)(_t149 + 0x234)) =  *((intOrPtr*)(_t149 + 0x234)) + _v8;
                                        								 *((intOrPtr*)(_t149 + 0x210)) =  *((intOrPtr*)(_t149 + 0x210)) + 1;
                                        								 *((intOrPtr*)(_t149 + 0x230)) =  *((intOrPtr*)(_t149 + 0x230)) + 1;
                                        								 *((intOrPtr*)(_t149 + 0x220)) =  *((intOrPtr*)(_t149 + 0x220)) + 1;
                                        								_t101 =  *( *[fs:0x30] + 0x50);
                                        								__eflags = _t101;
                                        								if(_t101 != 0) {
                                        									__eflags =  *_t101;
                                        									if( *_t101 == 0) {
                                        										goto L13;
                                        									}
                                        									_t102 =  *( *[fs:0x30] + 0x50) + 0x226;
                                        									goto L14;
                                        								} else {
                                        									L13:
                                        									_t102 = _t132;
                                        									L14:
                                        									__eflags =  *_t102;
                                        									if( *_t102 != 0) {
                                        										_t103 =  *[fs:0x30];
                                        										__eflags =  *(_t103 + 0x240) & 0x00000001;
                                        										if(( *(_t103 + 0x240) & 0x00000001) != 0) {
                                        											__eflags = E01647D50();
                                        											if(__eflags != 0) {
                                        												_t132 =  *( *[fs:0x30] + 0x50) + 0x226;
                                        												__eflags =  *( *[fs:0x30] + 0x50) + 0x226;
                                        											}
                                        											E016E1411(_t132, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t132 & 0x000000ff);
                                        										}
                                        									}
                                        									_t133 = 0x7ffe038a;
                                        									_t105 =  *( *[fs:0x30] + 0x50);
                                        									__eflags = _t105;
                                        									if(_t105 != 0) {
                                        										__eflags =  *_t105;
                                        										if( *_t105 == 0) {
                                        											goto L16;
                                        										}
                                        										_t106 =  *( *[fs:0x30] + 0x50) + 0x230;
                                        										goto L17;
                                        									} else {
                                        										L16:
                                        										_t106 = _t133;
                                        										L17:
                                        										__eflags =  *_t106;
                                        										if( *_t106 != 0) {
                                        											__eflags = E01647D50();
                                        											if(__eflags != 0) {
                                        												_t133 =  *( *[fs:0x30] + 0x50) + 0x230;
                                        												__eflags =  *( *[fs:0x30] + 0x50) + 0x230;
                                        											}
                                        											E016E1411(_t133, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t133 & 0x000000ff);
                                        										}
                                        										_t75 = _t150[1] & 0x00000013 | 0x00000008;
                                        										_t150[1] = _t75;
                                        										goto L4;
                                        									}
                                        								}
                                        							}
                                        							L10:
                                        							_t97 = _t132;
                                        							goto L11;
                                        						}
                                        					} else {
                                        						goto L4;
                                        					}
                                        				}
                                        			}























                                        Strings
                                        • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0169A0CD
                                        • HEAP: , xrefs: 0169A0BA
                                        • HEAP[%wZ]: , xrefs: 0169A0AD
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                        • API String ID: 0-1340214556
                                        • Opcode ID: 2eb92c21509241971cb10ff2461554eda5951bc65eaca046404442444dcbe535
                                        • Instruction ID: 902e2d581f73721d2451329116085639bfbee978e78a3118188295a23d8caecc
                                        • Opcode Fuzzy Hash: 2eb92c21509241971cb10ff2461554eda5951bc65eaca046404442444dcbe535
                                        • Instruction Fuzzy Hash: 50810632204684EFEB26DBACCD94BA9BBF8FF05314F1442A9E95187392D774E940CB10
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 74%
                                        			E0164B73D(void* __ecx, signed int __edx, intOrPtr* _a4, unsigned int _a8, intOrPtr _a12, signed int* _a16) {
                                        				signed int _v8;
                                        				char _v12;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __ebp;
                                        				void* _t72;
                                        				char _t76;
                                        				signed char _t77;
                                        				intOrPtr* _t80;
                                        				unsigned int _t85;
                                        				signed int* _t86;
                                        				signed int _t88;
                                        				signed char _t89;
                                        				intOrPtr _t90;
                                        				intOrPtr _t101;
                                        				intOrPtr* _t111;
                                        				void* _t117;
                                        				intOrPtr* _t118;
                                        				signed int _t120;
                                        				signed char _t121;
                                        				intOrPtr* _t123;
                                        				signed int _t126;
                                        				intOrPtr _t136;
                                        				signed int _t139;
                                        				void* _t140;
                                        				signed int _t141;
                                        				void* _t147;
                                        
                                        				_t111 = _a4;
                                        				_t140 = __ecx;
                                        				_v8 = __edx;
                                        				_t3 = _t111 + 0x18; // 0x0
                                        				 *((intOrPtr*)(_t111 + 0x10)) = _t3;
                                        				_t5 = _t111 - 8; // -32
                                        				_t141 = _t5;
                                        				 *(_t111 + 0x14) = _a8;
                                        				_t72 = 4;
                                        				 *(_t141 + 2) = 1;
                                        				 *_t141 = _t72;
                                        				 *((char*)(_t141 + 7)) = 3;
                                        				_t134 =  *((intOrPtr*)(__edx + 0x18));
                                        				if( *((intOrPtr*)(__edx + 0x18)) != __edx) {
                                        					_t76 = (_t141 - __edx >> 0x10) + 1;
                                        					_v12 = _t76;
                                        					__eflags = _t76 - 0xfe;
                                        					if(_t76 >= 0xfe) {
                                        						_push(__edx);
                                        						_push(0);
                                        						E016EA80D(_t134, 3, _t141, __edx);
                                        						_t76 = _v12;
                                        					}
                                        				} else {
                                        					_t76 = 0;
                                        				}
                                        				 *((char*)(_t141 + 6)) = _t76;
                                        				if( *0x1718748 >= 1) {
                                        					__eflags = _a12 - _t141;
                                        					if(_a12 <= _t141) {
                                        						goto L4;
                                        					}
                                        					_t101 =  *[fs:0x30];
                                        					__eflags =  *(_t101 + 0xc);
                                        					if( *(_t101 + 0xc) == 0) {
                                        						_push("HEAP: ");
                                        						E0162B150();
                                        					} else {
                                        						E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        					}
                                        					_push("((PHEAP_ENTRY)LastKnownEntry <= Entry)");
                                        					E0162B150();
                                        					__eflags =  *0x1717bc8;
                                        					if(__eflags == 0) {
                                        						E016E2073(_t111, 1, _t140, __eflags);
                                        					}
                                        					goto L3;
                                        				} else {
                                        					L3:
                                        					_t147 = _a12 - _t141;
                                        					L4:
                                        					if(_t147 != 0) {
                                        						 *((short*)(_t141 + 4)) =  *((intOrPtr*)(_t140 + 0x54));
                                        					}
                                        					if( *((intOrPtr*)(_t140 + 0x4c)) != 0) {
                                        						 *(_t141 + 3) =  *(_t141 + 1) ^  *(_t141 + 2) ^  *_t141;
                                        						 *_t141 =  *_t141 ^  *(_t140 + 0x50);
                                        					}
                                        					_t135 =  *(_t111 + 0x14);
                                        					if( *(_t111 + 0x14) == 0) {
                                        						L12:
                                        						_t77 =  *((intOrPtr*)(_t141 + 6));
                                        						if(_t77 != 0) {
                                        							_t117 = (_t141 & 0xffff0000) - ((_t77 & 0x000000ff) << 0x10) + 0x10000;
                                        						} else {
                                        							_t117 = _t140;
                                        						}
                                        						_t118 = _t117 + 0x38;
                                        						_t26 = _t111 + 8; // -16
                                        						_t80 = _t26;
                                        						_t136 =  *_t118;
                                        						if( *((intOrPtr*)(_t136 + 4)) != _t118) {
                                        							_push(_t118);
                                        							_push(0);
                                        							E016EA80D(0, 0xd, _t118,  *((intOrPtr*)(_t136 + 4)));
                                        						} else {
                                        							 *_t80 = _t136;
                                        							 *((intOrPtr*)(_t80 + 4)) = _t118;
                                        							 *((intOrPtr*)(_t136 + 4)) = _t80;
                                        							 *_t118 = _t80;
                                        						}
                                        						_t120 = _v8;
                                        						 *((intOrPtr*)(_t120 + 0x30)) =  *((intOrPtr*)(_t120 + 0x30)) + 1;
                                        						 *((intOrPtr*)(_t120 + 0x2c)) =  *((intOrPtr*)(_t120 + 0x2c)) + ( *(_t111 + 0x14) >> 0xc);
                                        						 *((intOrPtr*)(_t140 + 0x1e8)) =  *((intOrPtr*)(_t140 + 0x1e8)) -  *(_t111 + 0x14);
                                        						 *((intOrPtr*)(_t140 + 0x1f8)) =  *((intOrPtr*)(_t140 + 0x1f8)) + 1;
                                        						if( *((intOrPtr*)(_t140 + 0x1f8)) > 0xa) {
                                        							__eflags =  *(_t140 + 0xb8);
                                        							if( *(_t140 + 0xb8) == 0) {
                                        								_t88 =  *(_t140 + 0x40) & 0x00000003;
                                        								__eflags = _t88 - 2;
                                        								_t121 = _t120 & 0xffffff00 | _t88 == 0x00000002;
                                        								__eflags =  *0x1718720 & 0x00000001;
                                        								_t89 = _t88 & 0xffffff00 | ( *0x1718720 & 0x00000001) == 0x00000000;
                                        								__eflags = _t89 & _t121;
                                        								if((_t89 & _t121) != 0) {
                                        									 *(_t140 + 0x48) =  *(_t140 + 0x48) | 0x10000000;
                                        								}
                                        							}
                                        						}
                                        						_t85 =  *(_t111 + 0x14);
                                        						if(_t85 >= 0x7f000) {
                                        							 *((intOrPtr*)(_t140 + 0x1ec)) =  *((intOrPtr*)(_t140 + 0x1ec)) + _t85;
                                        						}
                                        						_t86 = _a16;
                                        						 *_t86 = _t141 - _a12 >> 3;
                                        						return _t86;
                                        					} else {
                                        						_t90 = E0164B8E4(_t135);
                                        						_t123 =  *((intOrPtr*)(_t90 + 4));
                                        						if( *_t123 != _t90) {
                                        							_push(_t123);
                                        							_push( *_t123);
                                        							E016EA80D(0, 0xd, _t90, 0);
                                        						} else {
                                        							 *_t111 = _t90;
                                        							 *((intOrPtr*)(_t111 + 4)) = _t123;
                                        							 *_t123 = _t111;
                                        							 *((intOrPtr*)(_t90 + 4)) = _t111;
                                        						}
                                        						_t139 =  *(_t140 + 0xb8);
                                        						if(_t139 != 0) {
                                        							_t93 =  *(_t111 + 0x14) >> 0xc;
                                        							__eflags = _t93;
                                        							while(1) {
                                        								__eflags = _t93 -  *((intOrPtr*)(_t139 + 4));
                                        								if(_t93 <  *((intOrPtr*)(_t139 + 4))) {
                                        									break;
                                        								}
                                        								_t126 =  *_t139;
                                        								__eflags = _t126;
                                        								if(_t126 != 0) {
                                        									_t139 = _t126;
                                        									continue;
                                        								}
                                        								_t93 =  *((intOrPtr*)(_t139 + 4)) - 1;
                                        								__eflags =  *((intOrPtr*)(_t139 + 4)) - 1;
                                        								break;
                                        							}
                                        							E0164E4A0(_t140, _t139, 0, _t111, _t93,  *(_t111 + 0x14));
                                        						}
                                        						goto L12;
                                        					}
                                        				}
                                        			}































                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                        • API String ID: 0-1334570610
                                        • Opcode ID: 4b23acfb07c71fbb062acfcf08f00f37bd6c8c445bd5fd5134397a2cee57466b
                                        • Instruction ID: 6042d5601a79bb971b9eff710753697e2ada9c3e60dfea9785d8f0e11434b3a5
                                        • Opcode Fuzzy Hash: 4b23acfb07c71fbb062acfcf08f00f37bd6c8c445bd5fd5134397a2cee57466b
                                        • Instruction Fuzzy Hash: E661B270600241DFEB29DF28CC85B6ABBE6FF44314F19856DE8498B346D770E892CB95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 98%
                                        			E01637E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                        				char _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				char _v24;
                                        				signed int _t73;
                                        				void* _t77;
                                        				char* _t82;
                                        				char* _t87;
                                        				signed char* _t97;
                                        				signed char _t102;
                                        				intOrPtr _t107;
                                        				signed char* _t108;
                                        				intOrPtr _t112;
                                        				intOrPtr _t124;
                                        				intOrPtr _t125;
                                        				intOrPtr _t126;
                                        
                                        				_t107 = __edx;
                                        				_v12 = __ecx;
                                        				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                        				_t124 = 0;
                                        				_v20 = __edx;
                                        				if(E0163CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                        					_t112 = _v8;
                                        				} else {
                                        					_t112 = 0;
                                        					_v8 = 0;
                                        				}
                                        				if(_t112 != 0) {
                                        					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                        						_t124 = 0xc000007b;
                                        						goto L8;
                                        					}
                                        					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                        					 *(_t125 + 0x34) = _t73;
                                        					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                        						goto L3;
                                        					}
                                        					 *(_t125 + 0x34) = _t73 | 0x01000000;
                                        					_t124 = E0162C9A4( *((intOrPtr*)(_t125 + 0x18)));
                                        					if(_t124 < 0) {
                                        						goto L8;
                                        					} else {
                                        						goto L3;
                                        					}
                                        				} else {
                                        					L3:
                                        					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                        						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                        						L8:
                                        						return _t124;
                                        					}
                                        					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                        						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                        							goto L5;
                                        						}
                                        						_t102 =  *0x1715780; // 0x0
                                        						if((_t102 & 0x00000003) != 0) {
                                        							E016A5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                        							_t102 =  *0x1715780; // 0x0
                                        						}
                                        						if((_t102 & 0x00000010) != 0) {
                                        							asm("int3");
                                        						}
                                        						_t124 = 0xc0000428;
                                        						goto L8;
                                        					}
                                        					L5:
                                        					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                                        						goto L8;
                                        					}
                                        					_t77 = _a4 - 0x40000003;
                                        					if(_t77 == 0 || _t77 == 0x33) {
                                        						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                        						if(E01647D50() != 0) {
                                        							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                        						} else {
                                        							_t82 = 0x7ffe0384;
                                        						}
                                        						_t108 = 0x7ffe0385;
                                        						if( *_t82 != 0) {
                                        							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                        								if(E01647D50() == 0) {
                                        									_t97 = 0x7ffe0385;
                                        								} else {
                                        									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                        								}
                                        								if(( *_t97 & 0x00000020) != 0) {
                                        									E016A7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                        								}
                                        							}
                                        						}
                                        						if(_a4 != 0x40000003) {
                                        							L14:
                                        							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                        							if(E01647D50() != 0) {
                                        								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                        							} else {
                                        								_t87 = 0x7ffe0384;
                                        							}
                                        							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                        								if(E01647D50() != 0) {
                                        									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                        								}
                                        								if(( *_t108 & 0x00000020) != 0) {
                                        									E016A7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                        								}
                                        							}
                                        							goto L8;
                                        						} else {
                                        							_v16 = _t125 + 0x24;
                                        							_t124 = E0165A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                        							if(_t124 < 0) {
                                        								E0162B1E1(_t124, 0x1490, 0, _v16);
                                        								goto L8;
                                        							}
                                        							goto L14;
                                        						}
                                        					} else {
                                        						goto L8;
                                        					}
                                        				}
                                        			}





















                                        Strings
                                        • LdrpCompleteMapModule, xrefs: 01689898
                                        • minkernel\ntdll\ldrmap.c, xrefs: 016898A2
                                        • Could not validate the crypto signature for DLL %wZ, xrefs: 01689891
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                        • API String ID: 0-1676968949
                                        • Opcode ID: 90c536bfc4825e2e4964e89f0c7a41fc099487e8df42b888999c078a08a8c0ee
                                        • Instruction ID: 7b99ad89cdb24a8f306c764da529a9a409f493f13342ee7a4a52c6fb8a39bb84
                                        • Opcode Fuzzy Hash: 90c536bfc4825e2e4964e89f0c7a41fc099487e8df42b888999c078a08a8c0ee
                                        • Instruction Fuzzy Hash: 185102B2A04746DBEB26DB6CCD44B2A7BE5FB80314F040AA9E9519B7D1D730ED01CB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 64%
                                        			E016D23E3(signed int __ecx, unsigned int __edx) {
                                        				intOrPtr _v8;
                                        				intOrPtr _t42;
                                        				char _t43;
                                        				signed short _t44;
                                        				signed short _t48;
                                        				signed char _t51;
                                        				signed short _t52;
                                        				intOrPtr _t54;
                                        				signed short _t64;
                                        				signed short _t66;
                                        				intOrPtr _t69;
                                        				signed short _t73;
                                        				signed short _t76;
                                        				signed short _t77;
                                        				signed short _t79;
                                        				void* _t83;
                                        				signed int _t84;
                                        				signed int _t85;
                                        				signed char _t94;
                                        				unsigned int _t99;
                                        				unsigned int _t104;
                                        				signed int _t108;
                                        				void* _t110;
                                        				void* _t111;
                                        				unsigned int _t114;
                                        
                                        				_t84 = __ecx;
                                        				_push(__ecx);
                                        				_t114 = __edx;
                                        				_t42 =  *((intOrPtr*)(__edx + 7));
                                        				if(_t42 == 1) {
                                        					L49:
                                        					_t43 = 1;
                                        					L50:
                                        					return _t43;
                                        				}
                                        				if(_t42 != 4) {
                                        					if(_t42 >= 0) {
                                        						if( *(__ecx + 0x4c) == 0) {
                                        							_t44 =  *__edx & 0x0000ffff;
                                        						} else {
                                        							_t73 =  *__edx;
                                        							if(( *(__ecx + 0x4c) & _t73) != 0) {
                                        								_t73 = _t73 ^  *(__ecx + 0x50);
                                        							}
                                        							_t44 = _t73 & 0x0000ffff;
                                        						}
                                        					} else {
                                        						_t104 = __edx >> 0x00000003 ^  *__edx ^  *0x171874c ^ __ecx;
                                        						if(_t104 == 0) {
                                        							_t76 =  *((intOrPtr*)(__edx - (_t104 >> 0xd)));
                                        						} else {
                                        							_t76 = 0;
                                        						}
                                        						_t44 =  *((intOrPtr*)(_t76 + 0x14));
                                        					}
                                        					_t94 =  *((intOrPtr*)(_t114 + 7));
                                        					_t108 = _t44 & 0xffff;
                                        					if(_t94 != 5) {
                                        						if((_t94 & 0x00000040) == 0) {
                                        							if((_t94 & 0x0000003f) == 0x3f) {
                                        								if(_t94 >= 0) {
                                        									if( *(_t84 + 0x4c) == 0) {
                                        										_t48 =  *_t114 & 0x0000ffff;
                                        									} else {
                                        										_t66 =  *_t114;
                                        										if(( *(_t84 + 0x4c) & _t66) != 0) {
                                        											_t66 = _t66 ^  *(_t84 + 0x50);
                                        										}
                                        										_t48 = _t66 & 0x0000ffff;
                                        									}
                                        								} else {
                                        									_t99 = _t114 >> 0x00000003 ^  *_t114 ^  *0x171874c ^ _t84;
                                        									if(_t99 == 0) {
                                        										_t69 =  *((intOrPtr*)(_t114 - (_t99 >> 0xd)));
                                        									} else {
                                        										_t69 = 0;
                                        									}
                                        									_t48 =  *((intOrPtr*)(_t69 + 0x14));
                                        								}
                                        								_t85 =  *(_t114 + (_t48 & 0xffff) * 8 - 4);
                                        							} else {
                                        								_t85 = _t94 & 0x3f;
                                        							}
                                        						} else {
                                        							_t85 =  *(_t114 + 4 + (_t94 & 0x3f) * 8) & 0x0000ffff;
                                        						}
                                        					} else {
                                        						_t85 =  *(_t84 + 0x54) & 0x0000ffff ^  *(_t114 + 4) & 0x0000ffff;
                                        					}
                                        					_t110 = (_t108 << 3) - _t85;
                                        				} else {
                                        					if( *(__ecx + 0x4c) == 0) {
                                        						_t77 =  *__edx & 0x0000ffff;
                                        					} else {
                                        						_t79 =  *__edx;
                                        						if(( *(__ecx + 0x4c) & _t79) != 0) {
                                        							_t79 = _t79 ^  *(__ecx + 0x50);
                                        						}
                                        						_t77 = _t79 & 0x0000ffff;
                                        					}
                                        					_t110 =  *((intOrPtr*)(_t114 - 8)) - (_t77 & 0x0000ffff);
                                        				}
                                        				_t51 =  *((intOrPtr*)(_t114 + 7));
                                        				if(_t51 != 5) {
                                        					if((_t51 & 0x00000040) == 0) {
                                        						_t52 = 0;
                                        						goto L42;
                                        					}
                                        					_t64 = _t51 & 0x3f;
                                        					goto L38;
                                        				} else {
                                        					_t64 =  *(_t114 + 6) & 0x000000ff;
                                        					L38:
                                        					_t52 = _t64 << 0x00000003 & 0x0000ffff;
                                        					L42:
                                        					_t35 = _t114 + 8; // -16
                                        					_t111 = _t110 + (_t52 & 0x0000ffff);
                                        					_t83 = _t35 + _t111;
                                        					_t54 = E0167D4F0(_t83, 0x1606c58, 8);
                                        					_v8 = _t54;
                                        					if(_t54 == 8) {
                                        						goto L49;
                                        					}
                                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        						_push("HEAP: ");
                                        						E0162B150();
                                        					} else {
                                        						E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        					}
                                        					_push(_t111);
                                        					_push(_v8 + _t83);
                                        					E0162B150("Heap block at %p modified at %p past requested size of %Ix\n", _t114);
                                        					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                        						 *0x1716378 = 1;
                                        						asm("int3");
                                        						 *0x1716378 = 0;
                                        					}
                                        					_t43 = 0;
                                        					goto L50;
                                        				}
                                        			}


                                        Strings
                                        • Heap block at %p modified at %p past requested size of %Ix, xrefs: 016D256F
                                        • HEAP: , xrefs: 016D255C
                                        • HEAP[%wZ]: , xrefs: 016D254F
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                                        • API String ID: 0-3815128232
                                        • Opcode ID: dfbfbc1ac80459bb9f092a2cba36dfaf4ef255307949cba428a9fe2f65f6c8b9
                                        • Instruction ID: ebec3ea87910d809e6f3bcdc52a1e6736063465e59eb73d53716fb7e1b85440b
                                        • Opcode Fuzzy Hash: dfbfbc1ac80459bb9f092a2cba36dfaf4ef255307949cba428a9fe2f65f6c8b9
                                        • Instruction Fuzzy Hash: 0C5103349012608AE375CF2ECC68B727BF1EB48645F55889DECC28B285D776D887DB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 93%
                                        			E0162E620(void* __ecx, short* __edx, short* _a4) {
                                        				char _v16;
                                        				char _v20;
                                        				intOrPtr _v24;
                                        				char* _v28;
                                        				char _v32;
                                        				char _v36;
                                        				char _v44;
                                        				signed int _v48;
                                        				intOrPtr _v52;
                                        				void* _v56;
                                        				void* _v60;
                                        				char _v64;
                                        				void* _v68;
                                        				void* _v76;
                                        				void* _v84;
                                        				signed int _t59;
                                        				signed int _t74;
                                        				signed short* _t75;
                                        				signed int _t76;
                                        				signed short* _t78;
                                        				signed int _t83;
                                        				short* _t93;
                                        				signed short* _t94;
                                        				short* _t96;
                                        				void* _t97;
                                        				signed int _t99;
                                        				void* _t101;
                                        				void* _t102;
                                        
                                        				_t80 = __ecx;
                                        				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                        				_t96 = __edx;
                                        				_v44 = __edx;
                                        				_t78 = 0;
                                        				_v56 = 0;
                                        				if(__ecx == 0 || __edx == 0) {
                                        					L28:
                                        					_t97 = 0xc000000d;
                                        				} else {
                                        					_t93 = _a4;
                                        					if(_t93 == 0) {
                                        						goto L28;
                                        					}
                                        					_t78 = E0162F358(__ecx, 0xac);
                                        					if(_t78 == 0) {
                                        						_t97 = 0xc0000017;
                                        						L6:
                                        						if(_v56 != 0) {
                                        							_push(_v56);
                                        							E016695D0();
                                        						}
                                        						if(_t78 != 0) {
                                        							L016477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                        						}
                                        						return _t97;
                                        					}
                                        					E0166FA60(_t78, 0, 0x158);
                                        					_v48 = _v48 & 0x00000000;
                                        					_t102 = _t101 + 0xc;
                                        					 *_t96 = 0;
                                        					 *_t93 = 0;
                                        					E0166BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                        					_v36 = 0x18;
                                        					_v28 =  &_v44;
                                        					_v64 = 0;
                                        					_push( &_v36);
                                        					_push(0x20019);
                                        					_v32 = 0;
                                        					_push( &_v64);
                                        					_v24 = 0x40;
                                        					_v20 = 0;
                                        					_v16 = 0;
                                        					_t97 = E01669600();
                                        					if(_t97 < 0) {
                                        						goto L6;
                                        					}
                                        					E0166BB40(0,  &_v36, L"InstallLanguageFallback");
                                        					_push(0);
                                        					_v48 = 4;
                                        					_t97 = L0162F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                        					if(_t97 >= 0) {
                                        						if(_v52 != 1) {
                                        							L17:
                                        							_t97 = 0xc0000001;
                                        							goto L6;
                                        						}
                                        						_t59 =  *_t78 & 0x0000ffff;
                                        						_t94 = _t78;
                                        						_t83 = _t59;
                                        						if(_t59 == 0) {
                                        							L19:
                                        							if(_t83 == 0) {
                                        								L23:
                                        								E0166BB40(_t83, _t102 + 0x24, _t78);
                                        								if(L016343C0( &_v48,  &_v64) == 0) {
                                        									goto L17;
                                        								}
                                        								_t84 = _v48;
                                        								 *_v48 = _v56;
                                        								if( *_t94 != 0) {
                                        									E0166BB40(_t84, _t102 + 0x24, _t94);
                                        									if(L016343C0( &_v48,  &_v64) != 0) {
                                        										 *_a4 = _v56;
                                        									} else {
                                        										_t97 = 0xc0000001;
                                        										 *_v48 = 0;
                                        									}
                                        								}
                                        								goto L6;
                                        							}
                                        							_t83 = _t83 & 0x0000ffff;
                                        							while(_t83 == 0x20) {
                                        								_t94 =  &(_t94[1]);
                                        								_t74 =  *_t94 & 0x0000ffff;
                                        								_t83 = _t74;
                                        								if(_t74 != 0) {
                                        									continue;
                                        								}
                                        								goto L23;
                                        							}
                                        							goto L23;
                                        						} else {
                                        							goto L14;
                                        						}
                                        						while(1) {
                                        							L14:
                                        							_t27 =  &(_t94[1]); // 0x2
                                        							_t75 = _t27;
                                        							if(_t83 == 0x2c) {
                                        								break;
                                        							}
                                        							_t94 = _t75;
                                        							_t76 =  *_t94 & 0x0000ffff;
                                        							_t83 = _t76;
                                        							if(_t76 != 0) {
                                        								continue;
                                        							}
                                        							goto L23;
                                        						}
                                        						 *_t94 = 0;
                                        						_t94 = _t75;
                                        						_t83 =  *_t75 & 0x0000ffff;
                                        						goto L19;
                                        					}
                                        				}
                                        			}

                                        0x00000000
                                        0x00000000
                                        0x01685450
                                        0x01685452
                                        0x01685455
                                        0x0168545a
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0168545c
                                        0x0168546a
                                        0x0168546d
                                        0x0168546f
                                        0x00000000
                                        0x0168546f
                                        0x0162e70f

                                        Strings
                                        • InstallLanguageFallback, xrefs: 0162E6DB
                                        • @, xrefs: 0162E6C0
                                        • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0162E68C
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                        • API String ID: 0-1757540487
                                        • Opcode ID: 6926b86c86b67588c578c202c68cd819c1853080fe98d5058a1a97f905eacf44
                                        • Instruction ID: 1ca0ffe770921a8ea183744744c34b990a89ae19c6b0f32f754d06765d11b189
                                        • Opcode Fuzzy Hash: 6926b86c86b67588c578c202c68cd819c1853080fe98d5058a1a97f905eacf44
                                        • Instruction Fuzzy Hash: F251C1726053169BD710EF68C850A7BB3E9AF98714F040A6EF986D7340EB35D904CBA6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 75%
                                        			E0164EB9A(intOrPtr __ecx, intOrPtr* __edx) {
                                        				intOrPtr _v8;
                                        				intOrPtr _v12;
                                        				signed int _v16;
                                        				signed int _v20;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				void* _t62;
                                        				signed int _t63;
                                        				intOrPtr _t64;
                                        				signed int _t65;
                                        				intOrPtr _t77;
                                        				signed int* _t91;
                                        				intOrPtr _t92;
                                        				signed int _t95;
                                        				signed char _t109;
                                        				signed int _t114;
                                        				unsigned int _t119;
                                        				intOrPtr* _t122;
                                        				intOrPtr _t127;
                                        				signed int _t130;
                                        				void* _t135;
                                        
                                        				_t92 = __ecx;
                                        				_t122 = __edx;
                                        				_v8 = __ecx;
                                        				 *((intOrPtr*)(__ecx + 0xb4)) = __edx;
                                        				if( *__edx != 0) {
                                        					_t95 =  *((intOrPtr*)(__edx + 4)) -  *((intOrPtr*)(__edx + 0x14)) - 1;
                                        					__eflags =  *(__edx + 8);
                                        					if(__eflags != 0) {
                                        						_t95 = _t95 + _t95;
                                        					}
                                        					 *( *((intOrPtr*)(_t122 + 0x20)) + _t95 * 4) =  *( *((intOrPtr*)(_t122 + 0x20)) + _t95 * 4) & 0x00000000;
                                        					asm("btr eax, esi");
                                        					_t92 = _v8;
                                        				}
                                        				_t62 = _t92 + 0xc0;
                                        				_t127 =  *((intOrPtr*)(_t62 + 4));
                                        				while(1) {
                                        					L2:
                                        					_v12 = _t127;
                                        					if(_t62 == _t127) {
                                        						break;
                                        					}
                                        					_t7 = _t127 - 8; // -8
                                        					_t91 = _t7;
                                        					if( *((intOrPtr*)(_t92 + 0x4c)) != 0) {
                                        						_t119 =  *(_t92 + 0x50) ^  *_t91;
                                        						 *_t91 = _t119;
                                        						_t109 = _t119 >> 0x00000010 ^ _t119 >> 0x00000008 ^ _t119;
                                        						if(_t119 >> 0x18 != _t109) {
                                        							_push(_t109);
                                        							E016DFA2B(_t91, _v8, _t91, _t122, _t127, __eflags);
                                        						}
                                        						_t92 = _v8;
                                        					}
                                        					_t114 =  *_t91 & 0x0000ffff;
                                        					_t63 = _t122;
                                        					_t135 = _t114 -  *((intOrPtr*)(_t122 + 4));
                                        					while(1) {
                                        						_v20 = _t63;
                                        						if(_t135 < 0) {
                                        							break;
                                        						}
                                        						_t130 =  *_t63;
                                        						_v16 = _t130;
                                        						_t127 = _v12;
                                        						if(_t130 != 0) {
                                        							_t63 = _v16;
                                        							__eflags = _t114 -  *((intOrPtr*)(_t63 + 4));
                                        							continue;
                                        						}
                                        						_v16 =  *((intOrPtr*)(_t63 + 4)) - 1;
                                        						L10:
                                        						if( *_t122 != 0) {
                                        							_t64 =  *((intOrPtr*)(_t122 + 4));
                                        							__eflags = _t114 - _t64;
                                        							_t65 = _t64 - 1;
                                        							__eflags = _t65;
                                        							if(_t65 < 0) {
                                        								_t65 = _t114;
                                        							}
                                        							E0164BC04(_t92, _t122, 1, _t127, _t65, _t114);
                                        						}
                                        						E0164E4A0(_v8, _v20, 1, _t127, _v16,  *_t91 & 0x0000ffff);
                                        						if( *0x1718748 >= 1) {
                                        							__eflags =  *( *((intOrPtr*)(_v20 + 0x1c)) + (_v16 -  *((intOrPtr*)(_v20 + 0x14)) >> 5) * 4) & 1 << (_v16 -  *((intOrPtr*)(_v20 + 0x14)) & 0x0000001f);
                                        							if(__eflags == 0) {
                                        								_t77 =  *[fs:0x30];
                                        								__eflags =  *(_t77 + 0xc);
                                        								if( *(_t77 + 0xc) == 0) {
                                        									_push("HEAP: ");
                                        									E0162B150();
                                        								} else {
                                        									E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        								}
                                        								_push("RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))");
                                        								E0162B150();
                                        								__eflags =  *0x1717bc8;
                                        								if(__eflags == 0) {
                                        									__eflags = 1;
                                        									E016E2073(_t91, 1, _t122, 1);
                                        								}
                                        							}
                                        							_t127 = _v12;
                                        						}
                                        						_t92 = _v8;
                                        						if( *((intOrPtr*)(_t92 + 0x4c)) != 0) {
                                        							_t91[0] = _t91[0] ^ _t91[0] ^  *_t91;
                                        							 *_t91 =  *_t91 ^  *(_t92 + 0x50);
                                        						}
                                        						_t127 =  *((intOrPtr*)(_t127 + 4));
                                        						_t62 = _t92 + 0xc0;
                                        						goto L2;
                                        					}
                                        					_v16 = _t114;
                                        					goto L10;
                                        				}
                                        				return _t62;
                                        			}

                                        Strings
                                        • HEAP: , xrefs: 016942AF
                                        • HEAP[%wZ]: , xrefs: 016942A2
                                        • RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex)), xrefs: 016942BA
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: HEAP: $HEAP[%wZ]: $RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))
                                        • API String ID: 0-1596344177
                                        • Opcode ID: 741a8d3989a325dc3f1e5aebda194031c2a6d7104ef45a2dff3d7f4dc6a1f20e
                                        • Instruction ID: 3fe3aaa01ea680bd064d0c26d8e8ad678570fed1748a9ddbd40cc4d7f6548299
                                        • Opcode Fuzzy Hash: 741a8d3989a325dc3f1e5aebda194031c2a6d7104ef45a2dff3d7f4dc6a1f20e
                                        • Instruction Fuzzy Hash: E551DE31A00525EFCB18DF58C984B6ABBB6FF85314F2581A9E8159B342D736AC42CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 60%
                                        			E0164B8E4(unsigned int __edx) {
                                        				void* __ecx;
                                        				void* __edi;
                                        				intOrPtr* _t16;
                                        				intOrPtr _t18;
                                        				void* _t27;
                                        				void* _t28;
                                        				unsigned int _t30;
                                        				intOrPtr* _t31;
                                        				unsigned int _t38;
                                        				void* _t39;
                                        				unsigned int _t40;
                                        
                                        				_t40 = __edx;
                                        				_t39 = _t28;
                                        				if( *0x1718748 >= 1) {
                                        					__eflags = (__edx + 0x00000fff & 0xfffff000) - __edx;
                                        					if((__edx + 0x00000fff & 0xfffff000) != __edx) {
                                        						_t18 =  *[fs:0x30];
                                        						__eflags =  *(_t18 + 0xc);
                                        						if( *(_t18 + 0xc) == 0) {
                                        							_push("HEAP: ");
                                        							E0162B150();
                                        						} else {
                                        							E0162B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        						}
                                        						_push("(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)");
                                        						E0162B150();
                                        						__eflags =  *0x1717bc8;
                                        						if(__eflags == 0) {
                                        							E016E2073(_t27, 1, _t39, __eflags);
                                        						}
                                        					}
                                        				}
                                        				_t38 =  *(_t39 + 0xb8);
                                        				if(_t38 != 0) {
                                        					_t13 = _t40 >> 0xc;
                                        					__eflags = _t13;
                                        					while(1) {
                                        						__eflags = _t13 -  *((intOrPtr*)(_t38 + 4));
                                        						if(_t13 <  *((intOrPtr*)(_t38 + 4))) {
                                        							break;
                                        						}
                                        						_t30 =  *_t38;
                                        						__eflags = _t30;
                                        						if(_t30 != 0) {
                                        							_t38 = _t30;
                                        							continue;
                                        						}
                                        						_t13 =  *((intOrPtr*)(_t38 + 4)) - 1;
                                        						__eflags =  *((intOrPtr*)(_t38 + 4)) - 1;
                                        						break;
                                        					}
                                        					return E0164AB40(_t39, _t38, 0, _t13, _t40);
                                        				} else {
                                        					_t31 = _t39 + 0x8c;
                                        					_t16 =  *_t31;
                                        					while(_t31 != _t16) {
                                        						__eflags =  *((intOrPtr*)(_t16 + 0x14)) - _t40;
                                        						if( *((intOrPtr*)(_t16 + 0x14)) >= _t40) {
                                        							return _t16;
                                        						}
                                        						_t16 =  *_t16;
                                        					}
                                        					return _t31;
                                        				}
                                        			}

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                        • API String ID: 0-2558761708
                                        • Opcode ID: 5c8df625c62305eaab131ae0e41cbff6e552fd583a1b46c75b5adc4358f1460b
                                        • Instruction ID: 1c19a30d87cdb88cf0e422622f0380a4a9138c0db6e9af1084dd03b81237c4fb
                                        • Opcode Fuzzy Hash: 5c8df625c62305eaab131ae0e41cbff6e552fd583a1b46c75b5adc4358f1460b
                                        • Instruction Fuzzy Hash: 7C11E2353055029FEB2DDB19CC94B36B7AAEF41621F29812DE40BCB381D730D881CB49
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 60%
                                        			E016EE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                                        				signed int _v20;
                                        				char _v24;
                                        				signed int _v40;
                                        				char _v44;
                                        				intOrPtr _v48;
                                        				signed int _v52;
                                        				unsigned int _v56;
                                        				char _v60;
                                        				signed int _v64;
                                        				char _v68;
                                        				signed int _v72;
                                        				void* __ebx;
                                        				void* __edi;
                                        				char _t87;
                                        				signed int _t90;
                                        				signed int _t94;
                                        				signed int _t100;
                                        				intOrPtr* _t113;
                                        				signed int _t122;
                                        				void* _t132;
                                        				void* _t135;
                                        				signed int _t139;
                                        				signed int* _t141;
                                        				signed int _t146;
                                        				signed int _t147;
                                        				void* _t153;
                                        				signed int _t155;
                                        				signed int _t159;
                                        				char _t166;
                                        				void* _t172;
                                        				void* _t176;
                                        				signed int _t177;
                                        				intOrPtr* _t179;
                                        
                                        				_t179 = __ecx;
                                        				_v48 = __edx;
                                        				_v68 = 0;
                                        				_v72 = 0;
                                        				_push(__ecx[1]);
                                        				_push( *__ecx);
                                        				_push(0);
                                        				_t153 = 0x14;
                                        				_t135 = _t153;
                                        				_t132 = E016EBBBB(_t135, _t153);
                                        				if(_t132 == 0) {
                                        					_t166 = _v68;
                                        					goto L43;
                                        				} else {
                                        					_t155 = 0;
                                        					_v52 = 0;
                                        					asm("stosd");
                                        					asm("stosd");
                                        					asm("stosd");
                                        					asm("stosd");
                                        					asm("stosd");
                                        					_v56 = __ecx[1];
                                        					if( *__ecx >> 8 < 2) {
                                        						_t155 = 1;
                                        						_v52 = 1;
                                        					}
                                        					_t139 = _a4;
                                        					_t87 = (_t155 << 0xc) + _t139;
                                        					_v60 = _t87;
                                        					if(_t87 < _t139) {
                                        						L11:
                                        						_t166 = _v68;
                                        						L12:
                                        						if(_t132 != 0) {
                                        							E016EBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                                        						}
                                        						L43:
                                        						if(_v72 != 0) {
                                        							_push( *((intOrPtr*)(_t179 + 4)));
                                        							_push( *_t179);
                                        							_push(0x8000);
                                        							E016EAFDE( &_v72,  &_v60);
                                        						}
                                        						L46:
                                        						return _t166;
                                        					}
                                        					_t90 =  *(_t179 + 0xc) & 0x40000000;
                                        					asm("sbb edi, edi");
                                        					_t172 = ( ~_t90 & 0x0000003c) + 4;
                                        					if(_t90 != 0) {
                                        						_push(0);
                                        						_push(0x14);
                                        						_push( &_v44);
                                        						_push(3);
                                        						_push(_t179);
                                        						_push(0xffffffff);
                                        						if(E01669730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                                        							_push(_t139);
                                        							E016EA80D(_t179, 1, _v40, 0);
                                        							_t172 = 4;
                                        						}
                                        					}
                                        					_t141 =  &_v72;
                                        					if(E016EA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                                        						_v64 = _a4;
                                        						_t94 =  *(_t179 + 0xc) & 0x40000000;
                                        						asm("sbb edi, edi");
                                        						_t176 = ( ~_t94 & 0x0000003c) + 4;
                                        						if(_t94 != 0) {
                                        							_push(0);
                                        							_push(0x14);
                                        							_push( &_v24);
                                        							_push(3);
                                        							_push(_t179);
                                        							_push(0xffffffff);
                                        							if(E01669730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                                        								_push(_t141);
                                        								E016EA80D(_t179, 1, _v20, 0);
                                        								_t176 = 4;
                                        							}
                                        						}
                                        						if(E016EA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                                        							goto L11;
                                        						} else {
                                        							_t177 = _v64;
                                        							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                                        							_t100 = _v52 + _v52;
                                        							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                                        							 *(_t132 + 0x10) = _t146;
                                        							asm("bsf eax, [esp+0x18]");
                                        							_v52 = _t100;
                                        							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                                        							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                                        							_t47 =  &_a8;
                                        							 *_t47 = _a8 & 0x00000001;
                                        							if( *_t47 == 0) {
                                        								E01642280(_t179 + 0x30, _t179 + 0x30);
                                        							}
                                        							_t147 =  *(_t179 + 0x34);
                                        							_t159 =  *(_t179 + 0x38) & 1;
                                        							_v68 = 0;
                                        							if(_t147 == 0) {
                                        								L35:
                                        								E0163B090(_t179 + 0x34, _t147, _v68, _t132);
                                        								if(_a8 == 0) {
                                        									E0163FFB0(_t132, _t177, _t179 + 0x30);
                                        								}
                                        								asm("lock xadd [eax], ecx");
                                        								asm("lock xadd [eax], edx");
                                        								_t132 = 0;
                                        								_v72 = _v72 & 0;
                                        								_v68 = _v72;
                                        								if(E01647D50() == 0) {
                                        									_t113 = 0x7ffe0388;
                                        								} else {
                                        									_t177 = _v64;
                                        									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                        								}
                                        								if( *_t113 == _t132) {
                                        									_t166 = _v68;
                                        									goto L46;
                                        								} else {
                                        									_t166 = _v68;
                                        									E016DFEC0(_t132, _t179, _t166, _t177 + 0x1000);
                                        									goto L12;
                                        								}
                                        							} else {
                                        								L23:
                                        								while(1) {
                                        									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                                        										_t122 =  *_t147;
                                        										if(_t159 == 0) {
                                        											L32:
                                        											if(_t122 == 0) {
                                        												L34:
                                        												_v68 = 0;
                                        												goto L35;
                                        											}
                                        											L33:
                                        											_t147 = _t122;
                                        											continue;
                                        										}
                                        										if(_t122 == 0) {
                                        											goto L34;
                                        										}
                                        										_t122 = _t122 ^ _t147;
                                        										goto L32;
                                        									}
                                        									_t122 =  *(_t147 + 4);
                                        									if(_t159 == 0) {
                                        										L27:
                                        										if(_t122 != 0) {
                                        											goto L33;
                                        										}
                                        										L28:
                                        										_v68 = 1;
                                        										goto L35;
                                        									}
                                        									if(_t122 == 0) {
                                        										goto L28;
                                        									}
                                        									_t122 = _t122 ^ _t147;
                                        									goto L27;
                                        								}
                                        							}
                                        						}
                                        					}
                                        					_v72 = _v72 & 0x00000000;
                                        					goto L11;
                                        				}
                                        			}

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: `$`
                                        • API String ID: 0-197956300
                                        • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                        • Instruction ID: ab0ec8ac83e067ef5419767d180b486fc131d4215f4ae32044b96e766b239ba6
                                        • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                        • Instruction Fuzzy Hash: DF9192312053429FEB24CF69CC49B27BBE6AF84714F148A2DF695CB290E776E904CB51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 77%
                                        			E016A51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                        				signed short* _t63;
                                        				signed int _t64;
                                        				signed int _t65;
                                        				signed int _t67;
                                        				intOrPtr _t74;
                                        				intOrPtr _t84;
                                        				intOrPtr _t88;
                                        				intOrPtr _t94;
                                        				void* _t100;
                                        				void* _t103;
                                        				intOrPtr _t105;
                                        				signed int _t106;
                                        				short* _t108;
                                        				signed int _t110;
                                        				signed int _t113;
                                        				signed int* _t115;
                                        				signed short* _t117;
                                        				void* _t118;
                                        				void* _t119;
                                        
                                        				_push(0x80);
                                        				_push(0x17005f0);
                                        				E0167D0E8(__ebx, __edi, __esi);
                                        				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                                        				_t115 =  *(_t118 + 0xc);
                                        				 *(_t118 - 0x7c) = _t115;
                                        				 *((char*)(_t118 - 0x65)) = 0;
                                        				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                        				_t113 = 0;
                                        				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                                        				 *((intOrPtr*)(_t118 - 4)) = 0;
                                        				_t100 = __ecx;
                                        				if(_t100 == 0) {
                                        					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                        					E0163EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                        					 *((char*)(_t118 - 0x65)) = 1;
                                        					_t63 =  *(_t118 - 0x90);
                                        					_t101 = _t63[2];
                                        					_t64 =  *_t63 & 0x0000ffff;
                                        					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                        					L20:
                                        					_t65 = _t64 >> 1;
                                        					L21:
                                        					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                                        					if(_t108 == 0) {
                                        						L27:
                                        						 *_t115 = _t65 + 1;
                                        						_t67 = 0xc0000023;
                                        						L28:
                                        						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                                        						L29:
                                        						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                                        						E016A53CA(0);
                                        						return E0167D130(0, _t113, _t115);
                                        					}
                                        					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                                        						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                                        							 *_t108 = 0;
                                        						}
                                        						goto L27;
                                        					}
                                        					 *_t115 = _t65;
                                        					_t115 = _t65 + _t65;
                                        					E0166F3E0(_t108, _t101, _t115);
                                        					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                                        					_t67 = 0;
                                        					goto L28;
                                        				}
                                        				_t103 = _t100 - 1;
                                        				if(_t103 == 0) {
                                        					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                                        					_t74 = E01643690(1, _t117, 0x1601810, _t118 - 0x74);
                                        					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                                        					_t101 = _t117[2];
                                        					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                        					if(_t74 < 0) {
                                        						_t64 =  *_t117 & 0x0000ffff;
                                        						_t115 =  *(_t118 - 0x7c);
                                        						goto L20;
                                        					}
                                        					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                                        					_t115 =  *(_t118 - 0x7c);
                                        					goto L21;
                                        				}
                                        				if(_t103 == 1) {
                                        					_t105 = 4;
                                        					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                                        					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                                        					_push(_t118 - 0x70);
                                        					_push(0);
                                        					_push(0);
                                        					_push(_t105);
                                        					_push(_t118 - 0x78);
                                        					_push(0x6b);
                                        					 *((intOrPtr*)(_t118 - 0x64)) = E0166AA90();
                                        					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                        					_t113 = L01644620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                                        					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                                        					if(_t113 != 0) {
                                        						_push(_t118 - 0x70);
                                        						_push( *((intOrPtr*)(_t118 - 0x70)));
                                        						_push(_t113);
                                        						_push(4);
                                        						_push(_t118 - 0x78);
                                        						_push(0x6b);
                                        						_t84 = E0166AA90();
                                        						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                                        						if(_t84 < 0) {
                                        							goto L29;
                                        						}
                                        						_t110 = 0;
                                        						_t106 = 0;
                                        						while(1) {
                                        							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                                        							 *(_t118 - 0x88) = _t106;
                                        							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                                        								break;
                                        							}
                                        							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                                        							_t106 = _t106 + 1;
                                        						}
                                        						_t88 = E016A500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                                        						_t119 = _t119 + 0x1c;
                                        						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                                        						if(_t88 < 0) {
                                        							goto L29;
                                        						}
                                        						_t101 = _t118 - 0x3c;
                                        						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                                        						goto L21;
                                        					}
                                        					_t67 = 0xc0000017;
                                        					goto L28;
                                        				}
                                        				_push(0);
                                        				_push(0x20);
                                        				_push(_t118 - 0x60);
                                        				_push(0x5a);
                                        				_t94 = E01669860();
                                        				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                                        				if(_t94 < 0) {
                                        					goto L29;
                                        				}
                                        				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                                        					_t101 = L"Legacy";
                                        					_push(6);
                                        				} else {
                                        					_t101 = L"UEFI";
                                        					_push(4);
                                        				}
                                        				_pop(_t65);
                                        				goto L21;
                                        			}
                                        0x016a52e1
                                        0x00000000
                                        0x00000000
                                        0x016a52e7
                                        0x016a52f4
                                        0x00000000
                                        0x016a52f4
                                        0x016a5270
                                        0x00000000
                                        0x016a5270
                                        0x016a51fc
                                        0x016a51fd
                                        0x016a5202
                                        0x016a5203
                                        0x016a5205
                                        0x016a520a
                                        0x016a520f
                                        0x00000000
                                        0x00000000
                                        0x016a521b
                                        0x016a5226
                                        0x016a522b
                                        0x016a521d
                                        0x016a521d
                                        0x016a5222
                                        0x016a5222
                                        0x016a522d
                                        0x00000000

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: Legacy$UEFI
                                        • API String ID: 2994545307-634100481
                                        • Opcode ID: 39fc742b8cfa7d8ca342d030cd5787d090356ba5db6685da7b16ead7f8a85346
                                        • Instruction ID: 35405bca14efc40fca0285ba933405ccaf63f407cfbe37c2476a9a178db48fb3
                                        • Opcode Fuzzy Hash: 39fc742b8cfa7d8ca342d030cd5787d090356ba5db6685da7b16ead7f8a85346
                                        • Instruction Fuzzy Hash: F0516D71A006099FDB25DFA8CC40AAEBBF9BF88700F54406DE60AEB251E7719D01CF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 78%
                                        			E0162B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                                        				signed int _t65;
                                        				signed short _t69;
                                        				intOrPtr _t70;
                                        				signed short _t85;
                                        				void* _t86;
                                        				signed short _t89;
                                        				signed short _t91;
                                        				intOrPtr _t92;
                                        				intOrPtr _t97;
                                        				intOrPtr* _t98;
                                        				signed short _t99;
                                        				signed short _t101;
                                        				void* _t102;
                                        				char* _t103;
                                        				signed short _t104;
                                        				intOrPtr* _t110;
                                        				void* _t111;
                                        				void* _t114;
                                        				intOrPtr* _t115;
                                        
                                        				_t109 = __esi;
                                        				_t108 = __edi;
                                        				_t106 = __edx;
                                        				_t95 = __ebx;
                                        				_push(0x90);
                                        				_push(0x16ff7a8);
                                        				E0167D0E8(__ebx, __edi, __esi);
                                        				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                                        				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                                        				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                                        				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                                        				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                                        				if(__edx == 0xffffffff) {
                                        					L6:
                                        					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                                        					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                                        					__eflags = _t65 & 0x00000002;
                                        					if((_t65 & 0x00000002) != 0) {
                                        						L3:
                                        						L4:
                                        						return E0167D130(_t95, _t108, _t109);
                                        					}
                                        					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                                        					_t108 = 0;
                                        					_t109 = 0;
                                        					_t95 = 0;
                                        					__eflags = 0;
                                        					while(1) {
                                        						__eflags = _t95 - 0x200;
                                        						if(_t95 >= 0x200) {
                                        							break;
                                        						}
                                        						E0166D000(0x80);
                                        						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                                        						_t108 = _t115;
                                        						_t95 = _t95 - 0xffffff80;
                                        						_t17 = _t114 - 4;
                                        						 *_t17 =  *(_t114 - 4) & 0x00000000;
                                        						__eflags =  *_t17;
                                        						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                                        						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                                        						_t102 = _t110 + 1;
                                        						do {
                                        							_t85 =  *_t110;
                                        							_t110 = _t110 + 1;
                                        							__eflags = _t85;
                                        						} while (_t85 != 0);
                                        						_t111 = _t110 - _t102;
                                        						_t21 = _t95 - 1; // -129
                                        						_t86 = _t21;
                                        						__eflags = _t111 - _t86;
                                        						if(_t111 > _t86) {
                                        							_t111 = _t86;
                                        						}
                                        						E0166F3E0(_t108, _t106, _t111);
                                        						_t115 = _t115 + 0xc;
                                        						_t103 = _t111 + _t108;
                                        						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                                        						_t89 = _t95 - _t111;
                                        						__eflags = _t89;
                                        						_push(0);
                                        						if(_t89 == 0) {
                                        							L15:
                                        							_t109 = 0xc000000d;
                                        							goto L16;
                                        						} else {
                                        							__eflags = _t89 - 0x7fffffff;
                                        							if(_t89 <= 0x7fffffff) {
                                        								L16:
                                        								 *(_t114 - 0x94) = _t109;
                                        								__eflags = _t109;
                                        								if(_t109 < 0) {
                                        									__eflags = _t89;
                                        									if(_t89 != 0) {
                                        										 *_t103 = 0;
                                        									}
                                        									L26:
                                        									 *(_t114 - 0xa0) = _t109;
                                        									 *(_t114 - 4) = 0xfffffffe;
                                        									__eflags = _t109;
                                        									if(_t109 >= 0) {
                                        										L31:
                                        										_t98 = _t108;
                                        										_t39 = _t98 + 1; // 0x1
                                        										_t106 = _t39;
                                        										do {
                                        											_t69 =  *_t98;
                                        											_t98 = _t98 + 1;
                                        											__eflags = _t69;
                                        										} while (_t69 != 0);
                                        										_t99 = _t98 - _t106;
                                        										__eflags = _t99;
                                        										L34:
                                        										_t70 =  *[fs:0x30];
                                        										__eflags =  *((char*)(_t70 + 2));
                                        										if( *((char*)(_t70 + 2)) != 0) {
                                        											L40:
                                        											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                                        											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                                        											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                                        											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                                        											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                                        											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                                        											 *(_t114 - 4) = 1;
                                        											_push(_t114 - 0x74);
                                        											L0167DEF0(_t99, _t106);
                                        											 *(_t114 - 4) = 0xfffffffe;
                                        											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                        											goto L3;
                                        										}
                                        										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                                        										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                                        											goto L40;
                                        										}
                                        										_push( *((intOrPtr*)(_t114 + 8)));
                                        										_push( *((intOrPtr*)(_t114 - 0x9c)));
                                        										_push(_t99 & 0x0000ffff);
                                        										_push(_t108);
                                        										_push(1);
                                        										_t101 = E0166B280();
                                        										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                                        										if( *((char*)(_t114 + 0x14)) == 1) {
                                        											__eflags = _t101 - 0x80000003;
                                        											if(_t101 == 0x80000003) {
                                        												E0166B7E0(1);
                                        												_t101 = 0;
                                        												__eflags = 0;
                                        											}
                                        										}
                                        										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                        										goto L4;
                                        									}
                                        									__eflags = _t109 - 0x80000005;
                                        									if(_t109 == 0x80000005) {
                                        										continue;
                                        									}
                                        									break;
                                        								}
                                        								 *(_t114 - 0x90) = 0;
                                        								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                                        								_t91 = E0166E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                                        								_t115 = _t115 + 0x10;
                                        								_t104 = _t91;
                                        								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                                        								__eflags = _t104;
                                        								if(_t104 < 0) {
                                        									L21:
                                        									_t109 = 0x80000005;
                                        									 *(_t114 - 0x90) = 0x80000005;
                                        									L22:
                                        									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                                        									L23:
                                        									 *(_t114 - 0x94) = _t109;
                                        									goto L26;
                                        								}
                                        								__eflags = _t104 - _t92;
                                        								if(__eflags > 0) {
                                        									goto L21;
                                        								}
                                        								if(__eflags == 0) {
                                        									goto L22;
                                        								}
                                        								goto L23;
                                        							}
                                        							goto L15;
                                        						}
                                        					}
                                        					__eflags = _t109;
                                        					if(_t109 >= 0) {
                                        						goto L31;
                                        					}
                                        					__eflags = _t109 - 0x80000005;
                                        					if(_t109 != 0x80000005) {
                                        						goto L31;
                                        					}
                                        					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                                        					_t38 = _t95 - 1; // -129
                                        					_t99 = _t38;
                                        					goto L34;
                                        				}
                                        				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                        					__eflags = __edx - 0x65;
                                        					if(__edx != 0x65) {
                                        						goto L2;
                                        					}
                                        					goto L6;
                                        				}
                                        				L2:
                                        				_push( *((intOrPtr*)(_t114 + 8)));
                                        				_push(_t106);
                                        				if(E0166A890() != 0) {
                                        					goto L6;
                                        				}
                                        				goto L3;
                                        			}























                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID: _vswprintf_s
                                        • String ID:
                                        • API String ID: 677850445-0
                                        • Opcode ID: a83c2ff30b5d141fc5b6349bc8294aae6a40a976bf7cbb982bdac26927e09299
                                        • Instruction ID: 8f74e3fa7af2f58e988d35bf9dcbcaa4d2c2fd370ead91ea9d8f653130d9295d
                                        • Opcode Fuzzy Hash: a83c2ff30b5d141fc5b6349bc8294aae6a40a976bf7cbb982bdac26927e09299
                                        • Instruction Fuzzy Hash: 7F51B371D1025A8ADF31EF68CC44BAEBBB1AF04710F1142ADD859AB382DB718945CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 76%
                                        			E0164B944(signed int* __ecx, char __edx) {
                                        				signed int _v8;
                                        				signed int _v16;
                                        				signed int _v20;
                                        				char _v28;
                                        				signed int _v32;
                                        				char _v36;
                                        				signed int _v40;
                                        				intOrPtr _v44;
                                        				signed int* _v48;
                                        				signed int _v52;
                                        				signed int _v56;
                                        				intOrPtr _v60;
                                        				intOrPtr _v64;
                                        				intOrPtr _v68;
                                        				intOrPtr _v72;
                                        				intOrPtr _v76;
                                        				char _v77;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				intOrPtr* _t65;
                                        				intOrPtr _t67;
                                        				intOrPtr _t68;
                                        				char* _t73;
                                        				intOrPtr _t77;
                                        				intOrPtr _t78;
                                        				signed int _t82;
                                        				intOrPtr _t83;
                                        				void* _t87;
                                        				char _t88;
                                        				intOrPtr* _t89;
                                        				intOrPtr _t91;
                                        				void* _t97;
                                        				intOrPtr _t100;
                                        				void* _t102;
                                        				void* _t107;
                                        				signed int _t108;
                                        				intOrPtr* _t112;
                                        				void* _t113;
                                        				intOrPtr* _t114;
                                        				intOrPtr _t115;
                                        				intOrPtr _t116;
                                        				intOrPtr _t117;
                                        				signed int _t118;
                                        				void* _t130;
                                        
                                        				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                                        				_v8 =  *0x171d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                                        				_t112 = __ecx;
                                        				_v77 = __edx;
                                        				_v48 = __ecx;
                                        				_v28 = 0;
                                        				_t5 = _t112 + 0xc; // 0x575651ff
                                        				_t105 =  *_t5;
                                        				_v20 = 0;
                                        				_v16 = 0;
                                        				if(_t105 == 0) {
                                        					_t50 = _t112 + 4; // 0x5de58b5b
                                        					_t60 =  *__ecx |  *_t50;
                                        					if(( *__ecx |  *_t50) != 0) {
                                        						 *__ecx = 0;
                                        						__ecx[1] = 0;
                                        						if(E01647D50() != 0) {
                                        							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        						} else {
                                        							_t65 = 0x7ffe0386;
                                        						}
                                        						if( *_t65 != 0) {
                                        							E016F8CD6(_t112);
                                        						}
                                        						_push(0);
                                        						_t52 = _t112 + 0x10; // 0x778df98b
                                        						_push( *_t52);
                                        						_t60 = E01669E20();
                                        					}
                                        					L20:
                                        					_pop(_t107);
                                        					_pop(_t113);
                                        					_pop(_t87);
                                        					return E0166B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                                        				}
                                        				_t8 = _t112 + 8; // 0x8b000cc2
                                        				_t67 =  *_t8;
                                        				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                                        				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                                        				_t108 =  *(_t67 + 0x14);
                                        				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                                        				_t105 = 0x2710;
                                        				asm("sbb eax, edi");
                                        				_v44 = _t88;
                                        				_v52 = _t108;
                                        				_t60 = E0166CE00(_t97, _t68, 0x2710, 0);
                                        				_v56 = _t60;
                                        				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                                        					L3:
                                        					 *(_t112 + 0x44) = _t60;
                                        					_t105 = _t60 * 0x2710 >> 0x20;
                                        					 *_t112 = _t88;
                                        					 *(_t112 + 4) = _t108;
                                        					_v20 = _t60 * 0x2710;
                                        					_v16 = _t60 * 0x2710 >> 0x20;
                                        					if(_v77 != 0) {
                                        						L16:
                                        						_v36 = _t88;
                                        						_v32 = _t108;
                                        						if(E01647D50() != 0) {
                                        							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        						} else {
                                        							_t73 = 0x7ffe0386;
                                        						}
                                        						if( *_t73 != 0) {
                                        							_t105 = _v40;
                                        							E016F8F6A(_t112, _v40, _t88, _t108);
                                        						}
                                        						_push( &_v28);
                                        						_push(0);
                                        						_push( &_v36);
                                        						_t48 = _t112 + 0x10; // 0x778df98b
                                        						_push( *_t48);
                                        						_t60 = E0166AF60();
                                        						goto L20;
                                        					} else {
                                        						_t89 = 0x7ffe03b0;
                                        						do {
                                        							_t114 = 0x7ffe0010;
                                        							do {
                                        								_t77 =  *0x1718628; // 0x0
                                        								_v68 = _t77;
                                        								_t78 =  *0x171862c; // 0x0
                                        								_v64 = _t78;
                                        								_v72 =  *_t89;
                                        								_v76 =  *((intOrPtr*)(_t89 + 4));
                                        								while(1) {
                                        									_t105 =  *0x7ffe000c;
                                        									_t100 =  *0x7ffe0008;
                                        									if(_t105 ==  *_t114) {
                                        										goto L8;
                                        									}
                                        									asm("pause");
                                        								}
                                        								L8:
                                        								_t89 = 0x7ffe03b0;
                                        								_t115 =  *0x7ffe03b0;
                                        								_t82 =  *0x7FFE03B4;
                                        								_v60 = _t115;
                                        								_t114 = 0x7ffe0010;
                                        								_v56 = _t82;
                                        							} while (_v72 != _t115 || _v76 != _t82);
                                        							_t83 =  *0x1718628; // 0x0
                                        							_t116 =  *0x171862c; // 0x0
                                        							_v76 = _t116;
                                        							_t117 = _v68;
                                        						} while (_t117 != _t83 || _v64 != _v76);
                                        						asm("sbb edx, [esp+0x24]");
                                        						_t102 = _t100 - _v60 - _t117;
                                        						_t112 = _v48;
                                        						_t91 = _v44;
                                        						asm("sbb edx, eax");
                                        						_t130 = _t105 - _v52;
                                        						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                                        							_t88 = _t102 - _t91;
                                        							asm("sbb edx, edi");
                                        							_t108 = _t105;
                                        						} else {
                                        							_t88 = 0;
                                        							_t108 = 0;
                                        						}
                                        						goto L16;
                                        					}
                                        				} else {
                                        					if( *(_t112 + 0x44) == _t60) {
                                        						goto L20;
                                        					}
                                        					goto L3;
                                        				}
                                        			}

                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0164B9A5
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID:
                                        • API String ID: 885266447-0
                                        • Opcode ID: f0c4c707dae90d387b0e92b134bd83a732f42ee7480609525f461d05ca6431f6
                                        • Instruction ID: 5b457fb3411fa6874a1398c9b420879bef3c9887100fa8fde3fa73108218fd0a
                                        • Opcode Fuzzy Hash: f0c4c707dae90d387b0e92b134bd83a732f42ee7480609525f461d05ca6431f6
                                        • Instruction Fuzzy Hash: 83515B71A08341CFC720CF6DC88092ABBFAFB88650F14896EFA9597355D771E844CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E01652581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
                                        				intOrPtr _v3;
                                        				signed int _v8;
                                        				signed int _v16;
                                        				unsigned int _v24;
                                        				void* _v28;
                                        				signed int _v32;
                                        				unsigned int _v36;
                                        				void* _v37;
                                        				signed int _v40;
                                        				signed int _v44;
                                        				signed int _v48;
                                        				signed int _v52;
                                        				signed int _v56;
                                        				intOrPtr _v60;
                                        				signed int _v64;
                                        				signed int _v68;
                                        				signed int _v72;
                                        				signed int _v76;
                                        				signed int _v80;
                                        				signed int _t231;
                                        				signed int _t235;
                                        				void* _t236;
                                        				signed int _t238;
                                        				signed int _t245;
                                        				signed int _t247;
                                        				intOrPtr _t249;
                                        				signed int _t252;
                                        				signed int _t259;
                                        				signed int _t262;
                                        				signed int _t270;
                                        				intOrPtr _t276;
                                        				signed int _t278;
                                        				signed int _t280;
                                        				void* _t281;
                                        				void* _t282;
                                        				signed int _t283;
                                        				unsigned int _t286;
                                        				signed int _t290;
                                        				signed int* _t291;
                                        				signed int _t292;
                                        				signed int _t296;
                                        				intOrPtr _t308;
                                        				signed int _t317;
                                        				signed int _t319;
                                        				signed int _t320;
                                        				signed int _t324;
                                        				signed int _t325;
                                        				void* _t328;
                                        				signed int _t329;
                                        				signed int _t331;
                                        				signed int _t334;
                                        				void* _t335;
                                        				void* _t337;
                                        
                                        				_t331 = _t334;
                                        				_t335 = _t334 - 0x4c;
                                        				_v8 =  *0x171d360 ^ _t331;
                                        				_push(__ebx);
                                        				_push(__esi);
                                        				_push(__edi);
                                        				_t324 = 0x171b2e8;
                                        				_v56 = _a4;
                                        				_v48 = __edx;
                                        				_v60 = __ecx;
                                        				_t286 = 0;
                                        				_v80 = 0;
                                        				asm("movsd");
                                        				_v64 = 0;
                                        				_v76 = 0;
                                        				_v72 = 0;
                                        				asm("movsd");
                                        				_v44 = 0;
                                        				_v52 = 0;
                                        				_v68 = 0;
                                        				asm("movsd");
                                        				_v32 = 0;
                                        				_v36 = 0;
                                        				asm("movsd");
                                        				_v16 = 0;
                                        				_t337 = (_v24 >> 0x0000001c & 0x00000003) - 1;
                                        				_t276 = 0x48;
                                        				_t306 = 0 | _t337 == 0x00000000;
                                        				_t317 = 0;
                                        				_v37 = _t337 == 0;
                                        				if(_v48 <= 0) {
                                        					L16:
                                        					_t45 = _t276 - 0x48; // 0x0
                                        					__eflags = _t45 - 0xfffe;
                                        					if(_t45 > 0xfffe) {
                                        						_t325 = 0xc0000106;
                                        						goto L32;
                                        					} else {
                                        						_t324 = L01644620(_t286,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t276);
                                        						_v52 = _t324;
                                        						__eflags = _t324;
                                        						if(_t324 == 0) {
                                        							_t325 = 0xc0000017;
                                        							goto L32;
                                        						} else {
                                        							 *(_t324 + 0x44) =  *(_t324 + 0x44) & 0x00000000;
                                        							_t50 = _t324 + 0x48; // 0x48
                                        							_t319 = _t50;
                                        							_t306 = _v32;
                                        							 *((intOrPtr*)(_t324 + 0x3c)) = _t276;
                                        							_t278 = 0;
                                        							 *((short*)(_t324 + 0x30)) = _v48;
                                        							__eflags = _t306;
                                        							if(_t306 != 0) {
                                        								 *(_t324 + 0x18) = _t319;
                                        								__eflags = _t306 - 0x1718478;
                                        								 *_t324 = ((0 | _t306 == 0x01718478) - 0x00000001 & 0xfffffffb) + 7;
                                        								E0166F3E0(_t319,  *((intOrPtr*)(_t306 + 4)),  *_t306 & 0x0000ffff);
                                        								_t306 = _v32;
                                        								_t335 = _t335 + 0xc;
                                        								_t278 = 1;
                                        								__eflags = _a8;
                                        								_t319 = _t319 + (( *_t306 & 0x0000ffff) >> 1) * 2;
                                        								if(_a8 != 0) {
                                        									_t270 = E016B39F2(_t319);
                                        									_t306 = _v32;
                                        									_t319 = _t270;
                                        								}
                                        							}
                                        							_t290 = 0;
                                        							_v16 = 0;
                                        							__eflags = _v48;
                                        							if(_v48 <= 0) {
                                        								L31:
                                        								_t325 = _v68;
                                        								__eflags = 0;
                                        								 *((short*)(_t319 - 2)) = 0;
                                        								goto L32;
                                        							} else {
                                        								_t280 = _t324 + _t278 * 4;
                                        								_v56 = _t280;
                                        								do {
                                        									__eflags = _t306;
                                        									if(_t306 != 0) {
                                        										_t231 =  *(_v60 + _t290 * 4);
                                        										__eflags = _t231;
                                        										if(_t231 == 0) {
                                        											goto L30;
                                        										} else {
                                        											__eflags = _t231 == 5;
                                        											if(_t231 == 5) {
                                        												goto L30;
                                        											} else {
                                        												goto L22;
                                        											}
                                        										}
                                        									} else {
                                        										L22:
                                        										 *_t280 =  *(_v60 + _t290 * 4);
                                        										 *(_t280 + 0x18) = _t319;
                                        										_t235 =  *(_v60 + _t290 * 4);
                                        										__eflags = _t235 - 8;
                                        										if(_t235 > 8) {
                                        											goto L56;
                                        										} else {
                                        											switch( *((intOrPtr*)(_t235 * 4 +  &M01652959))) {
                                        												case 0:
                                        													__ax =  *0x1718488;
                                        													__eflags = __ax;
                                        													if(__ax == 0) {
                                        														goto L29;
                                        													} else {
                                        														__ax & 0x0000ffff = E0166F3E0(__edi,  *0x171848c, __ax & 0x0000ffff);
                                        														__eax =  *0x1718488 & 0x0000ffff;
                                        														goto L26;
                                        													}
                                        													goto L108;
                                        												case 1:
                                        													L45:
                                        													E0166F3E0(_t319, _v80, _v64);
                                        													_t265 = _v64;
                                        													goto L26;
                                        												case 2:
                                        													 *0x1718480 & 0x0000ffff = E0166F3E0(__edi,  *0x1718484,  *0x1718480 & 0x0000ffff);
                                        													__eax =  *0x1718480 & 0x0000ffff;
                                        													__eax = ( *0x1718480 & 0x0000ffff) >> 1;
                                        													__edi = __edi + __eax * 2;
                                        													goto L28;
                                        												case 3:
                                        													__eax = _v44;
                                        													__eflags = __eax;
                                        													if(__eax == 0) {
                                        														goto L29;
                                        													} else {
                                        														__esi = __eax + __eax;
                                        														__eax = E0166F3E0(__edi, _v72, __esi);
                                        														__edi = __edi + __esi;
                                        														__esi = _v52;
                                        														goto L27;
                                        													}
                                        													goto L108;
                                        												case 4:
                                        													_push(0x2e);
                                        													_pop(__eax);
                                        													 *(__esi + 0x44) = __edi;
                                        													 *__edi = __ax;
                                        													__edi = __edi + 4;
                                        													_push(0x3b);
                                        													_pop(__eax);
                                        													 *(__edi - 2) = __ax;
                                        													goto L29;
                                        												case 5:
                                        													__eflags = _v36;
                                        													if(_v36 == 0) {
                                        														goto L45;
                                        													} else {
                                        														E0166F3E0(_t319, _v76, _v36);
                                        														_t265 = _v36;
                                        													}
                                        													L26:
                                        													_t335 = _t335 + 0xc;
                                        													_t319 = _t319 + (_t265 >> 1) * 2 + 2;
                                        													__eflags = _t319;
                                        													L27:
                                        													_push(0x3b);
                                        													_pop(_t267);
                                        													 *((short*)(_t319 - 2)) = _t267;
                                        													goto L28;
                                        												case 6:
                                        													__ebx = "\\Wow\\Wow";
                                        													__eflags = __ebx - "\\Wow\\Wow";
                                        													if(__ebx != "\\Wow\\Wow") {
                                        														_push(0x3b);
                                        														_pop(__esi);
                                        														do {
                                        															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                                        															E0166F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                                        															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                                        															__edi = __edi + __eax * 2;
                                        															__edi = __edi + 2;
                                        															 *(__edi - 2) = __si;
                                        															__ebx =  *__ebx;
                                        															__eflags = __ebx - "\\Wow\\Wow";
                                        														} while (__ebx != "\\Wow\\Wow");
                                        														__esi = _v52;
                                        														__ecx = _v16;
                                        														__edx = _v32;
                                        													}
                                        													__ebx = _v56;
                                        													goto L29;
                                        												case 7:
                                        													 *0x1718478 & 0x0000ffff = E0166F3E0(__edi,  *0x171847c,  *0x1718478 & 0x0000ffff);
                                        													__eax =  *0x1718478 & 0x0000ffff;
                                        													__eax = ( *0x1718478 & 0x0000ffff) >> 1;
                                        													__eflags = _a8;
                                        													__edi = __edi + __eax * 2;
                                        													if(_a8 != 0) {
                                        														__ecx = __edi;
                                        														__eax = E016B39F2(__ecx);
                                        														__edi = __eax;
                                        													}
                                        													goto L28;
                                        												case 8:
                                        													__eax = 0;
                                        													 *(__edi - 2) = __ax;
                                        													 *0x1716e58 & 0x0000ffff = E0166F3E0(__edi,  *0x1716e5c,  *0x1716e58 & 0x0000ffff);
                                        													 *(__esi + 0x38) = __edi;
                                        													__eax =  *0x1716e58 & 0x0000ffff;
                                        													__eax = ( *0x1716e58 & 0x0000ffff) >> 1;
                                        													__edi = __edi + __eax * 2;
                                        													__edi = __edi + 2;
                                        													L28:
                                        													_t290 = _v16;
                                        													_t306 = _v32;
                                        													L29:
                                        													_t280 = _t280 + 4;
                                        													__eflags = _t280;
                                        													_v56 = _t280;
                                        													goto L30;
                                        											}
                                        										}
                                        									}
                                        									goto L108;
                                        									L30:
                                        									_t290 = _t290 + 1;
                                        									_v16 = _t290;
                                        									__eflags = _t290 - _v48;
                                        								} while (_t290 < _v48);
                                        								goto L31;
                                        							}
                                        						}
                                        					}
                                        				} else {
                                        					while(1) {
                                        						L1:
                                        						_t235 =  *(_v60 + _t317 * 4);
                                        						if(_t235 > 8) {
                                        							break;
                                        						}
                                        						switch( *((intOrPtr*)(_t235 * 4 +  &M01652935))) {
                                        							case 0:
                                        								__ax =  *0x1718488;
                                        								__eflags = __ax;
                                        								if(__ax != 0) {
                                        									__eax = __ax & 0x0000ffff;
                                        									__ebx = __ebx + 2;
                                        									__eflags = __ebx;
                                        									goto L53;
                                        								}
                                        								goto L14;
                                        							case 1:
                                        								L44:
                                        								_t306 =  &_v64;
                                        								_v80 = E01652E3E(0,  &_v64);
                                        								_t276 = _t276 + _v64 + 2;
                                        								goto L13;
                                        							case 2:
                                        								__eax =  *0x1718480 & 0x0000ffff;
                                        								__ebx = __ebx + __eax;
                                        								__eflags = __dl;
                                        								if(__dl != 0) {
                                        									__eax = 0x1718480;
                                        									goto L80;
                                        								}
                                        								goto L14;
                                        							case 3:
                                        								__eax = E0163EEF0(0x17179a0);
                                        								__eax =  &_v44;
                                        								_push(__eax);
                                        								_push(0);
                                        								_push(0);
                                        								_push(4);
                                        								_push(L"PATH");
                                        								_push(0);
                                        								L57();
                                        								__esi = __eax;
                                        								_v68 = __esi;
                                        								__eflags = __esi - 0xc0000023;
                                        								if(__esi != 0xc0000023) {
                                        									L10:
                                        									__eax = E0163EB70(__ecx, 0x17179a0);
                                        									__eflags = __esi - 0xc0000100;
                                        									if(__esi == 0xc0000100) {
                                        										_v44 = _v44 & 0x00000000;
                                        										__eax = 0;
                                        										_v68 = 0;
                                        										goto L13;
                                        									} else {
                                        										__eflags = __esi;
                                        										if(__esi < 0) {
                                        											L32:
                                        											_t209 = _v72;
                                        											__eflags = _t209;
                                        											if(_t209 != 0) {
                                        												L016477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t209);
                                        											}
                                        											_t210 = _v52;
                                        											__eflags = _t210;
                                        											if(_t210 != 0) {
                                        												__eflags = _t325;
                                        												if(_t325 < 0) {
                                        													L016477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t210);
                                        													_t210 = 0;
                                        												}
                                        											}
                                        											goto L36;
                                        										} else {
                                        											__eax = _v44;
                                        											__ebx = __ebx + __eax * 2;
                                        											__ebx = __ebx + 2;
                                        											__eflags = __ebx;
                                        											L13:
                                        											_t286 = _v36;
                                        											goto L14;
                                        										}
                                        									}
                                        								} else {
                                        									__eax = _v44;
                                        									__ecx =  *0x1717b9c; // 0x0
                                        									_v44 + _v44 =  *[fs:0x30];
                                        									__ecx = __ecx + 0x180000;
                                        									__eax = L01644620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                                        									_v72 = __eax;
                                        									__eflags = __eax;
                                        									if(__eax == 0) {
                                        										__eax = E0163EB70(__ecx, 0x17179a0);
                                        										__eax = _v52;
                                        										L36:
                                        										_pop(_t318);
                                        										_pop(_t326);
                                        										__eflags = _v8 ^ _t331;
                                        										_pop(_t277);
                                        										return E0166B640(_t210, _t277, _v8 ^ _t331, _t306, _t318, _t326);
                                        									} else {
                                        										__ecx =  &_v44;
                                        										_push(__ecx);
                                        										_push(_v44);
                                        										_push(__eax);
                                        										_push(4);
                                        										_push(L"PATH");
                                        										_push(0);
                                        										L57();
                                        										__esi = __eax;
                                        										_v68 = __eax;
                                        										goto L10;
                                        									}
                                        								}
                                        								goto L108;
                                        							case 4:
                                        								__ebx = __ebx + 4;
                                        								goto L14;
                                        							case 5:
                                        								_t272 = _v56;
                                        								if(_v56 != 0) {
                                        									_t306 =  &_v36;
                                        									_t274 = E01652E3E(_t272,  &_v36);
                                        									_t286 = _v36;
                                        									_v76 = _t274;
                                        								}
                                        								if(_t286 == 0) {
                                        									goto L44;
                                        								} else {
                                        									_t276 = _t276 + 2 + _t286;
                                        								}
                                        								goto L14;
                                        							case 6:
                                        								__eax =  *0x1715764 & 0x0000ffff;
                                        								goto L53;
                                        							case 7:
                                        								__eax =  *0x1718478 & 0x0000ffff;
                                        								__ebx = __ebx + __eax;
                                        								__eflags = _a8;
                                        								if(_a8 != 0) {
                                        									__ebx = __ebx + 0x16;
                                        									__ebx = __ebx + __eax;
                                        								}
                                        								__eflags = __dl;
                                        								if(__dl != 0) {
                                        									__eax = 0x1718478;
                                        									L80:
                                        									_v32 = __eax;
                                        								}
                                        								goto L14;
                                        							case 8:
                                        								__eax =  *0x1716e58 & 0x0000ffff;
                                        								__eax = ( *0x1716e58 & 0x0000ffff) + 2;
                                        								L53:
                                        								__ebx = __ebx + __eax;
                                        								L14:
                                        								_t317 = _t317 + 1;
                                        								if(_t317 >= _v48) {
                                        									goto L16;
                                        								} else {
                                        									_t306 = _v37;
                                        									goto L1;
                                        								}
                                        								goto L108;
                                        						}
                                        					}
                                        					L56:
                                        					_t291 = 0x25;
                                        					asm("int 0x29");
                                        					asm("out 0x28, al");
                                        					 *[gs:esi+0x28] =  *[gs:esi+0x28] + _t335;
                                        					_t236 = _t235 + _t335;
                                        					asm("daa");
                                        					 *[gs:esi] =  *[gs:esi] + _t331;
                                        					 *[gs:esi+0x28] =  *[gs:esi+0x28] + _t236;
                                        					 *[gs:0x1f016526] =  *[gs:0x1f016526] + _t236;
                                        					_pop(_t281);
                                        					_t238 =  *_t291 * 0x01652894 ^ 0x0201695b;
                                        					_v3 = _v3 - _t335;
                                        					 *_t238 =  *_t238 - 0x65;
                                        					asm("daa");
                                        					 *[gs:esi] =  *[gs:esi] + _t281;
                                        					_v3 = _v3 - _t238;
                                        					_t328 = _t324 + _t324 - 1;
                                        					_v3 = _v3 - _t238;
                                        					asm("daa");
                                        					_pop(_t282);
                                        					asm("int3");
                                        					asm("int3");
                                        					asm("int3");
                                        					asm("int3");
                                        					asm("int3");
                                        					asm("int3");
                                        					asm("int3");
                                        					asm("int3");
                                        					asm("int3");
                                        					asm("int3");
                                        					asm("int3");
                                        					asm("int3");
                                        					asm("int3");
                                        					asm("int3");
                                        					asm("int3");
                                        					_push(0x20);
                                        					_push(0x16fff00);
                                        					E0167D08C(_t282, _t319, _t328);
                                        					_v44 =  *[fs:0x18];
                                        					_t320 = 0;
                                        					 *_a24 = 0;
                                        					_t283 = _a12;
                                        					__eflags = _t283;
                                        					if(_t283 == 0) {
                                        						_t245 = 0xc0000100;
                                        					} else {
                                        						_v8 = 0;
                                        						_t329 = 0xc0000100;
                                        						_v52 = 0xc0000100;
                                        						_t247 = 4;
                                        						while(1) {
                                        							_v40 = _t247;
                                        							__eflags = _t247;
                                        							if(_t247 == 0) {
                                        								break;
                                        							}
                                        							_t296 = _t247 * 0xc;
                                        							_v48 = _t296;
                                        							__eflags = _t283 -  *((intOrPtr*)(_t296 + 0x1601664));
                                        							if(__eflags <= 0) {
                                        								if(__eflags == 0) {
                                        									_t262 = E0166E5C0(_a8,  *((intOrPtr*)(_t296 + 0x1601668)), _t283);
                                        									_t335 = _t335 + 0xc;
                                        									__eflags = _t262;
                                        									if(__eflags == 0) {
                                        										_t329 = E016A51BE(_t283,  *((intOrPtr*)(_v48 + 0x160166c)), _a16, _t320, _t329, __eflags, _a20, _a24);
                                        										_v52 = _t329;
                                        										break;
                                        									} else {
                                        										_t247 = _v40;
                                        										goto L62;
                                        									}
                                        									goto L70;
                                        								} else {
                                        									L62:
                                        									_t247 = _t247 - 1;
                                        									continue;
                                        								}
                                        							}
                                        							break;
                                        						}
                                        						_v32 = _t329;
                                        						__eflags = _t329;
                                        						if(_t329 < 0) {
                                        							__eflags = _t329 - 0xc0000100;
                                        							if(_t329 == 0xc0000100) {
                                        								_t292 = _a4;
                                        								__eflags = _t292;
                                        								if(_t292 != 0) {
                                        									_v36 = _t292;
                                        									__eflags =  *_t292 - _t320;
                                        									if( *_t292 == _t320) {
                                        										_t329 = 0xc0000100;
                                        										goto L76;
                                        									} else {
                                        										_t308 =  *((intOrPtr*)(_v44 + 0x30));
                                        										_t249 =  *((intOrPtr*)(_t308 + 0x10));
                                        										__eflags =  *((intOrPtr*)(_t249 + 0x48)) - _t292;
                                        										if( *((intOrPtr*)(_t249 + 0x48)) == _t292) {
                                        											__eflags =  *(_t308 + 0x1c);
                                        											if( *(_t308 + 0x1c) == 0) {
                                        												L106:
                                        												_t329 = E01652AE4( &_v36, _a8, _t283, _a16, _a20, _a24);
                                        												_v32 = _t329;
                                        												__eflags = _t329 - 0xc0000100;
                                        												if(_t329 != 0xc0000100) {
                                        													goto L69;
                                        												} else {
                                        													_t320 = 1;
                                        													_t292 = _v36;
                                        													goto L75;
                                        												}
                                        											} else {
                                        												_t252 = E01636600( *(_t308 + 0x1c));
                                        												__eflags = _t252;
                                        												if(_t252 != 0) {
                                        													goto L106;
                                        												} else {
                                        													_t292 = _a4;
                                        													goto L75;
                                        												}
                                        											}
                                        										} else {
                                        											L75:
                                        											_t329 = E01652C50(_t292, _a8, _t283, _a16, _a20, _a24, _t320);
                                        											L76:
                                        											_v32 = _t329;
                                        											goto L69;
                                        										}
                                        									}
                                        									goto L108;
                                        								} else {
                                        									E0163EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                        									_v8 = 1;
                                        									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                                        									_t329 = _a24;
                                        									_t259 = E01652AE4( &_v36, _a8, _t283, _a16, _a20, _t329);
                                        									_v32 = _t259;
                                        									__eflags = _t259 - 0xc0000100;
                                        									if(_t259 == 0xc0000100) {
                                        										_v32 = E01652C50(_v36, _a8, _t283, _a16, _a20, _t329, 1);
                                        									}
                                        									_v8 = _t320;
                                        									E01652ACB();
                                        								}
                                        							}
                                        						}
                                        						L69:
                                        						_v8 = 0xfffffffe;
                                        						_t245 = _t329;
                                        					}
                                        					L70:
                                        					return E0167D0D1(_t245);
                                        				}
                                        				L108:
                                        			}

                                        0x01652773
                                        0x01652773
                                        0x01652776
                                        0x01652778
                                        0x0165277e
                                        0x0165277e
                                        0x01652781
                                        0x01652781
                                        0x01652783
                                        0x01652784
                                        0x00000000
                                        0x00000000
                                        0x01695bd8
                                        0x01695bde
                                        0x01695be4
                                        0x01695be6
                                        0x01695be8
                                        0x01695be9
                                        0x01695bee
                                        0x01695bf8
                                        0x01695bff
                                        0x01695c01
                                        0x01695c04
                                        0x01695c07
                                        0x01695c0b
                                        0x01695c0d
                                        0x01695c0d
                                        0x01695c15
                                        0x01695c18
                                        0x01695c1b
                                        0x01695c1b
                                        0x01695c1e
                                        0x00000000
                                        0x00000000
                                        0x016528c3
                                        0x016528c8
                                        0x016528d2
                                        0x016528d4
                                        0x016528d8
                                        0x016528db
                                        0x01695c26
                                        0x01695c28
                                        0x01695c2d
                                        0x01695c2d
                                        0x00000000
                                        0x00000000
                                        0x01695c34
                                        0x01695c36
                                        0x01695c49
                                        0x01695c4e
                                        0x01695c54
                                        0x01695c5b
                                        0x01695c5d
                                        0x01695c60
                                        0x01652788
                                        0x01652788
                                        0x0165278b
                                        0x0165278e
                                        0x0165278e
                                        0x0165278e
                                        0x01652791
                                        0x00000000
                                        0x00000000
                                        0x01652756
                                        0x01652750
                                        0x00000000
                                        0x01652794
                                        0x01652794
                                        0x01652795
                                        0x01652798
                                        0x01652798
                                        0x00000000
                                        0x01652734
                                        0x0165272c
                                        0x01652700
                                        0x016525ef
                                        0x016525ef
                                        0x016525ef
                                        0x016525f2
                                        0x016525f8
                                        0x00000000
                                        0x00000000
                                        0x016525fe
                                        0x00000000
                                        0x016528e6
                                        0x016528ec
                                        0x016528ef
                                        0x016528f5
                                        0x016528f8
                                        0x016528f8
                                        0x00000000
                                        0x016528f8
                                        0x00000000
                                        0x00000000
                                        0x01652866
                                        0x01652866
                                        0x01652876
                                        0x01652879
                                        0x00000000
                                        0x00000000
                                        0x016527e0
                                        0x016527e7
                                        0x016527e9
                                        0x016527eb
                                        0x01695afd
                                        0x00000000
                                        0x01695afd
                                        0x00000000
                                        0x00000000
                                        0x01652633
                                        0x01652638
                                        0x0165263b
                                        0x0165263c
                                        0x0165263e
                                        0x01652640
                                        0x01652642
                                        0x01652647
                                        0x01652649
                                        0x0165264e
                                        0x01652650
                                        0x01652653
                                        0x01652659
                                        0x016526a2
                                        0x016526a7
                                        0x016526ac
                                        0x016526b2
                                        0x01695b11
                                        0x01695b15
                                        0x01695b17
                                        0x00000000
                                        0x016526b8
                                        0x016526b8
                                        0x016526ba
                                        0x016527a6
                                        0x016527a6
                                        0x016527a9
                                        0x016527ab
                                        0x016527b9
                                        0x016527b9
                                        0x016527be
                                        0x016527c1
                                        0x016527c3
                                        0x016527c5
                                        0x016527c7
                                        0x01695c74
                                        0x01695c79
                                        0x01695c79
                                        0x016527c7
                                        0x00000000
                                        0x016526c0
                                        0x016526c0
                                        0x016526c3
                                        0x016526c6
                                        0x016526c6
                                        0x016526c9
                                        0x016526c9
                                        0x00000000
                                        0x016526c9
                                        0x016526ba
                                        0x0165265b
                                        0x0165265b
                                        0x0165265e
                                        0x01652667
                                        0x0165266d
                                        0x01652677
                                        0x0165267c
                                        0x0165267f
                                        0x01652681
                                        0x01695b49
                                        0x01695b4e
                                        0x016527cd
                                        0x016527d0
                                        0x016527d1
                                        0x016527d2
                                        0x016527d4
                                        0x016527dd
                                        0x01652687
                                        0x01652687
                                        0x0165268a
                                        0x0165268b
                                        0x0165268e
                                        0x0165268f
                                        0x01652691
                                        0x01652696
                                        0x01652698
                                        0x0165269d
                                        0x0165269f
                                        0x00000000
                                        0x0165269f
                                        0x01652681
                                        0x00000000
                                        0x00000000
                                        0x01652846
                                        0x00000000
                                        0x00000000
                                        0x01652605
                                        0x0165260a
                                        0x0165260c
                                        0x01652611
                                        0x01652616
                                        0x01652619
                                        0x01652619
                                        0x0165261e
                                        0x00000000
                                        0x01652624
                                        0x01652627
                                        0x01652627
                                        0x00000000
                                        0x00000000
                                        0x01695b1f
                                        0x00000000
                                        0x00000000
                                        0x01652894
                                        0x0165289b
                                        0x0165289d
                                        0x016528a1
                                        0x01695b2b
                                        0x01695b2e
                                        0x01695b2e
                                        0x016528a7
                                        0x016528a9
                                        0x01695b04
                                        0x01695b09
                                        0x01695b09
                                        0x01695b09
                                        0x00000000
                                        0x00000000
                                        0x01695b35
                                        0x01695b3c
                                        0x016528fb
                                        0x016528fb
                                        0x016526cc
                                        0x016526cc
                                        0x016526d0
                                        0x00000000
                                        0x016526d2
                                        0x016526d2
                                        0x00000000
                                        0x016526d2
                                        0x00000000
                                        0x00000000
                                        0x016525fe
                                        0x0165292d
                                        0x0165292f
                                        0x01652930
                                        0x01652935
                                        0x01652937
                                        0x0165293b
                                        0x0165293e
                                        0x0165293f
                                        0x01652942
                                        0x01652947
                                        0x0165294e
                                        0x01652955
                                        0x0165295a
                                        0x0165295d
                                        0x01652962
                                        0x01652963
                                        0x01652966
                                        0x01652969
                                        0x0165296a
                                        0x0165296e
                                        0x01652972
                                        0x01652981
                                        0x01652982
                                        0x01652983
                                        0x01652984
                                        0x01652985
                                        0x01652986
                                        0x01652987
                                        0x01652988
                                        0x01652989
                                        0x0165298a
                                        0x0165298b
                                        0x0165298c
                                        0x0165298d
                                        0x0165298e
                                        0x0165298f
                                        0x01652990
                                        0x01652992
                                        0x01652997
                                        0x016529a3
                                        0x016529a6
                                        0x016529ab
                                        0x016529ad
                                        0x016529b0
                                        0x016529b2
                                        0x01695c80
                                        0x016529b8
                                        0x016529b8
                                        0x016529bb
                                        0x016529c0
                                        0x016529c5
                                        0x016529c6
                                        0x016529c6
                                        0x016529c9
                                        0x016529cb
                                        0x00000000
                                        0x00000000
                                        0x016529cd
                                        0x016529d0
                                        0x016529d9
                                        0x016529db
                                        0x016529dd
                                        0x01652a7f
                                        0x01652a84
                                        0x01652a87
                                        0x01652a89
                                        0x01695ca1
                                        0x01695ca3
                                        0x00000000
                                        0x01652a8f
                                        0x01652a8f
                                        0x00000000
                                        0x01652a8f
                                        0x00000000
                                        0x016529e3
                                        0x016529e3
                                        0x016529e3
                                        0x00000000
                                        0x016529e3
                                        0x016529dd
                                        0x00000000
                                        0x016529db
                                        0x016529e6
                                        0x016529e9
                                        0x016529eb
                                        0x016529ed
                                        0x016529f3
                                        0x016529f5
                                        0x016529f8
                                        0x016529fa
                                        0x01652a97
                                        0x01652a9a
                                        0x01652a9d
                                        0x01652add
                                        0x00000000
                                        0x01652a9f
                                        0x01652aa2
                                        0x01652aa5
                                        0x01652aa8
                                        0x01652aab
                                        0x01695cab
                                        0x01695caf
                                        0x01695cc5
                                        0x01695cda
                                        0x01695cdc
                                        0x01695cdf
                                        0x01695ce5
                                        0x00000000
                                        0x01695ceb
                                        0x01695ced
                                        0x01695cee
                                        0x00000000
                                        0x01695cee
                                        0x01695cb1
                                        0x01695cb4
                                        0x01695cb9
                                        0x01695cbb
                                        0x00000000
                                        0x01695cbd
                                        0x01695cbd
                                        0x00000000
                                        0x01695cbd
                                        0x01695cbb
                                        0x01652ab1
                                        0x01652ab1
                                        0x01652ac4
                                        0x01652ac6
                                        0x01652ac6
                                        0x00000000
                                        0x01652ac6
                                        0x01652aab
                                        0x00000000
                                        0x01652a00
                                        0x01652a09
                                        0x01652a0e
                                        0x01652a21
                                        0x01652a24
                                        0x01652a35
                                        0x01652a3a
                                        0x01652a3d
                                        0x01652a42
                                        0x01652a59
                                        0x01652a59
                                        0x01652a5c
                                        0x01652a5f
                                        0x01652a5f
                                        0x016529fa
                                        0x016529f3
                                        0x01652a64
                                        0x01652a64
                                        0x01652a6b
                                        0x01652a6b
                                        0x01652a6d
                                        0x01652a72
                                        0x01652a72
                                        0x00000000

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: PATH
                                        • API String ID: 0-1036084923
                                        • Opcode ID: 0d6c06bb376d882a6e0c1084f0995554ac257d80c4fa305479100c461469e921
                                        • Instruction ID: dbf957dfdca679d70d0a6deac8c28a015ac42d0d8023ba950da50cf84d3bcaf5
                                        • Opcode Fuzzy Hash: 0d6c06bb376d882a6e0c1084f0995554ac257d80c4fa305479100c461469e921
                                        • Instruction Fuzzy Hash: CCC15AB1E00219DBDB65DF99DCA1ABEBBB5FF58710F04402DE901AB350DB34A942CB64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 80%
                                        			E0165FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                                        				char _v5;
                                        				signed int _v8;
                                        				signed int _v12;
                                        				char _v16;
                                        				char _v17;
                                        				char _v20;
                                        				signed int _v24;
                                        				char _v28;
                                        				char _v32;
                                        				signed int _v40;
                                        				void* __ecx;
                                        				void* __edi;
                                        				void* __ebp;
                                        				signed int _t73;
                                        				intOrPtr* _t75;
                                        				signed int _t77;
                                        				signed int _t79;
                                        				signed int _t81;
                                        				intOrPtr _t83;
                                        				intOrPtr _t85;
                                        				intOrPtr _t86;
                                        				signed int _t91;
                                        				signed int _t94;
                                        				signed int _t95;
                                        				signed int _t96;
                                        				signed int _t106;
                                        				signed int _t108;
                                        				signed int _t114;
                                        				signed int _t116;
                                        				signed int _t118;
                                        				signed int _t122;
                                        				signed int _t123;
                                        				void* _t129;
                                        				signed int _t130;
                                        				void* _t132;
                                        				intOrPtr* _t134;
                                        				signed int _t138;
                                        				signed int _t141;
                                        				signed int _t147;
                                        				intOrPtr _t153;
                                        				signed int _t154;
                                        				signed int _t155;
                                        				signed int _t170;
                                        				void* _t174;
                                        				signed int _t176;
                                        				signed int _t177;
                                        
                                        				_t129 = __ebx;
                                        				_push(_t132);
                                        				_push(__esi);
                                        				_t174 = _t132;
                                        				_t73 =  !( *( *(_t174 + 0x18)));
                                        				if(_t73 >= 0) {
                                        					L5:
                                        					return _t73;
                                        				} else {
                                        					E0163EEF0(0x1717b60);
                                        					_t134 =  *0x1717b84; // 0x776f7b80
                                        					_t2 = _t174 + 0x24; // 0x24
                                        					_t75 = _t2;
                                        					if( *_t134 != 0x1717b80) {
                                        						_push(3);
                                        						asm("int 0x29");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						_push(0x1717b60);
                                        						_t170 = _v8;
                                        						_v28 = 0;
                                        						_v40 = 0;
                                        						_v24 = 0;
                                        						_v17 = 0;
                                        						_v32 = 0;
                                        						__eflags = _t170 & 0xffff7cf2;
                                        						if((_t170 & 0xffff7cf2) != 0) {
                                        							L43:
                                        							_t77 = 0xc000000d;
                                        						} else {
                                        							_t79 = _t170 & 0x0000000c;
                                        							__eflags = _t79;
                                        							if(_t79 != 0) {
                                        								__eflags = _t79 - 0xc;
                                        								if(_t79 == 0xc) {
                                        									goto L43;
                                        								} else {
                                        									goto L9;
                                        								}
                                        							} else {
                                        								_t170 = _t170 | 0x00000008;
                                        								__eflags = _t170;
                                        								L9:
                                        								_t81 = _t170 & 0x00000300;
                                        								__eflags = _t81 - 0x300;
                                        								if(_t81 == 0x300) {
                                        									goto L43;
                                        								} else {
                                        									_t138 = _t170 & 0x00000001;
                                        									__eflags = _t138;
                                        									_v24 = _t138;
                                        									if(_t138 != 0) {
                                        										__eflags = _t81;
                                        										if(_t81 != 0) {
                                        											goto L43;
                                        										} else {
                                        											goto L11;
                                        										}
                                        									} else {
                                        										L11:
                                        										_push(_t129);
                                        										_t77 = E01636D90( &_v20);
                                        										_t130 = _t77;
                                        										__eflags = _t130;
                                        										if(_t130 >= 0) {
                                        											_push(_t174);
                                        											__eflags = _t170 & 0x00000301;
                                        											if((_t170 & 0x00000301) == 0) {
                                        												_t176 = _a8;
                                        												__eflags = _t176;
                                        												if(__eflags == 0) {
                                        													L64:
                                        													_t83 =  *[fs:0x18];
                                        													_t177 = 0;
                                        													__eflags =  *(_t83 + 0xfb8);
                                        													if( *(_t83 + 0xfb8) != 0) {
                                        														E016376E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                                        														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                                        													}
                                        													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                                        													goto L15;
                                        												} else {
                                        													asm("sbb edx, edx");
                                        													_t114 = E016C8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                                        													__eflags = _t114;
                                        													if(_t114 < 0) {
                                        														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                                        														E0162B150();
                                        													}
                                        													_t116 = E016C6D81(_t176,  &_v16);
                                        													__eflags = _t116;
                                        													if(_t116 >= 0) {
                                        														__eflags = _v16 - 2;
                                        														if(_v16 < 2) {
                                        															L56:
                                        															_t118 = E016375CE(_v20, 5, 0);
                                        															__eflags = _t118;
                                        															if(_t118 < 0) {
                                        																L67:
                                        																_t130 = 0xc0000017;
                                        																goto L32;
                                        															} else {
                                        																__eflags = _v12;
                                        																if(_v12 == 0) {
                                        																	goto L67;
                                        																} else {
                                        																	_t153 =  *0x1718638; // 0x0
                                        																	_t122 = L016338A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                                        																	_t154 = _v12;
                                        																	_t130 = _t122;
                                        																	__eflags = _t130;
                                        																	if(_t130 >= 0) {
                                        																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                                        																		__eflags = _t123;
                                        																		if(_t123 != 0) {
                                        																			_t155 = _a12;
                                        																			__eflags = _t155;
                                        																			if(_t155 != 0) {
                                        																				 *_t155 = _t123;
                                        																			}
                                        																			goto L64;
                                        																		} else {
                                        																			E016376E2(_t154);
                                        																			goto L41;
                                        																		}
                                        																	} else {
                                        																		E016376E2(_t154);
                                        																		_t177 = 0;
                                        																		goto L18;
                                        																	}
                                        																}
                                        															}
                                        														} else {
                                        															__eflags =  *_t176;
                                        															if( *_t176 != 0) {
                                        																goto L56;
                                        															} else {
                                        																__eflags =  *(_t176 + 2);
                                        																if( *(_t176 + 2) == 0) {
                                        																	goto L64;
                                        																} else {
                                        																	goto L56;
                                        																}
                                        															}
                                        														}
                                        													} else {
                                        														_t130 = 0xc000000d;
                                        														goto L32;
                                        													}
                                        												}
                                        												goto L35;
                                        											} else {
                                        												__eflags = _a8;
                                        												if(_a8 != 0) {
                                        													_t77 = 0xc000000d;
                                        												} else {
                                        													_v5 = 1;
                                        													L0165FCE3(_v20, _t170);
                                        													_t177 = 0;
                                        													__eflags = 0;
                                        													L15:
                                        													_t85 =  *[fs:0x18];
                                        													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                                        													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                                        														L18:
                                        														__eflags = _t130;
                                        														if(_t130 != 0) {
                                        															goto L32;
                                        														} else {
                                        															__eflags = _v5 - _t130;
                                        															if(_v5 == _t130) {
                                        																goto L32;
                                        															} else {
                                        																_t86 =  *[fs:0x18];
                                        																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                                        																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                                        																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                                        																}
                                        																__eflags = _t177;
                                        																if(_t177 == 0) {
                                        																	L31:
                                        																	__eflags = 0;
                                        																	L016370F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                                        																	goto L32;
                                        																} else {
                                        																	__eflags = _v24;
                                        																	_t91 =  *(_t177 + 0x20);
                                        																	if(_v24 != 0) {
                                        																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                                        																		goto L31;
                                        																	} else {
                                        																		_t141 = _t91 & 0x00000040;
                                        																		__eflags = _t170 & 0x00000100;
                                        																		if((_t170 & 0x00000100) == 0) {
                                        																			__eflags = _t141;
                                        																			if(_t141 == 0) {
                                        																				L74:
                                        																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                                        																				goto L27;
                                        																			} else {
                                        																				_t177 = E0165FD22(_t177);
                                        																				__eflags = _t177;
                                        																				if(_t177 == 0) {
                                        																					goto L42;
                                        																				} else {
                                        																					_t130 = E0165FD9B(_t177, 0, 4);
                                        																					__eflags = _t130;
                                        																					if(_t130 != 0) {
                                        																						goto L42;
                                        																					} else {
                                        																						_t68 = _t177 + 0x20;
                                        																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                                        																						__eflags =  *_t68;
                                        																						_t91 =  *(_t177 + 0x20);
                                        																						goto L74;
                                        																					}
                                        																				}
                                        																			}
                                        																			goto L35;
                                        																		} else {
                                        																			__eflags = _t141;
                                        																			if(_t141 != 0) {
                                        																				_t177 = E0165FD22(_t177);
                                        																				__eflags = _t177;
                                        																				if(_t177 == 0) {
                                        																					L42:
                                        																					_t77 = 0xc0000001;
                                        																					goto L33;
                                        																				} else {
                                        																					_t130 = E0165FD9B(_t177, 0, 4);
                                        																					__eflags = _t130;
                                        																					if(_t130 != 0) {
                                        																						goto L42;
                                        																					} else {
                                        																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                                        																						_t91 =  *(_t177 + 0x20);
                                        																						goto L26;
                                        																					}
                                        																				}
                                        																				goto L35;
                                        																			} else {
                                        																				L26:
                                        																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                                        																				__eflags = _t94;
                                        																				L27:
                                        																				 *(_t177 + 0x20) = _t94;
                                        																				__eflags = _t170 & 0x00008000;
                                        																				if((_t170 & 0x00008000) != 0) {
                                        																					_t95 = _a12;
                                        																					__eflags = _t95;
                                        																					if(_t95 != 0) {
                                        																						_t96 =  *_t95;
                                        																						__eflags = _t96;
                                        																						if(_t96 != 0) {
                                        																							 *((short*)(_t177 + 0x22)) = 0;
                                        																							_t40 = _t177 + 0x20;
                                        																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                                        																							__eflags =  *_t40;
                                        																						}
                                        																					}
                                        																				}
                                        																				goto L31;
                                        																			}
                                        																		}
                                        																	}
                                        																}
                                        															}
                                        														}
                                        													} else {
                                        														_t147 =  *( *[fs:0x18] + 0xfc0);
                                        														_t106 =  *(_t147 + 0x20);
                                        														__eflags = _t106 & 0x00000040;
                                        														if((_t106 & 0x00000040) != 0) {
                                        															_t147 = E0165FD22(_t147);
                                        															__eflags = _t147;
                                        															if(_t147 == 0) {
                                        																L41:
                                        																_t130 = 0xc0000001;
                                        																L32:
                                        																_t77 = _t130;
                                        																goto L33;
                                        															} else {
                                        																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                                        																_t106 =  *(_t147 + 0x20);
                                        																goto L17;
                                        															}
                                        															goto L35;
                                        														} else {
                                        															L17:
                                        															_t108 = _t106 | 0x00000080;
                                        															__eflags = _t108;
                                        															 *(_t147 + 0x20) = _t108;
                                        															 *( *[fs:0x18] + 0xfc0) = _t147;
                                        															goto L18;
                                        														}
                                        													}
                                        												}
                                        											}
                                        											L33:
                                        										}
                                        									}
                                        								}
                                        							}
                                        						}
                                        						L35:
                                        						return _t77;
                                        					} else {
                                        						 *_t75 = 0x1717b80;
                                        						 *((intOrPtr*)(_t75 + 4)) = _t134;
                                        						 *_t134 = _t75;
                                        						 *0x1717b84 = _t75;
                                        						_t73 = E0163EB70(_t134, 0x1717b60);
                                        						if( *0x1717b20 != 0) {
                                        							_t73 =  *( *[fs:0x30] + 0xc);
                                        							if( *((char*)(_t73 + 0x28)) == 0) {
                                        								_t73 = E0163FF60( *0x1717b20);
                                        							}
                                        						}
                                        						goto L5;
                                        					}
                                        				}
                                        			}

















































                                        0x00000000
                                        0x0165fbf2
                                        0x0165fbde
                                        0x0165fbcb
                                        0x0165fbab
                                        0x0165fc8b
                                        0x0165fc8b
                                        0x0165fc8c
                                        0x0165fb80
                                        0x0165fb72
                                        0x0165fb5e
                                        0x0165fc8d
                                        0x0165fc91
                                        0x0165fadf
                                        0x0165fadf
                                        0x0165fae1
                                        0x0165fae4
                                        0x0165fae7
                                        0x0165faec
                                        0x0165faf8
                                        0x0165fb00
                                        0x0165fb07
                                        0x0165fb0f
                                        0x0165fb0f
                                        0x0165fb07
                                        0x00000000
                                        0x0165faf8
                                        0x0165fadd

                                        Strings
                                        • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0169BE0F
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                        • API String ID: 0-865735534
                                        • Opcode ID: 64732b5f389aba358531cf5125e85502d3179a33c80a88a1d06efc26124f88bd
                                        • Instruction ID: be721b9357b276afb43cbbaf3af4aefcd44d32d31b1f22ba88705462851701b7
                                        • Opcode Fuzzy Hash: 64732b5f389aba358531cf5125e85502d3179a33c80a88a1d06efc26124f88bd
                                        • Instruction Fuzzy Hash: B1A1D372B00606CBEB65DB6CCC50B7AB7AAAF44720F0445BDED46DB791DB34D8428B90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 63%
                                        			E01622D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                                        				signed char _v8;
                                        				signed int _v12;
                                        				signed int _v16;
                                        				signed int _v20;
                                        				signed int _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				signed int _v52;
                                        				void* __esi;
                                        				void* __ebp;
                                        				intOrPtr _t55;
                                        				signed int _t57;
                                        				signed int _t58;
                                        				char* _t62;
                                        				signed char* _t63;
                                        				signed char* _t64;
                                        				signed int _t67;
                                        				signed int _t72;
                                        				signed int _t77;
                                        				signed int _t78;
                                        				signed int _t88;
                                        				intOrPtr _t89;
                                        				signed char _t93;
                                        				signed int _t97;
                                        				signed int _t98;
                                        				signed int _t102;
                                        				signed int _t103;
                                        				intOrPtr _t104;
                                        				signed int _t105;
                                        				signed int _t106;
                                        				signed char _t109;
                                        				signed int _t111;
                                        				void* _t116;
                                        
                                        				_t102 = __edi;
                                        				_t97 = __edx;
                                        				_v12 = _v12 & 0x00000000;
                                        				_t55 =  *[fs:0x18];
                                        				_t109 = __ecx;
                                        				_v8 = __edx;
                                        				_t86 = 0;
                                        				_v32 = _t55;
                                        				_v24 = 0;
                                        				_push(__edi);
                                        				if(__ecx == 0x1715350) {
                                        					_t86 = 1;
                                        					_v24 = 1;
                                        					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                                        				}
                                        				_t103 = _t102 | 0xffffffff;
                                        				if( *0x1717bc8 != 0) {
                                        					_push(0xc000004b);
                                        					_push(_t103);
                                        					E016697C0();
                                        				}
                                        				if( *0x17179c4 != 0) {
                                        					_t57 = 0;
                                        				} else {
                                        					_t57 = 0x17179c8;
                                        				}
                                        				_v16 = _t57;
                                        				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                                        					_t93 = _t109;
                                        					L23();
                                        				}
                                        				_t58 =  *_t109;
                                        				if(_t58 == _t103) {
                                        					__eflags =  *(_t109 + 0x14) & 0x01000000;
                                        					_t58 = _t103;
                                        					if(__eflags == 0) {
                                        						_t93 = _t109;
                                        						E01651624(_t86, __eflags);
                                        						_t58 =  *_t109;
                                        					}
                                        				}
                                        				_v20 = _v20 & 0x00000000;
                                        				if(_t58 != _t103) {
                                        					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                                        				}
                                        				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                                        				_t88 = _v16;
                                        				_v28 = _t104;
                                        				L9:
                                        				while(1) {
                                        					if(E01647D50() != 0) {
                                        						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                                        					} else {
                                        						_t62 = 0x7ffe0382;
                                        					}
                                        					if( *_t62 != 0) {
                                        						_t63 =  *[fs:0x30];
                                        						__eflags = _t63[0x240] & 0x00000002;
                                        						if((_t63[0x240] & 0x00000002) != 0) {
                                        							_t93 = _t109;
                                        							E016BFE87(_t93);
                                        						}
                                        					}
                                        					if(_t104 != 0xffffffff) {
                                        						_push(_t88);
                                        						_push(0);
                                        						_push(_t104);
                                        						_t64 = E01669520();
                                        						goto L15;
                                        					} else {
                                        						while(1) {
                                        							_t97 =  &_v8;
                                        							_t64 = E0165E18B(_t109 + 4, _t97, 4, _t88, 0);
                                        							if(_t64 == 0x102) {
                                        								break;
                                        							}
                                        							_t93 =  *(_t109 + 4);
                                        							_v8 = _t93;
                                        							if((_t93 & 0x00000002) != 0) {
                                        								continue;
                                        							}
                                        							L15:
                                        							if(_t64 == 0x102) {
                                        								break;
                                        							}
                                        							_t89 = _v24;
                                        							if(_t64 < 0) {
                                        								L0167DF30(_t93, _t97, _t64);
                                        								_push(_t93);
                                        								_t98 = _t97 | 0xffffffff;
                                        								__eflags =  *0x1716901;
                                        								_push(_t109);
                                        								_v52 = _t98;
                                        								if( *0x1716901 != 0) {
                                        									_push(0);
                                        									_push(1);
                                        									_push(0);
                                        									_push(0x100003);
                                        									_push( &_v12);
                                        									_t72 = E01669980();
                                        									__eflags = _t72;
                                        									if(_t72 < 0) {
                                        										_v12 = _t98 | 0xffffffff;
                                        									}
                                        								}
                                        								asm("lock cmpxchg [ecx], edx");
                                        								_t111 = 0;
                                        								__eflags = 0;
                                        								if(0 != 0) {
                                        									__eflags = _v12 - 0xffffffff;
                                        									if(_v12 != 0xffffffff) {
                                        										_push(_v12);
                                        										E016695D0();
                                        									}
                                        								} else {
                                        									_t111 = _v12;
                                        								}
                                        								return _t111;
                                        							} else {
                                        								if(_t89 != 0) {
                                        									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                                        									_t77 = E01647D50();
                                        									__eflags = _t77;
                                        									if(_t77 == 0) {
                                        										_t64 = 0x7ffe0384;
                                        									} else {
                                        										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                                        									}
                                        									__eflags =  *_t64;
                                        									if( *_t64 != 0) {
                                        										_t64 =  *[fs:0x30];
                                        										__eflags = _t64[0x240] & 0x00000004;
                                        										if((_t64[0x240] & 0x00000004) != 0) {
                                        											_t78 = E01647D50();
                                        											__eflags = _t78;
                                        											if(_t78 == 0) {
                                        												_t64 = 0x7ffe0385;
                                        											} else {
                                        												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                                        											}
                                        											__eflags =  *_t64 & 0x00000020;
                                        											if(( *_t64 & 0x00000020) != 0) {
                                        												_t64 = E016A7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                                        											}
                                        										}
                                        									}
                                        								}
                                        								return _t64;
                                        							}
                                        						}
                                        						_t97 = _t88;
                                        						_t93 = _t109;
                                        						E016BFDDA(_t97, _v12);
                                        						_t105 =  *_t109;
                                        						_t67 = _v12 + 1;
                                        						_v12 = _t67;
                                        						__eflags = _t105 - 0xffffffff;
                                        						if(_t105 == 0xffffffff) {
                                        							_t106 = 0;
                                        							__eflags = 0;
                                        						} else {
                                        							_t106 =  *(_t105 + 0x14);
                                        						}
                                        						__eflags = _t67 - 2;
                                        						if(_t67 > 2) {
                                        							__eflags = _t109 - 0x1715350;
                                        							if(_t109 != 0x1715350) {
                                        								__eflags = _t106 - _v20;
                                        								if(__eflags == 0) {
                                        									_t93 = _t109;
                                        									E016BFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                                        								}
                                        							}
                                        						}
                                        						_push("RTL: Re-Waiting\n");
                                        						_push(0);
                                        						_push(0x65);
                                        						_v20 = _t106;
                                        						E016B5720();
                                        						_t104 = _v28;
                                        						_t116 = _t116 + 0xc;
                                        						continue;
                                        					}
                                        				}
                                        			}





































                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: RTL: Re-Waiting
                                        • API String ID: 0-316354757
                                        • Opcode ID: f6c31af095f280c9ffb20cdce670076f30d0bf30b61617846559eef37041df4d
                                        • Instruction ID: 68cbf1464b92325758f6f69cec5b908bc7b86323e456486a8149e8617371c872
                                        • Opcode Fuzzy Hash: f6c31af095f280c9ffb20cdce670076f30d0bf30b61617846559eef37041df4d
                                        • Instruction Fuzzy Hash: 62612331A00A15DFEB32EB6CCC90B7EBBA6EB40724F1406ADE961973C1C7349941CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 80%
                                        			E016F0EA5(void* __ecx, void* __edx) {
                                        				signed int _v20;
                                        				char _v24;
                                        				intOrPtr _v28;
                                        				unsigned int _v32;
                                        				signed int _v36;
                                        				intOrPtr _v40;
                                        				char _v44;
                                        				intOrPtr _v64;
                                        				void* __ebx;
                                        				void* __edi;
                                        				signed int _t58;
                                        				unsigned int _t60;
                                        				intOrPtr _t62;
                                        				char* _t67;
                                        				char* _t69;
                                        				void* _t80;
                                        				void* _t83;
                                        				intOrPtr _t93;
                                        				intOrPtr _t115;
                                        				char _t117;
                                        				void* _t120;
                                        
                                        				_t83 = __edx;
                                        				_t117 = 0;
                                        				_t120 = __ecx;
                                        				_v44 = 0;
                                        				if(E016EFF69(__ecx,  &_v44,  &_v32) < 0) {
                                        					L24:
                                        					_t109 = _v44;
                                        					if(_v44 != 0) {
                                        						E016F1074(_t83, _t120, _t109, _t117, _t117);
                                        					}
                                        					L26:
                                        					return _t117;
                                        				}
                                        				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                                        				_t5 = _t83 + 1; // 0x1
                                        				_v36 = _t5 << 0xc;
                                        				_v40 = _t93;
                                        				_t58 =  *(_t93 + 0xc) & 0x40000000;
                                        				asm("sbb ebx, ebx");
                                        				_t83 = ( ~_t58 & 0x0000003c) + 4;
                                        				if(_t58 != 0) {
                                        					_push(0);
                                        					_push(0x14);
                                        					_push( &_v24);
                                        					_push(3);
                                        					_push(_t93);
                                        					_push(0xffffffff);
                                        					_t80 = E01669730();
                                        					_t115 = _v64;
                                        					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                                        						_push(_t93);
                                        						E016EA80D(_t115, 1, _v20, _t117);
                                        						_t83 = 4;
                                        					}
                                        				}
                                        				if(E016EA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                                        					goto L24;
                                        				}
                                        				_t60 = _v32;
                                        				_t97 = (_t60 != 0x100000) + 1;
                                        				_t83 = (_v44 -  *0x1718b04 >> 0x14) + (_v44 -  *0x1718b04 >> 0x14);
                                        				_v28 = (_t60 != 0x100000) + 1;
                                        				_t62 = _t83 + (_t60 >> 0x14) * 2;
                                        				_v40 = _t62;
                                        				if(_t83 >= _t62) {
                                        					L10:
                                        					asm("lock xadd [eax], ecx");
                                        					asm("lock xadd [eax], ecx");
                                        					if(E01647D50() == 0) {
                                        						_t67 = 0x7ffe0380;
                                        					} else {
                                        						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                        					}
                                        					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                        						E016E138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                                        					}
                                        					if(E01647D50() == 0) {
                                        						_t69 = 0x7ffe0388;
                                        					} else {
                                        						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                        					}
                                        					if( *_t69 != 0) {
                                        						E016DFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                                        					}
                                        					if(( *0x1718724 & 0x00000008) != 0) {
                                        						E016E52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                                        					}
                                        					_t117 = _v44;
                                        					goto L26;
                                        				}
                                        				while(E016F15B5(0x1718ae4, _t83, _t97, _t97) >= 0) {
                                        					_t97 = _v28;
                                        					_t83 = _t83 + 2;
                                        					if(_t83 < _v40) {
                                        						continue;
                                        					}
                                        					goto L10;
                                        				}
                                        				goto L24;
                                        			}


                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: `
                                        • API String ID: 0-2679148245
                                        • Opcode ID: f4d7f175287be0bb066c2340010f7fdb012ab99dab798cdb7251eea1ac990e0c
                                        • Instruction ID: 829cfeedf9c29a5831d429f0bc2e8dedaf21c81c6750806468f8d247a39fa4f1
                                        • Opcode Fuzzy Hash: f4d7f175287be0bb066c2340010f7fdb012ab99dab798cdb7251eea1ac990e0c
                                        • Instruction Fuzzy Hash: 08519D713043829FD324DF28DD84B1BBBE6EB85754F040A6CFA9697291DB70E805CB62
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 75%
                                        			E0165F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                                        				intOrPtr _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				char* _v20;
                                        				intOrPtr _v24;
                                        				char _v28;
                                        				intOrPtr _v32;
                                        				char _v36;
                                        				char _v44;
                                        				char _v52;
                                        				intOrPtr _v56;
                                        				char _v60;
                                        				intOrPtr _v72;
                                        				void* _t51;
                                        				void* _t58;
                                        				signed short _t82;
                                        				short _t84;
                                        				signed int _t91;
                                        				signed int _t100;
                                        				signed short* _t103;
                                        				void* _t108;
                                        				intOrPtr* _t109;
                                        
                                        				_t103 = __ecx;
                                        				_t82 = __edx;
                                        				_t51 = E01644120(0, __ecx, 0,  &_v52, 0, 0, 0);
                                        				if(_t51 >= 0) {
                                        					_push(0x21);
                                        					_push(3);
                                        					_v56 =  *0x7ffe02dc;
                                        					_v20 =  &_v52;
                                        					_push( &_v44);
                                        					_v28 = 0x18;
                                        					_push( &_v28);
                                        					_push(0x100020);
                                        					_v24 = 0;
                                        					_push( &_v60);
                                        					_v16 = 0x40;
                                        					_v12 = 0;
                                        					_v8 = 0;
                                        					_t58 = E01669830();
                                        					_t87 =  *[fs:0x30];
                                        					_t108 = _t58;
                                        					L016477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                                        					if(_t108 < 0) {
                                        						L11:
                                        						_t51 = _t108;
                                        					} else {
                                        						_push(4);
                                        						_push(8);
                                        						_push( &_v36);
                                        						_push( &_v44);
                                        						_push(_v60);
                                        						_t108 = E01669990();
                                        						if(_t108 < 0) {
                                        							L10:
                                        							_push(_v60);
                                        							E016695D0();
                                        							goto L11;
                                        						} else {
                                        							_t109 = L01644620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                                        							if(_t109 == 0) {
                                        								_t108 = 0xc0000017;
                                        								goto L10;
                                        							} else {
                                        								_t21 = _t109 + 0x18; // 0x18
                                        								 *((intOrPtr*)(_t109 + 4)) = _v60;
                                        								 *_t109 = 1;
                                        								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                                        								 *(_t109 + 0xe) = _t82;
                                        								 *((intOrPtr*)(_t109 + 8)) = _v56;
                                        								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                                        								E0166F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                                        								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                        								 *((short*)(_t109 + 0xc)) =  *_t103;
                                        								_t91 =  *_t103 & 0x0000ffff;
                                        								_t100 = _t91 & 0xfffffffe;
                                        								_t84 = 0x5c;
                                        								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                                        									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                                        										_push(_v60);
                                        										E016695D0();
                                        										L016477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                                        										_t51 = 0xc0000106;
                                        									} else {
                                        										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                                        										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                        										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                                        										goto L5;
                                        									}
                                        								} else {
                                        									L5:
                                        									 *_a4 = _t109;
                                        									_t51 = 0;
                                        								}
                                        							}
                                        						}
                                        					}
                                        				}
                                        				return _t51;
                                        			}


                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: @
                                        • API String ID: 0-2766056989
                                        • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                        • Instruction ID: e08b409f409e7132bbdf080632c2292c18c6b2e95213126d04cc9f0440189dbe
                                        • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                        • Instruction Fuzzy Hash: 66517A71504711AFC320DF69C840A6BBBF9FF48750F00892EFA9597690E7B4E904CBA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 75%
                                        			E016A3540(intOrPtr _a4) {
                                        				signed int _v12;
                                        				intOrPtr _v88;
                                        				intOrPtr _v92;
                                        				char _v96;
                                        				char _v352;
                                        				char _v1072;
                                        				intOrPtr _v1140;
                                        				intOrPtr _v1148;
                                        				char _v1152;
                                        				char _v1156;
                                        				char _v1160;
                                        				char _v1164;
                                        				char _v1168;
                                        				char* _v1172;
                                        				short _v1174;
                                        				char _v1176;
                                        				char _v1180;
                                        				char _v1192;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				short _t41;
                                        				short _t42;
                                        				intOrPtr _t80;
                                        				intOrPtr _t81;
                                        				signed int _t82;
                                        				void* _t83;
                                        
                                        				_v12 =  *0x171d360 ^ _t82;
                                        				_t41 = 0x14;
                                        				_v1176 = _t41;
                                        				_t42 = 0x16;
                                        				_v1174 = _t42;
                                        				_v1164 = 0x100;
                                        				_v1172 = L"BinaryHash";
                                        				_t81 = E01660BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                                        				if(_t81 < 0) {
                                        					L11:
                                        					_t75 = _t81;
                                        					E016A3706(0, _t81, _t79, _t80);
                                        					L12:
                                        					if(_a4 != 0xc000047f) {
                                        						E0166FA60( &_v1152, 0, 0x50);
                                        						_v1152 = 0x60c201e;
                                        						_v1148 = 1;
                                        						_v1140 = E016A3540;
                                        						E0166FA60( &_v1072, 0, 0x2cc);
                                        						_push( &_v1072);
                                        						E0167DDD0( &_v1072, _t75, _t79, _t80, _t81);
                                        						E016B0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                                        						_push(_v1152);
                                        						_push(0xffffffff);
                                        						E016697C0();
                                        					}
                                        					return E0166B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                                        				}
                                        				_t79 =  &_v352;
                                        				_t81 = E016A3971(0, _a4,  &_v352,  &_v1156);
                                        				if(_t81 < 0) {
                                        					goto L11;
                                        				}
                                        				_t75 = _v1156;
                                        				_t79 =  &_v1160;
                                        				_t81 = E016A3884(_v1156,  &_v1160,  &_v1168);
                                        				if(_t81 >= 0) {
                                        					_t80 = _v1160;
                                        					E0166FA60( &_v96, 0, 0x50);
                                        					_t83 = _t83 + 0xc;
                                        					_push( &_v1180);
                                        					_push(0x50);
                                        					_push( &_v96);
                                        					_push(2);
                                        					_push( &_v1176);
                                        					_push(_v1156);
                                        					_t81 = E01669650();
                                        					if(_t81 >= 0) {
                                        						if(_v92 != 3 || _v88 == 0) {
                                        							_t81 = 0xc000090b;
                                        						}
                                        						if(_t81 >= 0) {
                                        							_t75 = _a4;
                                        							_t79 =  &_v352;
                                        							E016A3787(_a4,  &_v352, _t80);
                                        						}
                                        					}
                                        					L016477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                                        				}
                                        				_push(_v1156);
                                        				E016695D0();
                                        				if(_t81 >= 0) {
                                        					goto L12;
                                        				} else {
                                        					goto L11;
                                        				}
                                        			}


                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: BinaryHash
                                        • API String ID: 0-2202222882
                                        • Opcode ID: c846e8069ebf9da890be95773df122c91691fa26a0bcec34dd6be6971c48b235
                                        • Instruction ID: 2f63872e68631eb02eb3ab39ce6539a402fca154bbf0f9d172c23d483a71750c
                                        • Opcode Fuzzy Hash: c846e8069ebf9da890be95773df122c91691fa26a0bcec34dd6be6971c48b235
                                        • Instruction Fuzzy Hash: 614134B2D0052D9BDB21DA54CC85FEEB77DAB54714F4045E9EA09AB240DB309E88CF98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 71%
                                        			E016F05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                                        				signed int _v20;
                                        				char _v24;
                                        				signed int _v28;
                                        				char _v32;
                                        				signed int _v36;
                                        				intOrPtr _v40;
                                        				void* __ebx;
                                        				void* _t35;
                                        				signed int _t42;
                                        				char* _t48;
                                        				signed int _t59;
                                        				signed char _t61;
                                        				signed int* _t79;
                                        				void* _t88;
                                        
                                        				_v28 = __edx;
                                        				_t79 = __ecx;
                                        				if(E016F07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                                        					L13:
                                        					_t35 = 0;
                                        					L14:
                                        					return _t35;
                                        				}
                                        				_t61 = __ecx[1];
                                        				_t59 = __ecx[0xf];
                                        				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                                        				_v36 = _a8 << 0xc;
                                        				_t42 =  *(_t59 + 0xc) & 0x40000000;
                                        				asm("sbb esi, esi");
                                        				_t88 = ( ~_t42 & 0x0000003c) + 4;
                                        				if(_t42 != 0) {
                                        					_push(0);
                                        					_push(0x14);
                                        					_push( &_v24);
                                        					_push(3);
                                        					_push(_t59);
                                        					_push(0xffffffff);
                                        					if(E01669730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                                        						_push(_t61);
                                        						E016EA80D(_t59, 1, _v20, 0);
                                        						_t88 = 4;
                                        					}
                                        				}
                                        				_t35 = E016EA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                                        				if(_t35 < 0) {
                                        					goto L14;
                                        				}
                                        				E016F1293(_t79, _v40, E016F07DF(_t79, _v28,  &_a4,  &_a8, 1));
                                        				if(E01647D50() == 0) {
                                        					_t48 = 0x7ffe0380;
                                        				} else {
                                        					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                        				}
                                        				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                        					E016E138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                                        				}
                                        				goto L13;
                                        			}


















                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: `
                                        • API String ID: 0-2679148245
                                        • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                        • Instruction ID: 245c6719428f28e56a69c1e42f8b9b6f100ffd6d3c6d2fcc6ec222b0f5e0ef1f
                                        • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                        • Instruction Fuzzy Hash: 4D31F132300356ABE720DE28CC84F9B7BDAEB84754F14422DFB589B281D770E904CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 72%
                                        			E016A3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                        				char _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr* _v16;
                                        				char* _v20;
                                        				short _v22;
                                        				char _v24;
                                        				intOrPtr _t38;
                                        				short _t40;
                                        				short _t41;
                                        				void* _t44;
                                        				intOrPtr _t47;
                                        				void* _t48;
                                        
                                        				_v16 = __edx;
                                        				_t40 = 0x14;
                                        				_v24 = _t40;
                                        				_t41 = 0x16;
                                        				_v22 = _t41;
                                        				_t38 = 0;
                                        				_v12 = __ecx;
                                        				_push( &_v8);
                                        				_push(0);
                                        				_push(0);
                                        				_push(2);
                                        				_t43 =  &_v24;
                                        				_v20 = L"BinaryName";
                                        				_push( &_v24);
                                        				_push(__ecx);
                                        				_t47 = 0;
                                        				_t48 = E01669650();
                                        				if(_t48 >= 0) {
                                        					_t48 = 0xc000090b;
                                        				}
                                        				if(_t48 != 0xc0000023) {
                                        					_t44 = 0;
                                        					L13:
                                        					if(_t48 < 0) {
                                        						L16:
                                        						if(_t47 != 0) {
                                        							L016477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                                        						}
                                        						L18:
                                        						return _t48;
                                        					}
                                        					 *_v16 = _t38;
                                        					 *_a4 = _t47;
                                        					goto L18;
                                        				}
                                        				_t47 = L01644620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                        				if(_t47 != 0) {
                                        					_push( &_v8);
                                        					_push(_v8);
                                        					_push(_t47);
                                        					_push(2);
                                        					_push( &_v24);
                                        					_push(_v12);
                                        					_t48 = E01669650();
                                        					if(_t48 < 0) {
                                        						_t44 = 0;
                                        						goto L16;
                                        					}
                                        					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                                        						_t48 = 0xc000090b;
                                        					}
                                        					_t44 = 0;
                                        					if(_t48 < 0) {
                                        						goto L16;
                                        					} else {
                                        						_t17 = _t47 + 0xc; // 0xc
                                        						_t38 = _t17;
                                        						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                                        							_t48 = 0xc000090b;
                                        						}
                                        						goto L13;
                                        					}
                                        				}
                                        				_t48 = _t48 + 0xfffffff4;
                                        				goto L18;
                                        			}
















                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: BinaryName
                                        • API String ID: 0-215506332
                                        • Opcode ID: 7ac3edfb7611abc995b1b57093c6ef743e4675721f149c2e6ea820f5d7b2da92
                                        • Instruction ID: 106b92232dbf05dd02ad048398bd4c778d4177bc123a79df8a72b06f98114b20
                                        • Opcode Fuzzy Hash: 7ac3edfb7611abc995b1b57093c6ef743e4675721f149c2e6ea820f5d7b2da92
                                        • Instruction Fuzzy Hash: E531E33290061AAFEB16DA58CD45E7BFB79FF80B20F414169E914A7391E7309E04CBE0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 33%
                                        			E0165D294(void* __ecx, char __edx, void* __eflags) {
                                        				signed int _v8;
                                        				char _v52;
                                        				signed int _v56;
                                        				signed int _v60;
                                        				intOrPtr _v64;
                                        				char* _v68;
                                        				intOrPtr _v72;
                                        				char _v76;
                                        				signed int _v84;
                                        				intOrPtr _v88;
                                        				char _v92;
                                        				intOrPtr _v96;
                                        				intOrPtr _v100;
                                        				char _v104;
                                        				char _v105;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed int _t35;
                                        				char _t38;
                                        				signed int _t40;
                                        				signed int _t44;
                                        				signed int _t52;
                                        				void* _t53;
                                        				void* _t55;
                                        				void* _t61;
                                        				intOrPtr _t62;
                                        				void* _t64;
                                        				signed int _t65;
                                        				signed int _t66;
                                        
                                        				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                                        				_v8 =  *0x171d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                                        				_v105 = __edx;
                                        				_push( &_v92);
                                        				_t52 = 0;
                                        				_push(0);
                                        				_push(0);
                                        				_push( &_v104);
                                        				_push(0);
                                        				_t59 = __ecx;
                                        				_t55 = 2;
                                        				if(E01644120(_t55, __ecx) < 0) {
                                        					_t35 = 0;
                                        					L8:
                                        					_pop(_t61);
                                        					_pop(_t64);
                                        					_pop(_t53);
                                        					return E0166B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                                        				}
                                        				_v96 = _v100;
                                        				_t38 = _v92;
                                        				if(_t38 != 0) {
                                        					_v104 = _t38;
                                        					_v100 = _v88;
                                        					_t40 = _v84;
                                        				} else {
                                        					_t40 = 0;
                                        				}
                                        				_v72 = _t40;
                                        				_v68 =  &_v104;
                                        				_push( &_v52);
                                        				_v76 = 0x18;
                                        				_push( &_v76);
                                        				_v64 = 0x40;
                                        				_v60 = _t52;
                                        				_v56 = _t52;
                                        				_t44 = E016698D0();
                                        				_t62 = _v88;
                                        				_t65 = _t44;
                                        				if(_t62 != 0) {
                                        					asm("lock xadd [edi], eax");
                                        					if((_t44 | 0xffffffff) != 0) {
                                        						goto L4;
                                        					}
                                        					_push( *((intOrPtr*)(_t62 + 4)));
                                        					E016695D0();
                                        					L016477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                                        					goto L4;
                                        				} else {
                                        					L4:
                                        					L016477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                                        					if(_t65 >= 0) {
                                        						_t52 = 1;
                                        					} else {
                                        						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                                        							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                                        						}
                                        					}
                                        					_t35 = _t52;
                                        					goto L8;
                                        				}
                                        			}


































                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: @
                                        • API String ID: 0-2766056989
                                        • Opcode ID: 850afac078ee3a6f97c9d69812550600d45123ce0464df06da0b64440f64b971
                                        • Instruction ID: 2f1c9c3bf9e0ea4ce3d90b3e62c22aba1c83726b40a4b26e20abaa599a5c9190
                                        • Opcode Fuzzy Hash: 850afac078ee3a6f97c9d69812550600d45123ce0464df06da0b64440f64b971
                                        • Instruction Fuzzy Hash: 5F319EB1509305DFC761DF68CC8096BBBE9EB96654F00092EF99483291D735DD05CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 72%
                                        			E01631B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                                        				intOrPtr _v8;
                                        				char _v16;
                                        				intOrPtr* _t26;
                                        				intOrPtr _t29;
                                        				void* _t30;
                                        				signed int _t31;
                                        
                                        				_t27 = __ecx;
                                        				_t29 = __edx;
                                        				_t31 = 0;
                                        				_v8 = __edx;
                                        				if(__edx == 0) {
                                        					L18:
                                        					_t30 = 0xc000000d;
                                        					goto L12;
                                        				} else {
                                        					_t26 = _a4;
                                        					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                                        						goto L18;
                                        					} else {
                                        						E0166BB40(__ecx,  &_v16, __ecx);
                                        						_push(_t26);
                                        						_push(0);
                                        						_push(0);
                                        						_push(_t29);
                                        						_push( &_v16);
                                        						_t30 = E0166A9B0();
                                        						if(_t30 >= 0) {
                                        							_t19 =  *_t26;
                                        							if( *_t26 != 0) {
                                        								goto L7;
                                        							} else {
                                        								 *_a8 =  *_a8 & 0;
                                        							}
                                        						} else {
                                        							if(_t30 != 0xc0000023) {
                                        								L9:
                                        								_push(_t26);
                                        								_push( *_t26);
                                        								_push(_t31);
                                        								_push(_v8);
                                        								_push( &_v16);
                                        								_t30 = E0166A9B0();
                                        								if(_t30 < 0) {
                                        									L12:
                                        									if(_t31 != 0) {
                                        										L016477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                                        									}
                                        								} else {
                                        									 *_a8 = _t31;
                                        								}
                                        							} else {
                                        								_t19 =  *_t26;
                                        								if( *_t26 == 0) {
                                        									_t31 = 0;
                                        								} else {
                                        									L7:
                                        									_t31 = L01644620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                                        								}
                                        								if(_t31 == 0) {
                                        									_t30 = 0xc0000017;
                                        								} else {
                                        									goto L9;
                                        								}
                                        							}
                                        						}
                                        					}
                                        				}
                                        				return _t30;
                                        			}










                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: WindowsExcludedProcs
                                        • API String ID: 0-3583428290
                                        • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                        • Instruction ID: fd7e4f718cf20861ba4d24018dceda117bef44e183eb2ea903049b4a0f00732d
                                        • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                        • Instruction Fuzzy Hash: 9C210A7A500129ABDB22AA59CC40F5B7BADEF82650F154525FE149B300DB38DC02D7B0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0164F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                                        				intOrPtr _t13;
                                        				intOrPtr _t14;
                                        				signed int _t16;
                                        				signed char _t17;
                                        				intOrPtr _t19;
                                        				intOrPtr _t21;
                                        				intOrPtr _t23;
                                        				intOrPtr* _t25;
                                        
                                        				_t25 = _a8;
                                        				_t17 = __ecx;
                                        				if(_t25 == 0) {
                                        					_t19 = 0xc00000f2;
                                        					L8:
                                        					return _t19;
                                        				}
                                        				if((__ecx & 0xfffffffe) != 0) {
                                        					_t19 = 0xc00000ef;
                                        					goto L8;
                                        				}
                                        				_t19 = 0;
                                        				 *_t25 = 0;
                                        				_t21 = 0;
                                        				_t23 = "Actx ";
                                        				if(__edx != 0) {
                                        					if(__edx == 0xfffffffc) {
                                        						L21:
                                        						_t21 = 0x200;
                                        						L5:
                                        						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                                        						 *_t25 = _t13;
                                        						L6:
                                        						if(_t13 == 0) {
                                        							if((_t17 & 0x00000001) != 0) {
                                        								 *_t25 = _t23;
                                        							}
                                        						}
                                        						L7:
                                        						goto L8;
                                        					}
                                        					if(__edx == 0xfffffffd) {
                                        						 *_t25 = _t23;
                                        						_t13 = _t23;
                                        						goto L6;
                                        					}
                                        					_t13 =  *((intOrPtr*)(__edx + 0x10));
                                        					 *_t25 = _t13;
                                        					L14:
                                        					if(_t21 == 0) {
                                        						goto L6;
                                        					}
                                        					goto L5;
                                        				}
                                        				_t14 = _a4;
                                        				if(_t14 != 0) {
                                        					_t16 =  *(_t14 + 0x14) & 0x00000007;
                                        					if(_t16 <= 1) {
                                        						_t21 = 0x1f8;
                                        						_t13 = 0;
                                        						goto L14;
                                        					}
                                        					if(_t16 == 2) {
                                        						goto L21;
                                        					}
                                        					if(_t16 != 4) {
                                        						_t19 = 0xc00000f0;
                                        						goto L7;
                                        					}
                                        					_t13 = 0;
                                        					goto L6;
                                        				} else {
                                        					_t21 = 0x1f8;
                                        					goto L5;
                                        				}
                                        			}












                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: Actx
                                        • API String ID: 0-89312691
                                        • Opcode ID: bab9ce06ef083de20ac0758a40abd9d22f8255bf078593306cb71230a98e121b
                                        • Instruction ID: 190b1df04301c10f37ba06850f02e9742c7c329a9ba5b3831fd8b246fb41ad67
                                        • Opcode Fuzzy Hash: bab9ce06ef083de20ac0758a40abd9d22f8255bf078593306cb71230a98e121b
                                        • Instruction Fuzzy Hash: 281104347487028BFB25CE1CAD9073676D9EB85224F2445BAE462CB791DB7CC8028740
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 71%
                                        			E016D8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                        				intOrPtr _t35;
                                        				void* _t41;
                                        
                                        				_t40 = __esi;
                                        				_t39 = __edi;
                                        				_t38 = __edx;
                                        				_t35 = __ecx;
                                        				_t34 = __ebx;
                                        				_push(0x74);
                                        				_push(0x1700d50);
                                        				E0167D0E8(__ebx, __edi, __esi);
                                        				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                                        				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                                        				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                                        					E016B5720(0x65, 0, "Critical error detected %lx\n", _t35);
                                        					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                                        						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                        						asm("int3");
                                        						 *(_t41 - 4) = 0xfffffffe;
                                        					}
                                        				}
                                        				 *(_t41 - 4) = 1;
                                        				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                                        				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                                        				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                                        				 *((intOrPtr*)(_t41 - 0x64)) = L0167DEF0;
                                        				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                                        				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                                        				_push(_t41 - 0x70);
                                        				L0167DEF0(1, _t38);
                                        				 *(_t41 - 4) = 0xfffffffe;
                                        				return E0167D130(_t34, _t39, _t40);
                                        			}






                                        Strings
                                        • Critical error detected %lx, xrefs: 016D8E21
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: Critical error detected %lx
                                        • API String ID: 0-802127002
                                        • Opcode ID: 06297f17eab8fb4b2e20805e4b51dcbc18297873025d27626a1969703cefe2e6
                                        • Instruction ID: 49c0f31ad219901217edc380b24e1197ba61b7fd8974d2996b7a42dff53cdf64
                                        • Opcode Fuzzy Hash: 06297f17eab8fb4b2e20805e4b51dcbc18297873025d27626a1969703cefe2e6
                                        • Instruction Fuzzy Hash: 111157B1D14348DADF26DFA899097DDBBB5BF18315F24466EE529AB382C3344602CF18
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 016BFF60
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                        • API String ID: 0-1911121157
                                        • Opcode ID: fa602748c219903b96acfdcd814288341d28a17e3a6cbf4f5266f47a0ed2627f
                                        • Instruction ID: 5bebac89330d510be6c2a42414c5d46adbf8e219a0c6d5b28c971471fdbff483
                                        • Opcode Fuzzy Hash: fa602748c219903b96acfdcd814288341d28a17e3a6cbf4f5266f47a0ed2627f
                                        • Instruction Fuzzy Hash: 2911C071910244EFDF26EF98CD89FD8BBB2FF09715F148498E5096B2A1C7399980DB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%


                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f5e896cdb3e51bdf1e16720b36a1fd3954c1d7fdf208df86d8ee007553c1a5d8
                                        • Instruction ID: c9dbbd4de32afd05969f4065e28b445ace661928987d36f83060ee1cb8ec7652
                                        • Opcode Fuzzy Hash: f5e896cdb3e51bdf1e16720b36a1fd3954c1d7fdf208df86d8ee007553c1a5d8
                                        • Instruction Fuzzy Hash: 8A41B0B17026119BE7269BADCC9CB3BBBDAAF94620F04831DF956873D0DB34D801D691
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ce8cc469085d60bc50df5448c6082cd2966de33ebf6e26ebbb912e528492b949
                                        • Instruction ID: cd0405acb86cee3dabeabc049f1d910b483496208a581f608b04ae56210022fe
                                        • Opcode Fuzzy Hash: ce8cc469085d60bc50df5448c6082cd2966de33ebf6e26ebbb912e528492b949
                                        • Instruction Fuzzy Hash: 2B51DE72E00216CFCB15CFACC890AAEBBF6FF59310F20815AD995A7304DB30A940CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                        • Instruction ID: a095f44a84e991dfd6da76de6ec92936d50093c39987e71aca6e6577a63db549
                                        • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                        • Instruction Fuzzy Hash: D8510430E04649DFEB25CB6CC9A07AEFBB1AF85314F1881ACD54553382C7B6A989C752
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                        • Instruction ID: 93663e2e4eb91d92cc9469e79171e0c229a1af65c4aea9d07e1b9f5c4ca718e1
                                        • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                        • Instruction Fuzzy Hash: 58519071600646EFDB16CF58D884A96BBB5FF45304F14C0AEEA08DF252EB71E946CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1e88fd6d18ed8f21eaef6f8fb28e8a7812cef5730bf0e524de18c6d770e098a7
                                        • Instruction ID: 5964b7388d5917e1aa5a1f9cdfd674016ee2a26c5fbb03f880254b5c7df0a615
                                        • Opcode Fuzzy Hash: 1e88fd6d18ed8f21eaef6f8fb28e8a7812cef5730bf0e524de18c6d770e098a7
                                        • Instruction Fuzzy Hash: F7515771A0021ADFDF66DF99CC90ADEBBB6BF48350F058159ED01AB320C3359952CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bade290a37be359c74b238bdbc7fc7fb9bdfcb981f877e5eb85c58c14a067c48
                                        • Instruction ID: a0759f153dec1b30f614cfd0cf76b2c32559973b879ba9c4a58a86ba7a6dc36c
                                        • Opcode Fuzzy Hash: bade290a37be359c74b238bdbc7fc7fb9bdfcb981f877e5eb85c58c14a067c48
                                        • Instruction Fuzzy Hash: 3E41BF31A002299BDF21DF68CD40BEE77B9EF49710F4100E9E908AB341EB349E80CB95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1373eea0602b5e57cbbf8d64f7d6047371f61a3f7c744381317b7fe0ea2ba976
                                        • Instruction ID: 70659358f175ee2d2c53030309c8db400056f5492a0df43e6221f3906daaac24
                                        • Opcode Fuzzy Hash: 1373eea0602b5e57cbbf8d64f7d6047371f61a3f7c744381317b7fe0ea2ba976
                                        • Instruction Fuzzy Hash: 3741A471A443189FEB72DF18CC80FAAB7AAEB55610F0040D9ED4597381EB74ED84CB95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3eb1225f63b861dc0a4bea35305b07c77633d071409ba0f901eaaa9ec7000f5b
                                        • Instruction ID: c3f4f2993dd8475e48a808b0576bf8582f4d7807780770d3f924173c4e6685e4
                                        • Opcode Fuzzy Hash: 3eb1225f63b861dc0a4bea35305b07c77633d071409ba0f901eaaa9ec7000f5b
                                        • Instruction Fuzzy Hash: D04152B1A0022D9BDB24DF59CC88AE9B7F9EB94300F1046E9E91997342D7709E85CF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                        • Instruction ID: d905ec8cbeff43a9b9f6f9923ad8b56791300c0f4e537305ca6917afad5e6813
                                        • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                        • Instruction Fuzzy Hash: 4131E332B01205ABEF159AA9CD89BBFFBEBEF80610F05456DE905A7391EB748D01C650
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                        • Instruction ID: f27ecb40c104a5a577336a865870d509ffc6aa67bf1cf3a5cfc5d4798ec9a4d1
                                        • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                        • Instruction Fuzzy Hash: AD31F8322016416FD7229B6CCC4CF6A7BEAEBC5650F184698E5458B382DBB4EC41C754
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                        • Instruction ID: 4d14273f5d3b48e9eb76107195d4a649d9c24e9da3a823b9ae10b60955a32e35
                                        • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                        • Instruction Fuzzy Hash: 2A31A3726057069BC719DF28CC84A5BB7EAFBC0610F044A2DF95687785DB31E805CBA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b2f39a433b092f0bc9ba6a9906bd18fdacab3b56ffccc57c9090f7f3ac773e40
                                        • Instruction ID: e9bb99948151cd92979d9eeca490d7355e9c83f9ef6d8f7532f3f0e07200fac3
                                        • Opcode Fuzzy Hash: b2f39a433b092f0bc9ba6a9906bd18fdacab3b56ffccc57c9090f7f3ac773e40
                                        • Instruction Fuzzy Hash: 98417DB1D00209AFDB24CFA9D940BEEBBF9EF48714F18812EE915A3240DB70A905CF55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 14437c80797a5babf0538ab6dd06cf6d66fa9943d668dc4ba0a8d10529c66173
                                        • Instruction ID: c12f3f649fc2dc3ec54c059bff25649f1bce5a6036106f3114a0bf3665a60b33
                                        • Opcode Fuzzy Hash: 14437c80797a5babf0538ab6dd06cf6d66fa9943d668dc4ba0a8d10529c66173
                                        • Instruction Fuzzy Hash: 6131F632242A11EBC736AF18CC51B7A77A6FF50760F118B1EF9560B2D0DB70E805CA94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8a58165d3801414cf2da3fff85398030b66b16727c48a8d55b7b7e398948ae8d
                                        • Instruction ID: 86f95f46861f53f161892f2ec75555627b9cb0b39123253187e3ebb95f8b96ad
                                        • Opcode Fuzzy Hash: 8a58165d3801414cf2da3fff85398030b66b16727c48a8d55b7b7e398948ae8d
                                        • Instruction Fuzzy Hash: A6318D32A05615DBDB29CF2DCC41A7ABBB9FF95710B05806EE94ACB360E730D841C7A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 87c64a3f56efb37293c3b431969811a9f33368f33f85c0a00836374687b01671
                                        • Instruction ID: a58e880d58d7f6a085324fc579b6c4d8935fa6a40542da33aaad111e7ba61f2b
                                        • Opcode Fuzzy Hash: 87c64a3f56efb37293c3b431969811a9f33368f33f85c0a00836374687b01671
                                        • Instruction Fuzzy Hash: B7416CB5A00215DFCB19CF98C890BAABBF6BF89314F15C1ADE905AB344C779A901CF54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                        • Instruction ID: bdf4f7f2b704c463eeb7fc25edea346d327bf76fbd0a6976b6094f3a6c387357
                                        • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                        • Instruction Fuzzy Hash: 1F310372A06547BBD705EBB8CC90BEAFB59BF52204F04815ED41C87301DB346A0AD7A5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d708b0c87178e01334ee6799366e375b52f7a7e3027546d3e3559e3578a8ddb8
                                        • Instruction ID: 9b4af6fc2025217220cae8000656d442f31ff24be348c7979f62059efa766b8e
                                        • Opcode Fuzzy Hash: d708b0c87178e01334ee6799366e375b52f7a7e3027546d3e3559e3578a8ddb8
                                        • Instruction Fuzzy Hash: 4C31B1726047919BC320DF68CC50A6AB7EABF98700F444A2DF99587790E731ED14CBA6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5f4a4331b486ece7cf747a06b827ba492878abd611a387ed42be9017901eaabe
                                        • Instruction ID: d23224886a71ead1b8a033991687ec91a707650364abb22643e3c70c20e25f13
                                        • Opcode Fuzzy Hash: 5f4a4331b486ece7cf747a06b827ba492878abd611a387ed42be9017901eaabe
                                        • Instruction Fuzzy Hash: 653157B2A09302CFC714DF18D98081ABBE1FB85610F04896EE4889B395D730DA04CBA7
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1cd7eeb0dde920686ad315764c68dd62c22b5cfd014845b7a1ea81e8903169c2
                                        • Instruction ID: 3a49618a4f39fbe1b78d73cb3e4317960fec7163a899740412c159b1ce30f5cf
                                        • Opcode Fuzzy Hash: 1cd7eeb0dde920686ad315764c68dd62c22b5cfd014845b7a1ea81e8903169c2
                                        • Instruction Fuzzy Hash: 8531ADB57002059FD739CB5CEC80F6ABBFAFB84720F148A5AE60587348D774A901CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3caa4f6948aa0e5f0d48e5d44af4a257ad89584a9a6afa2268354a4b46d3dea0
                                        • Instruction ID: 40f2f4a972829a340474d0d6750d4ae035af70b657e6383914f9e512d8b45f55
                                        • Opcode Fuzzy Hash: 3caa4f6948aa0e5f0d48e5d44af4a257ad89584a9a6afa2268354a4b46d3dea0
                                        • Instruction Fuzzy Hash: 5C315A716157118FE760CF1DCC40B26BBE9FB88B10F45496DE99997351E770E804CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7714ba00b28670da9acc14e2cc97570c34e155760dab52690a882eb3c74acfd3
                                        • Instruction ID: a2c4a4df9ebe6f06b7c3fc202883d2bc0288327c313fda73e8c09c69506efb57
                                        • Opcode Fuzzy Hash: 7714ba00b28670da9acc14e2cc97570c34e155760dab52690a882eb3c74acfd3
                                        • Instruction Fuzzy Hash: 5831B171A0062AABCF15AFA8CD81A7FB7B9EF04700F01456DF901E7250EB749A11DBA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9518f52c601e332cbd85b53c29872464a782b76c9902874ec9a4db0f9995870f
                                        • Instruction ID: e76905e9fdb8316b46db100e5e99017fd34346e71c4161ba53a3cb3acbd4e2be
                                        • Opcode Fuzzy Hash: 9518f52c601e332cbd85b53c29872464a782b76c9902874ec9a4db0f9995870f
                                        • Instruction Fuzzy Hash: F131D132205251ABC7229F58CD44B2AFBA9FBC4B10F05496DED5647259CB70D801CB9A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2aa06cfe63543b9210bc5d571c5274ba84dde3bd962bf9aab7d45cc7afcd8ada
                                        • Instruction ID: 59738b5a0e0997cb9713dbecbc002e26329b8d027efbe5f9c650b6df7e48672d
                                        • Opcode Fuzzy Hash: 2aa06cfe63543b9210bc5d571c5274ba84dde3bd962bf9aab7d45cc7afcd8ada
                                        • Instruction Fuzzy Hash: C141A2B1D003189FDB24CFAAD980AADFBF9FB48310F5081AEE509A7240E7755A84CF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 631b16e21a36a08cde14037094bc39c3238ed76b8e7abd81202856a8cdfeb8d3
                                        • Instruction ID: b1b157de4db86bbd8a3403128a97a480d495e8a676ddb4af48ac37816d83e319
                                        • Opcode Fuzzy Hash: 631b16e21a36a08cde14037094bc39c3238ed76b8e7abd81202856a8cdfeb8d3
                                        • Instruction Fuzzy Hash: 4C315C75A14249AFDB44CF68D841B9AFBE8FB09314F14825AF904CB341D632ED90CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 836d17d48a543ab7f34531bee5c36d0e48c61a212ee88bb03c34729ef454771e
                                        • Instruction ID: c32a5084a47ead977a95f461a9757be98a6359d9799977a8917947c104033c62
                                        • Opcode Fuzzy Hash: 836d17d48a543ab7f34531bee5c36d0e48c61a212ee88bb03c34729ef454771e
                                        • Instruction Fuzzy Hash: 30310132A006169BCB51EF5CC8C0BA673B5FB18321F1541B8ED44DB305EBB4DA05CB84
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4a6b840303580e7cea04e022525b8b161c9f70b84fdfd181eccc09712ddfbd0a
                                        • Instruction ID: 8f73c0631d230537f470714edab438d75061be14d2bb7a03dd9a1971a58b7708
                                        • Opcode Fuzzy Hash: 4a6b840303580e7cea04e022525b8b161c9f70b84fdfd181eccc09712ddfbd0a
                                        • Instruction Fuzzy Hash: 4C31B271A01A65DFEB26DB6DCC8C7ACBBB1BB99318F24855DC50467342C330A980CF56
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
                                        • Instruction ID: 8a41ee09e59e0b881e7a3674d461bc6aa557bb5175ce0fb6f34e9d73e49ff45c
                                        • Opcode Fuzzy Hash: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
                                        • Instruction Fuzzy Hash: 5D316831600645EFDB21CF68C884F6AB7F9EF44354F1445A9E9558B290E770EE01CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                        • Instruction ID: 243b216fa6abf2496facff3875871ba2b0e6297ee66fb7d1e163c5e3811472f9
                                        • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                        • Instruction Fuzzy Hash: 98218E72601119EFD721DF99CC81FABBBBDEF86640F114099EA059B210DB34AE01DBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Instruction Fuzzy Hash: 30013C71A0125DAFCB04EFA9D949AAEB7F4FF18700F108059BD45EB381EA349A00DB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4ecb2e50ef795cf749ef74cfce95f23799f6a8b3f82ad4034fe2890cdc18cc3e
                                        • Instruction ID: 9c9b1a18f407e754aa043f360ac58019b5bf050e5ae26e981b26a49b6dc59044
                                        • Opcode Fuzzy Hash: 4ecb2e50ef795cf749ef74cfce95f23799f6a8b3f82ad4034fe2890cdc18cc3e
                                        • Instruction Fuzzy Hash: CB014475A0120DEFDB00DFA8D945AAEB7F9EF18300F108459B905EB381DB34DA00CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d6dccae943e7fc40b428f8728a8492ce710dd4df27df58209b0bc85f9f6ddcee
                                        • Instruction ID: d9db45dcd27b84a228909e588f8154a7164df9389abcbe452a0d1ec4d41b1566
                                        • Opcode Fuzzy Hash: d6dccae943e7fc40b428f8728a8492ce710dd4df27df58209b0bc85f9f6ddcee
                                        • Instruction Fuzzy Hash: A7F06271A01258EFDB14DFE8D815A6EB7F8FF14300F044159A905EB381EA349900CB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 007c02d7eb93377054d2b8012de3979a4f9ca2fd71a1fbce1ac6346a1b0fc311
                                        • Instruction ID: eec87b95991a5b0e11993340e87dc7b2a7181f11e8dcd452cb89df040c8cd627
                                        • Opcode Fuzzy Hash: 007c02d7eb93377054d2b8012de3979a4f9ca2fd71a1fbce1ac6346a1b0fc311
                                        • Instruction Fuzzy Hash: CCF0E9B29176909FE73EC71CCC04B2A7FD89B05770F4584ABD51587342D7A4D8A0C2D4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 98e49969888d86969331e64b7ae314cb32f1408bceb5cce4cdb85ec89cff2671
                                        • Instruction ID: 09949e99e175a342a0e3e8ec738a601382dbd1801c84bf7b5eaca82cfa333059
                                        • Opcode Fuzzy Hash: 98e49969888d86969331e64b7ae314cb32f1408bceb5cce4cdb85ec89cff2671
                                        • Instruction Fuzzy Hash: 04F0207B8171854BDF326B2C28292E12FEBD796120B09418DD8A017389CA388893CF29
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                        • Instruction ID: 6d92a4b4fe2edc1a4d9717746625a283c2da6b5c73eb6a12b4ce4b285ce1cb37
                                        • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                        • Instruction Fuzzy Hash: 83E02232340601ABE721AE0ADCC0F5737AEEF92724F00807CB9001E282CAF6DC0887A4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 898727ed40c0435d26db27b143137c1510555a4096e462eb05509c9a975cd8af
                                        • Instruction ID: 1da06467a0a10841cb2690a7e665ab79fe9e2f61eeaeed535a15064a60f20900
                                        • Opcode Fuzzy Hash: 898727ed40c0435d26db27b143137c1510555a4096e462eb05509c9a975cd8af
                                        • Instruction Fuzzy Hash: 6AF0B471A046089FDB14EFB8D845A6EB7B8EF14300F10809DE905EB380DA34D900CB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 80608c0f48cdf22f1f78df6636ade37e59578234115a8aa5b048ee406fed555f
                                        • Instruction ID: add96e6a4250ca9da2b98666e5d3d3b743c8591dfab3b3962ab2c7ec3a7612cc
                                        • Opcode Fuzzy Hash: 80608c0f48cdf22f1f78df6636ade37e59578234115a8aa5b048ee406fed555f
                                        • Instruction Fuzzy Hash: 4CF082B1A1425DAFDB10EBA8DD06E6EB7B8EF14300F04049DBA05DB380EB34D900C798
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7df576a58911947865fcfcac9e5117c38b9f942dc914450680fa4942f2d3b061
                                        • Instruction ID: b48a5b1851cc34e28269a4c01618e68fb16d6506fc5589276d0199b8ef4461b3
                                        • Opcode Fuzzy Hash: 7df576a58911947865fcfcac9e5117c38b9f942dc914450680fa4942f2d3b061
                                        • Instruction Fuzzy Hash: D5F02738902145EBDF12FB7CCC40F79BFB2AF04314F040669D991AB2A1E725D802C799
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 768caa150081dce4b1b3cce8ad811eb302868daa06862789d5d29560c155efef
                                        • Instruction ID: 21e5d3d1433cba7d64e44c81dcb6460cb5d0ae8d14768cd813102dc0733d7fa9
                                        • Opcode Fuzzy Hash: 768caa150081dce4b1b3cce8ad811eb302868daa06862789d5d29560c155efef
                                        • Instruction Fuzzy Hash: F6F08271A04659AFDB04DBA8ED45E6E77B8EF18300F10419DE915EB3C0EA34D900C758
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ead9d0e162a37e88ad5760c705c50a0003848e184b0f7eb2e125b052cdbc2894
                                        • Instruction ID: 9b348ddeecfcc8c8c5003d6256b3668eb79751efdd4cd8838f13ee6d5ea386bf
                                        • Opcode Fuzzy Hash: ead9d0e162a37e88ad5760c705c50a0003848e184b0f7eb2e125b052cdbc2894
                                        • Instruction Fuzzy Hash: F7F0E2325666968FE772EF1CCD44F22B7D8AB107B8F054A78E40587B22CB25EC48C680
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dbc13735e4c0d254f67d773521c3aba6e6710b5087277fb31adf08ef309b573a
                                        • Instruction ID: b9e59a3e3a808f83cdcc13b3cdec3426e68d2fee112b5abf17b44c96f1f468a6
                                        • Opcode Fuzzy Hash: dbc13735e4c0d254f67d773521c3aba6e6710b5087277fb31adf08ef309b573a
                                        • Instruction Fuzzy Hash: 0EE09272A02421ABD3215A98BD00F66779EEBE4A51F094139FA04C7214DA28DD02C7E0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                        • Instruction ID: ccd3bde20cd95943586e7614235c30b3fb8d2cddba541b2c1dcd78634f747210
                                        • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                        • Instruction Fuzzy Hash: D2E0D832A40128FBDB21A6D99D05F9ABFBDDB54AA0F0001D5FA04D7150D9609D00C6D0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0f5b92ad4fed7ff67063e8add9c454c48e3b529e7b7f4dfd5cafcad4ef6d0a0e
                                        • Instruction ID: 214a20988eed26f472c4b9a18597631b5453d5fbc2f5185aad67f92bb3e4a4a7
                                        • Opcode Fuzzy Hash: 0f5b92ad4fed7ff67063e8add9c454c48e3b529e7b7f4dfd5cafcad4ef6d0a0e
                                        • Instruction Fuzzy Hash: D7E0DFB0A052049FD73ADF5DDC40F273B9C9B92721F1A80DDE8084B202CB21D881C28B
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a09ab9b5fa1603bcc65f40b01569a833c97e5fd74e1fb12139d72fa9621c8773
                                        • Instruction ID: c293523084bf6cdd0cf341220aef39228a10998bacc62cb42ade393e2dd04a62
                                        • Opcode Fuzzy Hash: a09ab9b5fa1603bcc65f40b01569a833c97e5fd74e1fb12139d72fa9621c8773
                                        • Instruction Fuzzy Hash: 3CF01E78860701CECBB2EFEDA94075876A5FB94361F10C12B9101A728ACB3445A1DF1A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                        • Instruction ID: dea13337a1426a598fc4de436ef6d09bfe48d89bcdd1cddc9a9f920f964ba034
                                        • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                        • Instruction Fuzzy Hash: 3CE0C231680615BBDB226E84CC00F797B17EB507A0F124035FE089A7D0CA759C91DAC8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cc0beb19b3add0122eda54419b08767d4608ba6772bba2f844849bdc042eb141
                                        • Instruction ID: 15132c02e442c997a89bc907942a75f096cd331f25aa8d4de9d7978ad8fa79ac
                                        • Opcode Fuzzy Hash: cc0beb19b3add0122eda54419b08767d4608ba6772bba2f844849bdc042eb141
                                        • Instruction Fuzzy Hash: 1AD02E611650001BC73E63A88D14B213613F780B61F344A2CF3030FAA8EAE088D4C20C
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8f299ed1ffdb91c4bff9458c236f8f01cc3ef425b6ac4d8e725b9d6208f6bdc8
                                        • Instruction ID: e39f089d829fc03d1e4cd6ca85bcc44461a3701c7fa28bdc661ca9d42a1a03df
                                        • Opcode Fuzzy Hash: 8f299ed1ffdb91c4bff9458c236f8f01cc3ef425b6ac4d8e725b9d6208f6bdc8
                                        • Instruction Fuzzy Hash: 97D0A931240201A2EB2E6B189C14B242A52EB91B81F38006CFA1B599C0CFB0CCA2E46C
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                        • Instruction ID: a9dc1bf1c16e8ceba886c9a70e3b091c195be02759e1c0784715b3ae59f1aa7a
                                        • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                        • Instruction Fuzzy Hash: FAE08C319006809FCF12DB48CA50F5EBBF6FF84B00F140408A5095F720C724EC00CB00
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                        • Instruction ID: 927f33e2fa5deae2046d488497613c79400f2f018439fbf096b42fcc38c14f8e
                                        • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                        • Instruction Fuzzy Hash: DCD0C935352980CFD617CB4CC954B0533A4FB44B40FC50490E940CB722E72CD940CA00
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                        • Instruction ID: bd5e8e638c52f2ecc5eaf2578ed34defc96362c34a171c390ff41e315ae68777
                                        • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                        • Instruction Fuzzy Hash: 99D0A9314011819AEB82AB24CA387683BB2BF00B8CF58306988030EB52C33A8A0AC604
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                        • Instruction ID: 7dbee2969f4053718137fa957fd7199414d8e1ef3c77e98f1d66b600b571f8d0
                                        • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                        • Instruction Fuzzy Hash: C2C08C70280A11ABEB222F20CD02B403AA1BB10B02F4400A0A300DA0F0DF78D801EA00
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                        • Instruction ID: 2f7d4568ad6095e056e5bc80b47cdca1b2b6f7fc4f4d5650ed5c2203a5ad65b2
                                        • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                        • Instruction Fuzzy Hash: 8FC01232080248BBCB226F81CC00F067F2AEBA4B60F008014BA080B5608632E970EA88
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                        • Instruction ID: 42d546f33d33bde5ae5a56cdc1bf779854b7eed7089a962814f6638ec3196db5
                                        • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                        • Instruction Fuzzy Hash: 86C04C32180648BBC7126E45DD01F557B6AE7A4B60F154025B6040A5618976ED61D59C
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                        • Instruction ID: cc5e1e7bd2b32c7ef4ad752f7b2eb433703fd619be59dd81c5033bbd6af65b30
                                        • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                        • Instruction Fuzzy Hash: 26C08C32080248BBC712AA45CD00F117B2AE7A0B60F000020F6040A6618A32E860D588
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                        • Instruction ID: 9e0ca016e1dc891b630efe16394c83fd2108061da7d4e98304f8b616548ba18c
                                        • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                        • Instruction Fuzzy Hash: 57C08CB01411805BEB2A970CCE30B303A91AB49608F88019CEB01296A3C368A802D208
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                        • Instruction ID: 873e1a32259812205de4aa9e6b9506a031bbd8d8287174eb442229629daabc80
                                        • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                        • Instruction Fuzzy Hash: 77C02B70150440FBD7152F30CD01F157254F700F61F64035C7220456F0DE289C00E104
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID:
                                        C-Code - Quality: 53%
                                        			E016BFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                        				void* _t7;
                                        				intOrPtr _t9;
                                        				intOrPtr _t10;
                                        				intOrPtr* _t12;
                                        				intOrPtr* _t13;
                                        				intOrPtr _t14;
                                        				intOrPtr* _t15;
                                        
                                        				_t13 = __edx;
                                        				_push(_a4);
                                        				_t14 =  *[fs:0x18];
                                        				_t15 = _t12;
                                        				_t7 = E0166CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                        				_push(_t13);
                                        				E016B5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                        				_t9 =  *_t15;
                                        				if(_t9 == 0xffffffff) {
                                        					_t10 = 0;
                                        				} else {
                                        					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                        				}
                                        				_push(_t10);
                                        				_push(_t15);
                                        				_push( *((intOrPtr*)(_t15 + 0xc)));
                                        				_push( *((intOrPtr*)(_t14 + 0x24)));
                                        				return E016B5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                        			}











                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016BFDFA
                                        Strings
                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016BFE2B
                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016BFE01
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.371692405.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: true
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                        • API String ID: 885266447-3903918235
                                        • Opcode ID: a94b4ae3efa4aa942f7a996a221185dbeef3a545bd5e26f1d8bbdea9500b5b4d
                                        • Instruction ID: f953a75abab84bd5648f5257beb2f420212c023a173cc5aea62bd82349f8ecad
                                        • Opcode Fuzzy Hash: a94b4ae3efa4aa942f7a996a221185dbeef3a545bd5e26f1d8bbdea9500b5b4d
                                        • Instruction Fuzzy Hash: 48F0C272200602BBE6211A45DC42EB3BB6AEB45B30F240218F628561E1DA62B87087E4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Executed Functions

                                        APIs
                                        • NtCreateFile.NTDLL(00000060,00000000,.z`,02F54BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02F54BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02F5A3AD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID: .z`
                                        • API String ID: 823142352-1441809116
                                        • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                        • Instruction ID: 177e99407182e69f23dccf3bfe33cc188530fd654845b6e6d5e381c19b1bc26a
                                        • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                        • Instruction Fuzzy Hash: FFF0BDB2200208ABCB08CF88DC84EEB77EDAF8C754F158248FA0D97240C630E8118BA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02F42D11,00002000,00003000,00000004), ref: 02F5A579
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        • Opcode ID: 6666cc8b226a2e93d2b56f7e63d6ea0876c87ee07c7a02073ade3396fe1a9da4
                                        • Instruction ID: 4c0ef6d63ab93baa5e0bf02a017ad52b104da4815631dfae535f8b39c95e7506
                                        • Opcode Fuzzy Hash: 6666cc8b226a2e93d2b56f7e63d6ea0876c87ee07c7a02073ade3396fe1a9da4
                                        • Instruction Fuzzy Hash: B10116B2200218AFDB18DF88DC81DAB73ADEF88754F108649FE0897241D630E820CBB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtReadFile.NTDLL(02F54D72,5EB65239,FFFFFFFF,02F54A31,?,?,02F54D72,?,02F54A31,FFFFFFFF,5EB65239,02F54D72,?,00000000), ref: 02F5A455
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtReadFile.NTDLL(02F54D72,5EB65239,FFFFFFFF,02F54A31,?,?,02F54D72,?,02F54A31,FFFFFFFF,5EB65239,02F54D72,?,00000000), ref: 02F5A455
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02F42D11,00002000,00003000,00000004), ref: 02F5A579
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtClose.NTDLL(02F54D50,?,?,02F54D50,00000000,FFFFFFFF), ref: 02F5A4B5
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtClose.NTDLL(02F54D50,?,?,02F54D50,00000000,FFFFFFFF), ref: 02F5A4B5
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559918506.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                        • Associated: 0000000F.00000002.560801367.000000000381B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.560824494.000000000381F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559918506.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                        • Associated: 0000000F.00000002.560801367.000000000381B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.560824494.000000000381F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559918506.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                        • Associated: 0000000F.00000002.560801367.000000000381B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.560824494.000000000381F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559918506.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                        • Associated: 0000000F.00000002.560801367.000000000381B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.560824494.000000000381F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559918506.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                        • Associated: 0000000F.00000002.560801367.000000000381B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.560824494.000000000381F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559918506.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                        • Associated: 0000000F.00000002.560801367.000000000381B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.560824494.000000000381F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559918506.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                        • Associated: 0000000F.00000002.560801367.000000000381B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.560824494.000000000381F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559918506.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                        • Associated: 0000000F.00000002.560801367.000000000381B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.560824494.000000000381F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559918506.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                        • Associated: 0000000F.00000002.560801367.000000000381B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.560824494.000000000381F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559918506.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                        • Associated: 0000000F.00000002.560801367.000000000381B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.560824494.000000000381F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559918506.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                        • Associated: 0000000F.00000002.560801367.000000000381B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.560824494.000000000381F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559918506.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                        • Associated: 0000000F.00000002.560801367.000000000381B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.560824494.000000000381F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559918506.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                        • Associated: 0000000F.00000002.560801367.000000000381B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.560824494.000000000381F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559918506.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                        • Associated: 0000000F.00000002.560801367.000000000381B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.560824494.000000000381F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • Sleep.KERNELBASE(000007D0), ref: 02F59128
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep
                                        • String ID: net.dll$wininet.dll
                                        • API String ID: 3472027048-1269752229
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • Sleep.KERNELBASE(000007D0), ref: 02F59128
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep
                                        • String ID: net.dll$wininet.dll
                                        • API String ID: 3472027048-1269752229
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02F43AF8), ref: 02F5A69D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID: .z`
                                        • API String ID: 3298025750-1441809116
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02F43AF8), ref: 02F5A69D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID: .z`
                                        • API String ID: 3298025750-1441809116
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02F4836A
                                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02F4838B
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02F4836A
                                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02F4838B
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        • Opcode ID: 0c612ca64d64e1737f34504b502cab82f20a6708d9e7d55db33bd818dbf3d47d
                                        • Instruction ID: 4ad7f59fdea234bf684b0038f8d8ce516fec009b46b942330957fe22fc8d2ecd
                                        • Opcode Fuzzy Hash: 0c612ca64d64e1737f34504b502cab82f20a6708d9e7d55db33bd818dbf3d47d
                                        • Instruction Fuzzy Hash: 8E01F731A802287BF721AA909C42FFE7B6C9B41B94F080159FF04BA1C0EAD566064BF1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02F4836A
                                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02F4838B
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        • Opcode ID: d7a9dbe22a70e3f5a1c39f1ef826d06d61ea64f2edb0d3eaef8180c6b7c4da29
                                        • Instruction ID: b5991de48d64ae2cfcc55fc35895604125c15471e089e5781125aeb611a97076
                                        • Opcode Fuzzy Hash: d7a9dbe22a70e3f5a1c39f1ef826d06d61ea64f2edb0d3eaef8180c6b7c4da29
                                        • Instruction Fuzzy Hash: F4F0C831A8023877E721AA909C42FFE7B595B40FD4F090149FF04BA1C0EBE569064BF1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02F4AD62
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: Load
                                        • String ID:
                                        • API String ID: 2234796835-0
                                        • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                        • Instruction ID: 406f53f4cfaeb8567ce3a1715cad7da9a4b83254f69f6caab119498e1a4c03c8
                                        • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                        • Instruction Fuzzy Hash: DE015EB5D4020DABDF10DAA0DC41F9EB7799B04348F004595AF0997240FA70E744CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02F5A734
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: CreateInternalProcess
                                        • String ID:
                                        • API String ID: 2186235152-0
                                        • Opcode ID: eb8638b84feec1f084de3d2f5f4f3c9ce2d5f9331b7646b5ba84cf0359e0f68c
                                        • Instruction ID: fdc2c1c50a83227b19b740bcb523d5882d5312fedfc2d4fe8a24b6ed5cae6b13
                                        • Opcode Fuzzy Hash: eb8638b84feec1f084de3d2f5f4f3c9ce2d5f9331b7646b5ba84cf0359e0f68c
                                        • Instruction Fuzzy Hash: 6301AFB2210108ABCB54DF89DC80EEB37ADAF8C754F158258FA0D97250D630E851CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02F5A734
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: CreateInternalProcess
                                        • String ID:
                                        • API String ID: 2186235152-0
                                        • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                        • Instruction ID: 46a46cf3774d20b62718ddcb3af7f2db7cb7bd58c07819590b54e51a945b18ba
                                        • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                        • Instruction Fuzzy Hash: 59015FB2214108ABCB54DF89DC80EEB77ADAF8C754F158258FA0D97255D630E851CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlAllocateHeap.NTDLL(02F54536,?,02F54CAF,02F54CAF,?,02F54536,?,?,?,?,?,00000000,00000000,?), ref: 02F5A65D
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 74288cdb7effb400b32cc95703ffeeaa8a0645cd172de113f8e851d44c8fb37e
                                        • Instruction ID: 1c9b1473fec2712e9fb996dbda3df1fa6700f2ffe79c01147ae2d1e11478d82d
                                        • Opcode Fuzzy Hash: 74288cdb7effb400b32cc95703ffeeaa8a0645cd172de113f8e851d44c8fb37e
                                        • Instruction Fuzzy Hash: 1AF044B16001146FDB10DF58DC44EE777A8EF88354F1186A5FE0C9B201D631A9218FE0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02F4F050,?,?,00000000), ref: 02F591EC
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: CreateThread
                                        • String ID:
                                        • API String ID: 2422867632-0
                                        • Opcode ID: b68e6f369081869e3b8fd31e12c5b2d380daa11ca5a0600d0435d8fbc4efec32
                                        • Instruction ID: 95a168d11cfe14eb8adf7de01e6f9d63af259b03c440d4480c6eafe2b50e8fd7
                                        • Opcode Fuzzy Hash: b68e6f369081869e3b8fd31e12c5b2d380daa11ca5a0600d0435d8fbc4efec32
                                        • Instruction Fuzzy Hash: C0E092773803243AE7306599AC02FE7B39CCB81B60F140026FB0DEB2C0D995F40146E4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02F4F050,?,?,00000000), ref: 02F591EC
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: CreateThread
                                        • String ID:
                                        • API String ID: 2422867632-0
                                        • Opcode ID: 5064d8843c6ff12873ff436556d372574f440a9992955e67772650c23afe3f3a
                                        • Instruction ID: 4fc0fc81a0fbd3dc2dd8c2f079e1174c4cd67f866fd5e0daf9061b2479180c52
                                        • Opcode Fuzzy Hash: 5064d8843c6ff12873ff436556d372574f440a9992955e67772650c23afe3f3a
                                        • Instruction Fuzzy Hash: 3AE0D8777803103AE73066689C03FEB77999F91B50F190119FB49BB2C1D9D5B4014AE4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlAllocateHeap.NTDLL(02F54536,?,02F54CAF,02F54CAF,?,02F54536,?,?,?,?,?,00000000,00000000,?), ref: 02F5A65D
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                        • Instruction ID: e449b96b0e3a8973347b260cf7e0b94e3236eb023b8b736c4e8adfd1146e964b
                                        • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                        • Instruction Fuzzy Hash: 74E046B2200218ABDB14EF99CC40EA777ADEF88754F118558FE085B241C630F910CBF0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,02F4F1D2,02F4F1D2,?,00000000,?,?), ref: 02F5A800
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                        • Instruction ID: 9dd2aef2c3fabf2799361750d8c38b922f342a0e040736ff6f61fb3945a21489
                                        • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                        • Instruction Fuzzy Hash: 45E01AB12002186BDB10DF49CC84EE737ADEF88650F118154FE0857241C930E8108BF5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetErrorMode.KERNELBASE(00008003,?,02F48D14,?), ref: 02F4F6FB
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559409706.0000000002F40000.00000040.00020000.sdmp, Offset: 02F40000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorMode
                                        • String ID:
                                        • API String ID: 2340568224-0
                                        • Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                        • Instruction ID: 154922064d25eebb6b18a4e52171f615817e1ab0e5f498cffbd870a67de5a356
                                        • Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                        • Instruction Fuzzy Hash: 13D05E616503082BE610AAA49C12F6632895B44A54F490064FA48962C3ED90E0004565
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559918506.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                        • Associated: 0000000F.00000002.560801367.000000000381B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.560824494.000000000381F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 0fd06d084880cc76b42f7508f84834baadd3dc58262f127501e257c14ec3c0c3
                                        • Instruction ID: 21366c38769c8bbe3a5472d1b332b0c02609fdc0b829177763d0711acb8457d8
                                        • Opcode Fuzzy Hash: 0fd06d084880cc76b42f7508f84834baadd3dc58262f127501e257c14ec3c0c3
                                        • Instruction Fuzzy Hash: 0AB09B719015C5C9FA11D760470871779447BD5741F16C061D2020641A4778C091F5B5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        C-Code - Quality: 53%
                                        			E037BFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                        				void* _t7;
                                        				intOrPtr _t9;
                                        				intOrPtr _t10;
                                        				intOrPtr* _t12;
                                        				intOrPtr* _t13;
                                        				intOrPtr _t14;
                                        				intOrPtr* _t15;
                                        
                                        				_t13 = __edx;
                                        				_push(_a4);
                                        				_t14 =  *[fs:0x18];
                                        				_t15 = _t12;
                                        				_t7 = E0376CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                        				_push(_t13);
                                        				E037B5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                        				_t9 =  *_t15;
                                        				if(_t9 == 0xffffffff) {
                                        					_t10 = 0;
                                        				} else {
                                        					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                        				}
                                        				_push(_t10);
                                        				_push(_t15);
                                        				_push( *((intOrPtr*)(_t15 + 0xc)));
                                        				_push( *((intOrPtr*)(_t14 + 0x24)));
                                        				return E037B5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                        			}


                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 037BFDFA
                                        Strings
                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 037BFE01
                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 037BFE2B
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.559918506.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                        • Associated: 0000000F.00000002.560801367.000000000381B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.560824494.000000000381F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                        • API String ID: 885266447-3903918235
                                        • Opcode ID: 8fc867ae0da030e2f21de6e5bed8e52925184cc87b485f72ef503ffebd5264cf
                                        • Instruction ID: 776ef4d646dbef420b065e56c6a1c6a292dd5e81dc9b8908947d31dbe9a24356
                                        • Opcode Fuzzy Hash: 8fc867ae0da030e2f21de6e5bed8e52925184cc87b485f72ef503ffebd5264cf
                                        • Instruction Fuzzy Hash: BEF0C8762006017FD7215E45DC05F67BB7ADB45730F140214F624591D1D962B83096A4
                                        Uniqueness

                                        Uniqueness Score: -1.00%