Analysis Report KYC DEBIT 11202020.exe

Overview

General Information

Sample Name:KYC DEBIT 11202020.exe
Analysis ID:321019
MD5:1a507889b51bb4c630efdab875fe492d
SHA1:18213e51363e486cff2e3707db5f3b85dc9c7d6f
SHA256:dc124de38bc46065f427928b5b1c0dae742f8dbbca236e611735f24ae70e6cb5
Tags:exe

Detection

FormBook
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected FormBook
Machine Learning detection for sample
Detected potential crypto function
Enables debug privileges
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Yara signature match

Startup

  • System is w10x64
  • KYC DEBIT 11202020.exe (PID: 4168 cmdline: 'C:\Users\user\Desktop\KYC DEBIT 11202020.exe' MD5: 1A507889B51BB4C630EFDAB875FE492D)
    • WerFault.exe (PID: 5340 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 7788 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0xb050:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xb3da:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x16ced:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x167d9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x16def:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x16f67:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xbde2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x15a54:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xcb5a:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1bdcf:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ce42:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18cf1:$sqlite3step: 68 34 1C 7B E1
  • 0x18e04:$sqlite3step: 68 34 1C 7B E1
  • 0x18d20:$sqlite3text: 68 38 2A 90 C5
  • 0x18e45:$sqlite3text: 68 38 2A 90 C5
  • 0x18d33:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18e5b:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0xb050:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xb3da:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x16ced:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x167d9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x16def:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x16f67:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xbde2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x15a54:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xcb5a:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1bdcf:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ce42:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      AV Detection:

      Yara detected FormBook
      Source: Yara match; File source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match; File source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY
      Machine Learning detection for sample
      Source: KYC DEBIT 11202020.exe; Joe Sandbox ML: detected

      E-Banking Fraud:

      Yara detected FormBook
      Source: Yara match; File source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match; File source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
      Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
      Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
      Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
      Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe; Code function: 0_2_00BCDB21
      Source: unknown; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 7788
      Source: KYC DEBIT 11202020.exe, 00000000.00000002.300296289.0000000005740000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameJnMryRIPGtnuqyyG.bounce.exe4 vs KYC DEBIT 11202020.exe
      Source: KYC DEBIT 11202020.exe, 00000000.00000002.300792152.00000000060B0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs KYC DEBIT 11202020.exe
      Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: sfc.dll
      Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: phoneinfo.dll
      Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: ext-ms-win-xblauth-console-l1.dll (2 occurrences)
      Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: KYC DEBIT 11202020.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: classification engine; Classification label: mal60.troj.winEXE@33502/4@0/1
      Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4168
      Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE917.tmp
      Source: KYC DEBIT 11202020.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 occurrences)
      Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
      Source: unknown; Process created: C:\Users\user\Desktop\KYC DEBIT 11202020.exe 'C:\Users\user\Desktop\KYC DEBIT 11202020.exe'
      Source: unknown; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 7788
      Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
      Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: KYC DEBIT 11202020.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: KYC DEBIT 11202020.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: mscorlib.pdb source: WERE917.tmp.dmp.3.dr
      Source: Binary string: System.ni.pdbRSDS source: WERE917.tmp.dmp.3.dr
      Source: Binary string: System.Drawing.pdb source: WERE917.tmp.dmp.3.dr
      Source: Binary string: mscorlib.ni.pdb source: WERE917.tmp.dmp.3.dr
      Source: Binary string: mscorlib.ni.pdbRSDS source: WERE917.tmp.dmp.3.dr
      Source: Binary string: System.ni.pdb source: WERE917.tmp.dmp.3.dr
      Source: Binary string: System.pdb source: WERE917.tmp.dmp.3.dr
      Source: initial sample; Static PE information: section name: .text entropy: 7.86097375794
      Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe; Process information set: NOOPENFILEERRORBOX (20 occurrences)
      Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX (19 occurrences)
      Source: C:\Windows\SysWOW64\WerFault.exe; File opened: PhysicalDrive0
      Source: C:\Windows\SysWOW64\WerFault.exe; Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe; Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\WerFault.exe; Process token adjusted: Debug
      Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe; Memory allocated: page read and write | page guard
      Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe; Queries volume information: C:\Users\user\Desktop\KYC DEBIT 11202020.exe VolumeInformation
      Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation

      Stealing of Sensitive Information:

      Yara detected FormBook
      Source: Yara match; File source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match; File source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY

      Remote Access Functionality:

      Yara detected FormBook
      Source: Yara match; File source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match; File source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation | DLL Side-Loading1 | Process Injection1 | Virtualization/Sandbox Evasion1 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Disable or Modify Tools1 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing2 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection1 | NTDS | System Information Discovery21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features

      Behavior Graph

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label | Link
      KYC DEBIT 11202020.exe | 100% | Joe Sandbox ML | |

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted IPs

      Public

      IP | Domain | Country | Flag | ASN | ASN Name | Malicious

      Private

      IP
      192.168.2.1

      General Information

      Joe Sandbox Version:31.0.0 Red Diamond
      Analysis ID:321019
      Start date:20.11.2020
      Start time:09:16:58
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 6m 43s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:KYC DEBIT 11202020.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:14
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal60.troj.winEXE@33502/4@0/1
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 19.6% (good quality ratio 12.5%)
      • Quality average: 48.2%
      • Quality standard deviation: 36.6%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 1
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .exe
      Warnings:
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
      • Excluded IPs from analysis (whitelisted): 52.147.198.201, 92.122.144.200
      • Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, umwatsonrouting.trafficmanager.net, fs.microsoft.com, e1723.g.akamaiedge.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtSetInformationFile calls found.

      Simulations

      Behavior and APIs

      Time | Type | Description
      09:18:30 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_KYC DEBIT 112020_61257d391877fef8e1fad562b49b966fbe1f87_3e8fb774_14bb27d6\Report.wer
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
      Category:dropped
      Size (bytes):12958
      Entropy (8bit):3.7775445336367377
      Encrypted:false
      SSDEEP:192:OWVd/WkRgHBUZMXiaKoKVgz/u7s1S274It1ao:hV1WkOBUZMXiaJz/u7s1X4It1ao
      MD5:CA4AB08F78D4FEDF6DB26B8503A0F04C
      SHA1:47C3E1793AA727CB1D4C2FEC231ECD2F825E9DB8
      SHA-256:2DB307ED9F68E24ABC714725F0FF213F5B2652D494CADDDDE180035ECD57D2A2
      SHA-512:EE13B730F5E11D1D5379F9A57102E321CEE57E1E98A278BA42A124674DECA159B4E8D46B97ACA09A7DCA5CAA1C301A83E3144B05584675854E02CC546CA7EFFC
      Malicious:false
      Reputation:low
      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.0.3.6.6.2.9.3.9.6.3.6.1.3.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.0.3.6.6.2.9.5.5.2.6.1.0.8.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.8.d.4.e.2.2.a.-.8.4.3.4.-.4.a.9.b.-.9.3.9.d.-.e.0.6.b.3.f.f.b.a.8.e.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.f.2.1.1.4.7.1.-.8.4.1.c.-.4.6.1.0.-.a.f.7.f.-.4.b.9.3.9.5.0.8.9.6.b.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.K.Y.C. .D.E.B.I.T. .1.1.2.0.2.0.2.0...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.4.8.-.0.0.0.1.-.0.0.1.7.-.0.f.a.6.-.6.9.1.4.6.1.b.f.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.4.c.c.6.e.c.6.2.d.d.6.9.b.e.a.5.e.a.b.0.b.7.7.f.3.d.0.4.3.8.3.0.0.0.0.f.f.f.f.!.0.0.0.0.1.8.2.1.3.e.5.1.3.6.3.e.4.8.6.c.f.f.2.e.3.7.0.7.d.b.5.f.3.b.8.5.d.c.9.c.7.d.6.f.!.K.Y.C. .D.E.B.I.T. .1.1.2.0.2.
      C:\ProgramData\Microsoft\Windows\WER\Temp\WERE917.tmp.dmp
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Fri Nov 20 17:18:14 2020, 0x1205a4 type
      Category:dropped
      Size (bytes):292042
      Entropy (8bit):3.666978083515441
      Encrypted:false
      SSDEEP:3072:gUCgUob4KBa5LXjd+pNVCigP9gIOgF5M0MVIDxAE:gTjU4eWAp7I9RpDMDy5
      MD5:786BB5B457E4AF51EB0F2768A2AE57CF
      SHA1:97CB2A16972A16197E03F23A2FAD2BB34603BB86
      SHA-256:FD5BD1A73277D8D77B3655F6B7DB3E27268CE384C509CB46255238F1A6C91CF9
      SHA-512:032DEB2695B2320A0150196A5CDDBD9A89ACD06BBB2A8854A30B6B74D9EB8A02E22F23CE1FD13D0EA46EC2B919DAE0A27E71C25CAFF56BF74119AE9E6624B1B5
      Malicious:false
      Reputation:low
      Preview: MDMP....... .......V.._...................U...........B......T.......GenuineIntelW...........T.......H...@.._.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
      C:\ProgramData\Microsoft\Windows\WER\Temp\WERED9D.tmp.WERInternalMetadata.xml
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
      Category:dropped
      Size (bytes):8442
      Entropy (8bit):3.7013057923344577
      Encrypted:false
      SSDEEP:192:Rrl7r3GLNiPH6+6YS/SUWA/gmfZ0SQCprQ89b7asf5pm:RrlsNiv6+6YKSUWA/gmfGSl75f2
      MD5:D905D1637164D1119FAFBE81C8DF667E
      SHA1:A5EAFF9038D530315C21B95D4DC203F4F2492C78
      SHA-256:06CD23812326C76057BDCE1256C9506E1EF86BBD3985CA7D178333CAB9B869F3
      SHA-512:9994739259F5122C20793E810620F3AE4C20CB6F040C66FA4A55249374A40C1B13EF46BD84132AA7EAB4DC98AD16CB3FCC9A12FA90C392CA7A101B38C286729B
      Malicious:false
      Reputation:low
      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.1.6.8.<./.P.i.d.>.......
      C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE98.tmp.xml
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4723
      Entropy (8bit):4.501096848790684
      Encrypted:false
      SSDEEP:48:cvIwSD8zsRJgtWI9Xi8WSC8BI8fm8M4JZyokFom+q8vAyo1wzXvxXJd:uITfj8i1SN7JeKywzXvxXJd
      MD5:593199A442B0E6FEB4E20A5F3BA57EFB
      SHA1:40DCF5AF35370467C6F1DDB3FC64A6DC31EAEB49
      SHA-256:D0C0277E6953D6B9C1A94BEC872869343B6B16E2414F848D6FCEB508EF38C0C2
      SHA-512:401AEE82E141D91D5D9D69AEE5781102804AAB440737026BE7A5EB593AE2606F126FB80C8FBDF8DFAFA506BFD46F6211DBC33C02BEF19DD7E98005B7DEDAA294
      Malicious:false
      Reputation:low
      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="737428" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

      Static File Info

      General

      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
      Entropy (8bit):7.8547656632266065
      TrID:
      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
      • Win32 Executable (generic) a (10002005/4) 49.78%
      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
      • Generic Win/DOS Executable (2004/3) 0.01%
      • DOS Executable Generic (2002/1) 0.01%
      File name:KYC DEBIT 11202020.exe
      File size:546816
      MD5:1a507889b51bb4c630efdab875fe492d
      SHA1:18213e51363e486cff2e3707db5f3b85dc9c7d6f
      SHA256:dc124de38bc46065f427928b5b1c0dae742f8dbbca236e611735f24ae70e6cb5
      SHA512:65ebfd138e7cce5114470b6ce59186007add72367bc604cbaaefca5673193bbd06e1293cb9f78d1e981cdcc797c08207c5c4bdddea427725e5390c9a255e3be0
      SSDEEP:12288:BiHYRuVLX/Jp+zlQiMAi513nW3HDUnIIb1duIXOX:8Y4V9p6lx4/nsHDUnBbOIXO
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F6._.................P...........n... ........@.. ....................................@................................

      File Icon

      Icon Hash:00828e8e8686b000

      Static PE Info

      General

      Entrypoint:0x486eee
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Time Stamp:0x5FB73646 [Fri Nov 20 03:21:42 2020 UTC] (roughly five hours before this analysis run started at 09:17:53 CET on the same day)
      TLS Callbacks:
      CLR (.Net) Version:v4.0.30319
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

      Entrypoint Preview

      Instruction
      jmp dword ptr [00402000h]    ; FF 25 00 20 40 00: 0x402000 = imagebase 0x400000 + IAT RVA 0x2000, the single IAT slot that the import table (mscoree.dll, _CorExeMain) fills at load time
      add byte ptr [eax], al       ; 00 00: the remaining 97 lines of the preview are this same instruction, i.e. zero padding after the six-byte stub

      This is the standard native entry of a .NET executable: control passes to the CLR through _CorExeMain, and the managed code is located via the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR at RVA 0x2008, 0x48 bytes). Native disassembly of the .text section, whose entropy of 7.86 indicates a packed payload, yields nothing meaningful beyond this stub.

      Data Directories

      Name                                  Virtual Address  Virtual Size  Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
      IMAGE_DIRECTORY_ENTRY_IMPORT          0x86ea0          0x4b          .text
      IMAGE_DIRECTORY_ENTRY_RESOURCE        0x88000          0x242         .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
      IMAGE_DIRECTORY_ENTRY_BASERELOC       0x8a000          0xc           .reloc
      IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
      IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
      IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

      Sections

      Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
      .text   0x2000           0x84ef4       0x85000   False     0.898793614897   data       7.86097375794   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      .rsrc   0x88000          0x242         0x400     False     0.30859375       data       3.56683492949   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .reloc  0x8a000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

      Resources

      Name         RVA      Size   Type                                                                        Language  Country
      RT_MANIFEST  0x88058  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

      Imports

      DLL          Import
      mscoree.dll  _CorExeMain
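
The fields above (entry-point stub, data directories, section table, imports) are what a static triage pass reads first. The following Python is an added example, not part of this report or of Joe Sandbox: parse_pe() pulls those fields out of a PE32 image and triage() turns them into findings (entry through the IAT into _CorExeMain, a non-empty CLR header, a section with entropy above 7.0, no Authenticode directory). build_sample_pe() constructs a synthetic PE whose header values mirror this sample (imagebase 0x400000, IAT at RVA 0x2000, CLR header at 0x2008, link timestamp 0x5FB73646, DllCharacteristics 0x8540) with a deterministic high-entropy filler in place of the packed .text; it is not the sample, and the function and field names are the example's own.

```python
"""Added example (not the report's own tooling): parse the static PE fields shown above
from raw bytes and triage them. build_sample_pe() constructs a PE32 whose header values
mirror this report; it is not the sample and carries no payload."""
import hashlib, math, struct
from collections import Counter
from datetime import datetime, timezone

DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
DIR_IMPORT, DIR_RESOURCE, DIR_SECURITY, DIR_IAT, DIR_COM = 1, 2, 4, 12, 14


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 mean compressed or encrypted content."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_pe(image: bytes) -> dict:
    """Parse a PE32 image (this sample's format) into the fields an analyst checks first."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect, timestamp, opt_size = struct.unpack_from("<2xHI8xH", image, pe + 4)  # COFF header
    opt = pe + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva, image_base = struct.unpack_from("<I8xI", image, opt + 16)
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    ndirs = struct.unpack_from("<I", image, opt + 92)[0]
    dirs = [struct.unpack_from("<II", image, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "vaddr": vaddr, "vsize": vsize,
                         "rsize": rsize, "rptr": rptr, "entropy": round(shannon_entropy(image[rptr:rptr + rsize]), 2)})

    def rva_to_offset(rva: int) -> int:  # map an RVA to a file offset through the section table
        s = next(s for s in sections if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rsize"]))
        return s["rptr"] + rva - s["vaddr"]

    # A .NET executable's native entry point is one `jmp dword ptr [IAT slot]` into
    # mscoree!_CorExeMain; everything after those six bytes is zero padding.
    ep = rva_to_offset(entry_rva)
    stub, via_iat = None, False
    if image[ep:ep + 2] == b"\xff\x25":
        target = struct.unpack_from("<I", image, ep + 2)[0]
        stub, via_iat = f"jmp dword ptr [{target:#010x}]", target == image_base + dirs[DIR_IAT][0]
    return {"timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
            "entry_rva": entry_rva, "image_base": image_base, "entry_stub": stub, "entry_via_iat": via_iat,
            "dll_characteristics": sorted(n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit),
            "signed": dirs[DIR_SECURITY][1] != 0, "is_dotnet": dirs[DIR_COM][1] != 0, "sections": sections}


def triage(info: dict, entropy_threshold: float = 7.0) -> list:
    """Reduce the parsed fields to the findings worth a second look."""
    findings = []
    if info["is_dotnet"] and info["entry_via_iat"]:
        findings.append("native entry is the .NET _CorExeMain stub; x86 disassembly past the jmp is padding")
    findings += [f"{s['name']} entropy {s['entropy']}: packed or encrypted content"
                 for s in info["sections"] if s["entropy"] > entropy_threshold]
    if not info["signed"]:
        findings.append("no Authenticode signature (SECURITY directory is empty)")
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 mirroring this report's header values (not the real file)."""
    image_base, text_rva, text_raw, text_size = 0x400000, 0x2000, 0x200, 0x1000
    rsrc_rva, rsrc_raw, rsrc_size = 0x4000, text_raw + text_size, 0x200
    entry_rva = text_rva + 0x100
    dirs = [(0, 0)] * 16
    dirs[DIR_IMPORT], dirs[DIR_RESOURCE] = (text_rva + 0xF00, 0x4B), (rsrc_rva, rsrc_size)
    dirs[DIR_IAT], dirs[DIR_COM] = (text_rva, 8), (text_rva + 8, 0x48)  # one IAT slot; IMAGE_COR20_HEADER
    hdr = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80) + bytes(0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 2, 0x5FB73646, 0, 0, 0xE0, 0x0102)  # i386, 2 sections, link time
    hdr += struct.pack("<HBBIIIIIII", 0x10B, 0x30, 0, text_size, rsrc_size, 0,
                       entry_rva, text_rva, rsrc_rva, image_base)
    hdr += struct.pack("<IIHHHHHHIIIIHHIIIIII", 0x2000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x6000, 0x200,
                       0, 2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # GUI; 0x8540 = DllCharacteristics above
    hdr += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    for name, vaddr, size, rptr, flags in ((b".text", text_rva, text_size, text_raw, 0x60000020),
                                           (b".rsrc", rsrc_rva, rsrc_size, rsrc_raw, 0x40000040)):
        hdr += struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, rptr, 0, 0, 0, 0, flags)
    # Deterministic high-entropy filler stands in for the packed .text payload.
    text = bytearray(hashlib.pbkdf2_hmac("sha256", b"constructed", b"filler", 1, dklen=text_size))
    text[0:8] = struct.pack("<II", text_rva + 0xF20, 0)                        # IAT slot + terminator
    text[8:8 + 0x48] = struct.pack("<IHH", 0x48, 2, 5).ljust(0x48, b"\0")      # CLR header (cb, v2.5)
    text[0x100:0x106] = b"\xff\x25" + struct.pack("<I", image_base + text_rva)  # jmp dword ptr [IAT]
    text[0x106:0x200] = bytes(0x200 - 0x106)                                   # zero padding after the stub
    rsrc = b"<assembly xmlns='urn:schemas-microsoft-com:asm.v1'/>".ljust(rsrc_size, b"\0")
    return hdr.ljust(text_raw, b"\0") + bytes(text) + rsrc
```

To run it against the real file, pass open(path, "rb").read() to parse_pe(). The 7.0 entropy threshold is a common packer heuristic; the 7.86 reported above for .text is well over it, which is why the native disassembly shows nothing beyond the entry stub.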

      Network Behavior

      UDP Packets

      Timestamp                            Source Port  Dest Port  Source IP    Dest IP
      Nov 20, 2020 09:17:53.056655884 CET  56961        53         192.168.2.3  8.8.8.8
      Nov 20, 2020 09:17:53.092269897 CET  53           56961      8.8.8.8      192.168.2.3
      Nov 20, 2020 09:17:53.986880064 CET  59353        53         192.168.2.3  8.8.8.8
      Nov 20, 2020 09:17:54.014408112 CET  53           59353      8.8.8.8      192.168.2.3
      Nov 20, 2020 09:17:55.380896091 CET  52238        53         192.168.2.3  8.8.8.8
      Nov 20, 2020 09:17:55.408087015 CET  53           52238      8.8.8.8      192.168.2.3
      Nov 20, 2020 09:17:56.147533894 CET  49873        53         192.168.2.3  8.8.8.8
      Nov 20, 2020 09:17:56.174639940 CET  53           49873      8.8.8.8      192.168.2.3
      Nov 20, 2020 09:17:56.970762014 CET  53196        53         192.168.2.3  8.8.8.8
      Nov 20, 2020 09:17:56.997936010 CET  53           53196      8.8.8.8      192.168.2.3
      Nov 20, 2020 09:17:58.139626980 CET  56777        53         192.168.2.3  8.8.8.8
      Nov 20, 2020 09:17:58.166762114 CET  53           56777      8.8.8.8      192.168.2.3
      Nov 20, 2020 09:17:59.163197994 CET  58643        53         192.168.2.3  8.8.8.8
      Nov 20, 2020 09:17:59.190366983 CET  53           58643      8.8.8.8      192.168.2.3
      Nov 20, 2020 09:17:59.975115061 CET  60985        53         192.168.2.3  8.8.8.8
      Nov 20, 2020 09:18:00.002249002 CET  53           60985      8.8.8.8      192.168.2.3
      Nov 20, 2020 09:18:00.851927996 CET  50200        53         192.168.2.3  8.8.8.8
      Nov 20, 2020 09:18:00.879008055 CET  53           50200      8.8.8.8      192.168.2.3
      Nov 20, 2020 09:18:01.601603985 CET  51281        53         192.168.2.3  8.8.8.8
      Nov 20, 2020 09:18:01.628655910 CET  53           51281      8.8.8.8      192.168.2.3
      Nov 20, 2020 09:18:03.030726910 CET  49199        53         192.168.2.3  8.8.8.8
      Nov 20, 2020 09:18:03.057806015 CET  53           49199      8.8.8.8      192.168.2.3
      Nov 20, 2020 09:18:04.010086060 CET  50620        53         192.168.2.3  8.8.8.8
      Nov 20, 2020 09:18:04.037270069 CET  53           50620      8.8.8.8      192.168.2.3
      Nov 20, 2020 09:18:04.970616102 CET  64938        53         192.168.2.3  8.8.8.8
      Nov 20, 2020 09:18:04.997704983 CET  53           64938      8.8.8.8      192.168.2.3
      Nov 20, 2020 09:18:06.442523956 CET  60152        53         192.168.2.3  8.8.8.8
      Nov 20, 2020 09:18:06.469597101 CET  53           60152      8.8.8.8      192.168.2.3
      Nov 20, 2020 09:18:11.887151003 CET  57544        53         192.168.2.3  8.8.8.8
      Nov 20, 2020 09:18:11.922557116 CET  53           57544      8.8.8.8      192.168.2.3
      Nov 20, 2020 09:18:12.858613968 CET  55984        53         192.168.2.3  8.8.8.8
      Nov 20, 2020 09:18:12.885711908 CET  53           55984      8.8.8.8      192.168.2.3
      Nov 20, 2020 09:18:13.717292070 CET  64185        53         192.168.2.3  8.8.8.8
      Nov 20, 2020 09:18:13.744362116 CET  53           64185      8.8.8.8      192.168.2.3
      Nov 20, 2020 09:18:15.364953995 CET  65110        53         192.168.2.3  8.8.8.8
      Nov 20, 2020 09:18:15.402148008 CET  53           65110      8.8.8.8      192.168.2.3
      Nov 20, 2020 09:18:15.505676985 CET  58361        53         192.168.2.3  8.8.8.8
      Nov 20, 2020 09:18:15.532661915 CET  53           58361      8.8.8.8      192.168.2.3
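
Every UDP packet in the table is a DNS exchange between the sandbox VM (192.168.2.3) and 8.8.8.8, and the report does not show the queried names, so the only signal in the table is timing. The following Python is an added example, not part of the report: it pairs each query with the reply sent back to the same ephemeral port, computes per-query latency and the spacing between consecutive queries, and lists queries that got no reply. The embedded rows are the last six exchanges from the table above plus one constructed query (port 50001) that is never answered; the field and function names are the example's own.

```python
"""Added example (not part of the report): pair the DNS queries and replies in the
UDP table above, compute per-query latency and the spacing between queries.
The rows are copied from the table; the last query (port 50001) is CONSTRUCTED
so that the unanswered-query path is exercised."""
import re
from datetime import datetime, timedelta

UDP_ROWS = """\
Nov 20, 2020 09:18:06.442523956 CET  60152  53  192.168.2.3  8.8.8.8
Nov 20, 2020 09:18:06.469597101 CET  53  60152  8.8.8.8  192.168.2.3
Nov 20, 2020 09:18:11.887151003 CET  57544  53  192.168.2.3  8.8.8.8
Nov 20, 2020 09:18:11.922557116 CET  53  57544  8.8.8.8  192.168.2.3
Nov 20, 2020 09:18:12.858613968 CET  55984  53  192.168.2.3  8.8.8.8
Nov 20, 2020 09:18:12.885711908 CET  53  55984  8.8.8.8  192.168.2.3
Nov 20, 2020 09:18:13.717292070 CET  64185  53  192.168.2.3  8.8.8.8
Nov 20, 2020 09:18:13.744362116 CET  53  64185  8.8.8.8  192.168.2.3
Nov 20, 2020 09:18:15.364953995 CET  65110  53  192.168.2.3  8.8.8.8
Nov 20, 2020 09:18:15.402148008 CET  53  65110  8.8.8.8  192.168.2.3
Nov 20, 2020 09:18:15.505676985 CET  58361  53  192.168.2.3  8.8.8.8
Nov 20, 2020 09:18:15.532661915 CET  53  58361  8.8.8.8  192.168.2.3
Nov 20, 2020 09:18:16.900000000 CET  50001  53  192.168.2.3  8.8.8.8
"""

ROW_RE = re.compile(r"^(\w{3} \d{2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")


def parse_rows(text: str) -> list:
    """Parse report rows into dicts; the 9-digit fraction is truncated to microseconds."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            base, frac, sport, dport, src, dst = m.groups()
            ts = datetime.strptime(base, "%b %d, %Y %H:%M:%S") + timedelta(microseconds=int(frac[:6].ljust(6, "0")))
            rows.append({"ts": ts, "sport": int(sport), "dport": int(dport), "src": src, "dst": dst})
    return rows


def pair_dns(rows: list) -> tuple:
    """Match each query (dst port 53) to the reply sent back to the same ephemeral port."""
    pending, pairs = {}, []
    for r in rows:
        if r["dport"] == 53:
            pending[(r["src"], r["sport"], r["dst"])] = r
        elif r["sport"] == 53:
            q = pending.pop((r["dst"], r["dport"], r["src"]), None)
            if q:
                pairs.append({"client_port": q["sport"], "resolver": q["dst"], "query_ts": q["ts"],
                              "rtt_ms": (r["ts"] - q["ts"]).total_seconds() * 1000})
    return pairs, list(pending.values())


def summarize(text: str) -> dict:
    """Cadence and latency summary: the only signal left when query names are not recorded."""
    rows = parse_rows(text)
    pairs, unanswered = pair_dns(rows)
    query_ts = sorted(r["ts"] for r in rows if r["dport"] == 53)
    gaps = [(b - a).total_seconds() for a, b in zip(query_ts, query_ts[1:])]
    return {"queries": len(query_ts), "answered": len(pairs),
            "unanswered_ports": [u["sport"] for u in unanswered],
            "resolvers": sorted({p["resolver"] for p in pairs}),
            "rtt_ms": [round(p["rtt_ms"], 1) for p in pairs],
            "min_gap_s": round(min(gaps), 2) if gaps else 0.0,
            "max_gap_s": round(max(gaps), 2) if gaps else 0.0}
```

On the full table the queries are spaced roughly one second apart with a 5.4 s pause before the 09:18:11 query, and every query received a reply within 27 to 37 ms. Without the queried names, which the report does not list, that cadence is the only network indicator this section offers.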

      Code Manipulations

      System Behavior

      General

      Start time:09:17:53
      Start date:20/11/2020
      Path:C:\Users\user\Desktop\KYC DEBIT 11202020.exe
      Wow64 process (32bit):true
      Commandline:'C:\Users\user\Desktop\KYC DEBIT 11202020.exe'
      Imagebase:0xb50000
      File size:546816 bytes
      MD5 hash:1A507889B51BB4C630EFDAB875FE492D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, Author: Joe Security
      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, Author: JPCERT/CC Incident Response Group
      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
      Reputation:low

      General

      Start time:09:18:13
      Start date:20/11/2020
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 7788
      Imagebase:0xee0000
      File size:434592 bytes
      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET (sandbox heuristic; WerFault.exe is a native Microsoft component, not a .NET assembly)
      Reputation:high

      Disassembly

      Code Analysis


        Executed Functions

        Non-executed Functions

        C-Code - Quality: 79%
        (Automatic decompilation of 0x00BCDB21, RVA 0x7DB21 from the runtime imagebase 0xb50000, inside the high-entropy .text section and listed under Non-executed Functions. The privileged and segment-register instructions below, such as in al, dx; pop ds; sgdt; and asm("invalid"), show packed data being interpreted as x86 code; the listing is not program logic and should not be read as such.)
        			E00BCDB21(signed int __eax, void* __ebx, signed int __ecx, signed int __edx, signed int __edi, signed int __esi) {
        				signed char _t311;
        				void* _t313;
        				signed int _t314;
        				signed int _t315;
        				signed int _t316;
        				signed int _t318;
        				signed int _t328;
        				intOrPtr* _t329;
        				signed int _t334;
        				signed int _t340;
        				signed int* _t341;
        				signed int _t342;
        				intOrPtr* _t343;
        				signed int _t345;
        				intOrPtr* _t347;
        				signed int _t348;
        				signed int _t355;
        				signed int _t356;
        				signed int _t357;
        				intOrPtr* _t358;
        				intOrPtr* _t359;
        				signed int _t360;
        				signed int _t361;
        				signed int _t363;
        				signed int _t364;
        				signed int _t365;
        				signed char _t373;
        				signed char _t374;
        				signed char _t377;
        				signed char _t378;
        				signed char _t379;
        				signed char _t380;
        				signed char _t381;
        				signed char _t382;
        				signed char _t383;
        				signed char _t384;
        				signed int _t385;
        				signed int* _t386;
        				intOrPtr* _t389;
        				signed int _t391;
        				intOrPtr* _t393;
        				signed int _t394;
        				intOrPtr* _t395;
        				signed char _t396;
        				intOrPtr* _t398;
        				signed char _t399;
        				signed int _t400;
        				intOrPtr* _t401;
        				signed int _t402;
        				signed int _t403;
        				signed int* _t405;
        				signed int _t409;
        				signed int _t410;
        				intOrPtr* _t411;
        				signed int _t412;
        				char* _t413;
        				signed char _t414;
        				void* _t418;
        				signed int _t420;
        				signed int _t421;
        				intOrPtr* _t422;
        				intOrPtr* _t423;
        				void* _t424;
        				signed int _t425;
        				intOrPtr* _t426;
        				signed int _t429;
        				void* _t430;
        				signed int* _t432;
        				intOrPtr* _t435;
        				intOrPtr* _t436;
        				intOrPtr* _t438;
        				signed int* _t440;
        				signed int _t442;
        				signed int _t443;
        				intOrPtr* _t444;
        				signed int _t445;
        				signed int _t448;
        				signed int* _t452;
        				signed int _t453;
        				signed int* _t454;
        				signed char _t459;
        				intOrPtr* _t462;
        				signed int* _t464;
        				signed int* _t465;
        				signed int _t467;
        
        				_t311 = __eax | 0xffffffff9fe00603;
        				asm("sbb ecx, [0xb8000102]");
        				_pop(ds);
        				asm("in al, dx");
        				asm("adc eax, [esi]");
        				 *((intOrPtr*)(__esi + 0x113ec1b)) =  *((intOrPtr*)(__esi + 0x113ec1b)) + __ecx;
        				 *__edx =  *__edx + _t311;
        				asm("adc eax, [esi]");
        				_t313 = (_t311 & __ecx) + (_t311 & __ecx);
        				asm("sbb ebp, esp");
        				asm("adc eax, [ecx]");
        				_t465[0x43aac7] = _t465[0x43aac7] + _t313;
        				_t465[0x407647] = _t465[0x407647] + __ecx;
        				_t420 = __ecx + __ecx;
        				_pop(ds);
        				asm("scasd");
        				 *_t420 =  *_t420 + _t313;
        				_t314 = _t313 + _t420;
        				_pop(ds);
        				asm("scasd");
        				 *_t420 =  *_t420 + _t314;
        				_t409 = __ebx + __edx;
        				_pop(ds);
        				asm("scasd");
        				 *_t420 =  *_t420 + _t314;
        				 *((intOrPtr*)(__esi + 0x16)) =  *((intOrPtr*)(__esi + 0x16)) + _t314;
        				_t315 = _t314 | 0x17000102;
        				_pop(ss);
        				asm("scasd");
        				 *_t420 =  *_t420 + _t315;
        				 *((intOrPtr*)(__esi + __edx + 0x1020d)) =  *((intOrPtr*)(__esi + __edx + 0x1020d)) + _t420;
        				asm("lahf");
        				_t316 = _t315 - 0xaf;
        				 *__esi =  *__esi + _t316;
        				 *__edx =  *__edx + _t316;
        				asm("das");
        				asm("scasd");
        				 *_t420 =  *_t420 + _t316;
        				 *((intOrPtr*)(_t409 + 0x6020d2c)) =  *((intOrPtr*)(_t409 + 0x6020d2c)) + _t316;
        				 *_t409 =  *_t409 + _t420;
        				asm("das");
        				_pop(ds);
        				_t318 = _t316 | 0xffffffffff000702;
        				asm("das");
        				_push(_t318);
        				asm("sbb dh, [esi]");
        				 *((intOrPtr*)(_t318 + 0xf)) =  *((intOrPtr*)(_t318 + 0xf)) + _t318;
        				asm("pushad");
        				asm("sbb dl, [esi]");
        				 *((intOrPtr*)(_t318 + __esi)) =  *((intOrPtr*)(_t318 + __esi)) + _t409;
        				asm("sbb dl, [gs:esi]");
        				 *__esi =  *__esi + _t318;
        				 *(__esi + 0x1a) =  *(__esi + 0x1a) ^ _t420;
        				_push(es);
        				 *_t420 =  *_t420 + _t409;
        				asm("sbb al, 0x1f");
        				_push(ss);
        				_push(es);
        				 *((intOrPtr*)(_t318 + 0x1c)) =  *((intOrPtr*)(_t318 + 0x1c)) + __edx;
        				_t465[6] = _t465[6] & _t409;
        				 *[ss:eax+0xf] =  *[ss:eax+0xf] + (_t318 | 0x3c000602);
        				_push(ss);
        				 *__edi =  *__edi + __edx;
        				 *0x66000134 =  *0x66000134 & 0x0000001a;
        				ss = ss;
        				asm("scasd");
        				 *_t420 =  *_t420 + 0x1a;
        				 *((intOrPtr*)(__esi + __edx + 0x1020d)) =  *((intOrPtr*)(__esi + __edx + 0x1020d)) + _t420;
        				_push(0x6020d2d);
        				 *((intOrPtr*)(_t420 + 0x1020d30)) =  *((intOrPtr*)(_t420 + 0x1020d30)) + __edx;
        				 *((intOrPtr*)(__edx + 0x2d)) =  *((intOrPtr*)(__edx + 0x2d)) + __edx;
        				 *0xcb000102 =  *0xcb000102 ^ _t420;
        				 *(__edi - 0x21ffff00) =  *(__edi - 0x21ffff00) ^ _t420;
        				asm("sbb al, [ecx]");
        				 *_t420 =  *_t420 ^ 0x0000001a;
        				asm("sbb eax, [ecx]");
        				 *0x4000102 =  *0x4000102 ^ _t420;
        				 *0x66000102 =  *0x66000102 ^ _t420;
        				ss = ss;
        				_push(ss);
        				_t429 = __edx &  *(__edi + 0x1a00060d);
        				 *(__edi + 0x2300010d) =  *(__edi + 0x2300010d) ^ _t429;
        				 *(__edi + 0x2e000109) =  *(__edi + 0x2e000109) ^ __esi;
        				_t328 = ((0xffffffffd700071a ^ _t409) + _t420 + __edx | 0x57000102) ^ __edi;
        				 *_t420 =  *_t420 + _t328;
        				_t329 = _t328 + _t409;
        				asm("clc");
        				 *_t420 =  *_t420 + _t329;
        				 *__edi =  *__edi + _t409;
        				 *0x46000102 =  *0x46000102 ^ _t420;
        				_t410 = _t409 ^ __edi;
        				asm("adc [ecx], al");
        				_t465[0xc] = _t465[0xc] + _t429;
        				asm("scasd");
        				 *_t420 =  *_t420 + 0x1a;
        				 *((intOrPtr*)(__edi + 0x31)) =  *((intOrPtr*)(__edi + 0x31)) + _t410;
        				_t438 = _t329;
        				asm("scasd");
        				 *__esi =  *__esi + _t429;
        				ss = ss;
        				asm("sgdt [es:eax]");
        				 *_t420 =  *_t420 + 0x1a;
        				 *((intOrPtr*)(_t429 + 0x34)) =  *((intOrPtr*)(_t429 + 0x34)) + _t429;
        				_t334 = ((__edi | 0x337a0006) + _t420 | 0x6d000102) ^ 0x000000af;
        				 *_t420 =  *_t420 + 0x1a;
        				 *((intOrPtr*)(_t334 + 0x10d9734)) =  *((intOrPtr*)(_t334 + 0x10d9734)) + _t420;
        				 *__esi =  *__esi + _t334;
        				 *(_t438 + _t429 * 4) = _t429;
        				asm("scasd");
        				 *__esi =  *__esi + 0x1a;
        				_push(es);
        				asm("invalid");
        				_t442 = _t334 ^ 0x00010db0 | 0x353c0001;
        				asm("sahf");
        				asm("cmpsb");
        				_t340 = __esi ^ 0x11c9f;
        				 *_t420 =  *_t420 + 0x1a;
        				 *((intOrPtr*)(_t420 + 0x3300af35)) =  *((intOrPtr*)(_t420 + 0x3300af35)) + _t410;
        				 *((intOrPtr*)(_t410 + 0x36)) =  *((intOrPtr*)(_t410 + 0x36)) + _t442;
        				asm("out 0x1c, eax");
        				asm("enter 0x20, 0x0");
        				 *_t340 =  *_t340 + 0x1a;
        				_t341 = _t442;
        				_t443 = _t340;
        				 *((intOrPtr*)(_t410 + 0x1005121)) =  *((intOrPtr*)(_t410 + 0x1005121)) + 0x1a;
        				_t430 = _t429 + _t429;
        				 *_t341 =  *_t341 & 0x0000001a;
        				 *_t341 =  *_t341 + 0x1a;
        				 *((intOrPtr*)(_t443 + 0x6021a800)) =  *((intOrPtr*)(_t443 + 0x6021a800)) + _t430;
        				 *_t410 =  *_t410 + 0x1a;
        				_t411 = _t341 + _t410;
        				 *_t341 =  *_t341 & 0x0000001a;
        				 *_t341 =  *_t341 + 0x1a;
        				 *((intOrPtr*)(_t443 + 0x6821c000)) =  *((intOrPtr*)(_t443 + 0x6821c000)) + _t430;
        				 *0x20f400 =  *0x20f400 + 0x1a;
        				 *_t341 =  *_t341 + 0x1a;
        				 *((intOrPtr*)(_t443 + 0x6e21d000)) =  *((intOrPtr*)(_t443 + 0x6e21d000)) + _t430;
        				 *_t443 =  *_t443 + 0x1a;
        				_t342 = _t341 + _t411;
        				 *_t342 =  *_t342 & 0x0000001a;
        				 *_t342 =  *_t342 + 0x1a;
        				 *((intOrPtr*)(_t411 + 0x7621e900)) =  *((intOrPtr*)(_t411 + 0x7621e900)) + _t430;
        				 *_t443 =  *_t443 + 0x1a;
        				 *_t420 =  *_t420 + _t420;
        				 *_t342 =  *_t342 & _t342;
        				 *_t342 =  *_t342 + 0x1a;
        				 *((intOrPtr*)(_t411 + 0x7b220000)) =  *((intOrPtr*)(_t411 + 0x7b220000)) + _t430;
        				 *_t438 =  *_t438 + 0x1a;
        				 *_t411 =  *_t411 + _t411;
        				 *_t342 =  *_t342 & _t342;
        				 *_t342 =  *_t342 + 0x1a;
        				 *((intOrPtr*)(_t411 + 0x7b220a00)) =  *((intOrPtr*)(_t411 + 0x7b220a00)) + _t430;
        				 *_t438 =  *_t438 + 0x1a;
        				 *((intOrPtr*)(_t342 + 0x27)) =  *((intOrPtr*)(_t342 + 0x27)) + _t411;
        				 *((intOrPtr*)(_t443 - 0x68dde300)) =  *((intOrPtr*)(_t443 - 0x68dde300)) + _t430;
        				 *_t438 =  *_t438 + 0x1a;
        				 *_t443 =  *_t443 + _t411;
        				 *_t342 =  *_t342 & _t342;
        				 *_t342 =  *_t342 + 0x1a;
        				 *((intOrPtr*)(_t443 - 0x6cf1dae8)) =  *((intOrPtr*)(_t443 - 0x6cf1dae8)) + 0x1a;
        				 *_t342 =  *_t342 + _t420;
        				 *_t443 =  *_t443 + _t342;
        				 *_t342 =  *_t342 & _t342;
        				 *_t342 =  *_t342 + 0x1a;
        				 *((intOrPtr*)(_t420 + 0x6e222c18)) =  *((intOrPtr*)(_t420 + 0x6e222c18)) + _t430;
        				 *_t342 =  *_t342 + _t420;
        				_t465[8] = _t465[8] + _t430;
        				 *_t342 =  *_t342 + 0x1a;
        				 *_t342 =  *_t342 + 0x1a;
        				_t343 = _t411;
        				_t412 = _t342;
        				 *((intOrPtr*)(_t412 + 0x22)) =  *((intOrPtr*)(_t412 + 0x22)) + 0x1a;
        				asm("daa");
        				 *_t343 =  *_t343 + 0x1a;
        				 *_t343 =  *_t343 + 0x1a;
        				_t444 = _t343;
        				 *((intOrPtr*)(_t420 + 0x22)) =  *((intOrPtr*)(_t420 + 0x22)) + _t412;
        				asm("in al, 0x0");
        				_t345 = _t443 |  *_t443;
        				 *((intOrPtr*)(_t444 - 0xadd9c00)) =  *((intOrPtr*)(_t444 - 0xadd9c00)) + 0xfc000800;
        				 *((intOrPtr*)(_t345 + _t345)) =  *((intOrPtr*)(_t345 + _t345)) + _t420;
        				 *_t345 =  *_t345 & _t345;
        				 *_t345 =  *_t345 + 0x1a;
        				 *((intOrPtr*)(_t420 + 0x6e227b00)) =  *((intOrPtr*)(_t420 + 0x6e227b00)) + 0xfc000800;
        				 *((intOrPtr*)(_t345 + _t345)) =  *((intOrPtr*)(_t345 + _t345)) + _t420;
        				 *_t345 =  *_t345 & _t345;
        				 *_t345 =  *_t345 + 0x1a;
        				 *((intOrPtr*)(_t444 + 0x6e228e00)) =  *((intOrPtr*)(_t444 + 0x6e228e00)) + 0xfc000800;
        				 *((intOrPtr*)(_t345 + _t345)) =  *((intOrPtr*)(_t345 + _t345)) + _t420;
        				_t440 = 0x28;
        				 *_t345 =  *_t345 & _t345;
        				 *_t345 =  *_t345 + 0x1a;
        				 *((intOrPtr*)(_t420 + 0x6e22a100)) =  *((intOrPtr*)(_t420 + 0x6e22a100)) + 0xfc000800;
        				 *((intOrPtr*)(_t345 + _t345)) =  *((intOrPtr*)(_t345 + _t345)) + _t420;
        				_push(ds);
        				 *_t345 =  *_t345 & _t345;
        				 *_t345 =  *_t345 + 0x1a;
        				 *((intOrPtr*)(_t444 - 0x6cf1dae8)) =  *((intOrPtr*)(_t444 - 0x6cf1dae8)) + 0x1a;
        				 *((intOrPtr*)(_t345 + _t345)) =  *((intOrPtr*)(_t345 + _t345)) + _t420;
        				asm("insd");
        				 *_t345 =  *_t345 & _t345;
        				 *_t345 =  *_t345 + 0x1a;
        				 *((intOrPtr*)(_t420 + 0x6e222c18)) =  *((intOrPtr*)(_t420 + 0x6e222c18)) + 0xfc000800;
        				 *((intOrPtr*)(_t345 + _t345)) =  *((intOrPtr*)(_t345 + _t345)) + _t420;
        				 *_t345 = gs;
        				 *_t345 =  *_t345 + 0x1a;
        				 *_t345 =  *_t345 + 0x1a;
        				_t445 = _t345;
        				 *((intOrPtr*)(_t420 + 0xc010722)) =  *((intOrPtr*)(_t420 + 0xc010722)) + 0xfc000800;
        				_t347 = _t444 + 0x1a;
        				 *_t347 =  *_t347 - 0x1a;
        				 *_t347 =  *_t347 + 0x1a;
        				 *((intOrPtr*)(_t445 + 0x2922c800)) =  *((intOrPtr*)(_t445 + 0x2922c800)) + 0xfc000800;
        				 *0x294c00 =  *0x294c00 + _t420;
        				 *_t347 =  *_t347 + 0x1a;
        				 *((intOrPtr*)(_t445 + 0x67230100)) =  *((intOrPtr*)(_t445 + 0x67230100)) + 0xfc000800;
        				 *_t445 =  *_t445 + _t420;
        				 *((intOrPtr*)(_t347 + 0x29)) =  *((intOrPtr*)(_t347 + 0x29)) + _t347;
        				 *((intOrPtr*)(_t445 - 0x6adcb200)) =  *((intOrPtr*)(_t445 - 0x6adcb200)) + 0xfc000800;
        				 *_t420 =  *_t420 + 0xfc000800;
        				 *_t347 =  *_t347 + _t347;
        				_t348 = _t347 -  *_t347;
        				 *_t348 =  *_t348 + 0x1a;
        				 *((intOrPtr*)(_t445 + 0x29237100)) =  *((intOrPtr*)(_t445 + 0x29237100)) + 0xfc000800;
        				 *0xfc000800 =  *0xfc000800 + 0xfc000800;
        				 *((intOrPtr*)(0xfc000800 + _t465)) =  *((intOrPtr*)(0xfc000800 + _t465)) + _t420;
        				 *_t348 =  *_t348 + 0x1a;
        				 *((intOrPtr*)(_t420 - 0x48dc6200)) =  *((intOrPtr*)(_t420 - 0x48dc6200)) + 0xfc000800;
        				 *_t412 =  *_t412 + 0xfc000800;
        				 *_t445 =  *_t445 + _t412;
        				 *_t348 =  *_t348 & _t348;
        				 *_t348 =  *_t348 + 0x1a;
        				 *((intOrPtr*)(_t445 - 0x6cf1dae8)) =  *((intOrPtr*)(_t445 - 0x6cf1dae8)) + _t348;
        				 *_t445 =  *_t445 + 0xfc000800;
        				 *((intOrPtr*)(0xfc000800 + _t465)) =  *((intOrPtr*)(0xfc000800 + _t465)) + _t348;
        				 *0xFFFFFFFFFC000824 =  *((intOrPtr*)(0xfffffffffc000824)) + _t420;
        				_push(ss);
        				 *0x0000002D =  *((intOrPtr*)(0x2d)) + _t412;
        				 *2 =  *2 + 2;
        				 *2 =  *2 + 2;
        				 *((intOrPtr*)(_t412 + 0x10)) =  *((intOrPtr*)(_t412 + 0x10)) + _t420;
        				 *0xfc000800 =  *0xfc000800 + 1;
        				asm("sbb [eax], al");
        				L1();
        				 *0x52106B02 =  *((intOrPtr*)(0x52106b02)) + 0xfc000800;
        				_t413 = _t412 +  *0xfc000800;
        				 *((intOrPtr*)(_t465 + _t467)) =  *((intOrPtr*)(_t465 + _t467)) + _t420;
        				_t448 = _t348;
        				 *((intOrPtr*)(_t413 + 0x10)) =  *((intOrPtr*)(_t413 + 0x10)) + _t420;
        				 *_t413 =  *_t413 + 0x1c;
        				 *0x00000004 =  *((intOrPtr*)(4)) + 2;
        				 *((intOrPtr*)(_t448 - 0x35db7e00)) =  *((intOrPtr*)(_t448 - 0x35db7e00)) + 0xfc000800;
        				_t414 = _t413 +  *0x2d7800;
        				 *((intOrPtr*)(4)) =  *((intOrPtr*)(4)) + 2;
        				 *((intOrPtr*)(_t448 + 0x40f8300)) =  *((intOrPtr*)(_t448 + 0x40f8300)) + 0xfc000800;
        				_t355 = _t448;
        				 *((intOrPtr*)(_t414 + 0x1f04040f)) =  *((intOrPtr*)(_t414 + 0x1f04040f)) + 2;
        				 *_t355 =  *_t355 + 2;
        				 *[cs:eax] =  *[cs:eax] + 2;
        				 *_t355 =  *_t355 + 2;
        				_t356 = _t420;
        				_t421 = _t355;
        				 *((intOrPtr*)(_t414 + 0x20044924)) =  *((intOrPtr*)(_t414 + 0x20044924)) + 0xfc000800;
        				 *((intOrPtr*)(_t356 + 0x2e)) =  *((intOrPtr*)(_t356 + 0x2e)) + _t421;
        				 *((intOrPtr*)(_t421 - 0x37db5600)) =  *((intOrPtr*)(_t421 - 0x37db5600)) + 0xfc000800;
        				_t357 = _t356 + 0x22;
        				 *((intOrPtr*)(4)) =  *((intOrPtr*)(4)) + _t414;
        				 *_t357 =  *_t357 & _t357;
        				 *_t357 =  *_t357 + 2;
        				 *0xFFFFFFFF930E251C =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
        				 *0x315000 =  *0x315000 + _t357;
        				 *_t357 =  *_t357 + 2;
        				 *((intOrPtr*)(_t414 - 0x66f07600)) =  *((intOrPtr*)(_t414 - 0x66f07600)) + 2;
        				_t358 = _t357 +  *0x211e00;
        				 *_t358 =  *_t358 + 2;
        				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
        				 *((intOrPtr*)(4)) =  *((intOrPtr*)(4)) + _t358;
        				 *((intOrPtr*)(_t421 + 0x21)) =  *((intOrPtr*)(_t421 + 0x21)) + _t414;
        				 *_t358 =  *_t358 + 2;
        				 *_t358 =  *_t358 + 2;
        				 *_t358 =  *_t358 + 0xffffff97;
        				asm("adc [esp+eax], bh");
        				 *[es:edi+0x21] =  *[es:edi+0x21] + 2;
        				 *((intOrPtr*)(_t414 + 0x1110ad00)) =  *((intOrPtr*)(_t414 + 0x1110ad00)) + 2;
        				_t359 = _t358 + 0x21aa0027;
        				 *_t359 =  *_t359 + 2;
        				 *_t359 =  *_t359 + 2;
        				_t360 = _t421;
        				_t422 = _t359;
        				asm("sbb [edx], ch");
        				asm("outsb");
        				 *_t360 =  *_t360 + _t422;
        				 *((intOrPtr*)(4)) =  *((intOrPtr*)(4)) + _t414;
        				 *_t360 =  *_t360 & _t360;
        				 *_t360 =  *_t360 + 2;
        				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
        				 *_t360 =  *_t360 + _t422;
        				 *0x00000025 =  *((intOrPtr*)(0x25)) + 0xfc000800;
        				 *((intOrPtr*)(_t414 + 0x4e0f6400)) =  *((intOrPtr*)(_t414 + 0x4e0f6400)) + 2;
        				_t423 = _t422 +  *_t360;
        				 *((intOrPtr*)(4)) =  *((intOrPtr*)(4)) + _t414;
        				 *_t360 =  *_t360 & _t360;
        				 *_t360 =  *_t360 + 2;
        				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
        				 *_t423 =  *_t423 + _t423;
        				 *((intOrPtr*)(_t360 + 0x32)) =  *((intOrPtr*)(_t360 + 0x32)) + _t423;
        				 *_t360 =  *_t360 + 2;
        				 *_t360 =  *_t360 + 2;
        				 *_t360 =  *_t360 + 0x12;
        				_t361 = _t360 & 0x0029056a;
        				_push(ds);
        				 *_t361 =  *_t361 & _t361;
        				 *_t361 =  *_t361 + 2;
        				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
        				 *0xfc000800 =  *0xfc000800 + _t423;
        				 *((intOrPtr*)(0x25)) =  *((intOrPtr*)(0x25)) + _t414;
        				 *((intOrPtr*)(_t414 + 0x3c253600)) =  *((intOrPtr*)(_t414 + 0x3c253600)) + 2;
        				_t363 = _t361 + 0xfffffffffc00082a;
        				 *_t363 =  *_t363 & _t363;
        				 *_t363 =  *_t363 + 2;
        				 *((intOrPtr*)(_t414 - 0x66dabb00)) =  *((intOrPtr*)(_t414 - 0x66dabb00)) + 2;
        				_t424 = _t423 +  *_t414;
        				 *0xFFFFFFFFFC000804 =  *((intOrPtr*)(0xfffffffffc000804)) + _t424;
        				 *_t363 =  *_t363 + 0x59;
        				_t364 = _t363 & 0x002c057f;
        				_push(ds);
        				 *_t364 =  *_t364 & _t364;
        				 *_t364 =  *_t364 + 2;
        				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
        				 *0x21e700 =  *0x21e700 + _t424;
        				 *_t364 =  *_t364 + 2;
        				 *((intOrPtr*)(_t414 + 0x3c258400)) =  *((intOrPtr*)(_t414 + 0x3c258400)) + 2;
        				_t365 = _t364 + 0x2d;
        				_t432 = 0xfc000800 + _t414;
        				 *_t365 =  *_t365 & _t365;
        				 *_t365 =  *_t365 + 2;
        				 *((intOrPtr*)(_t424 + 0x6e222c18)) =  *((intOrPtr*)(_t424 + 0x6e222c18)) + _t432;
        				 *((intOrPtr*)(4)) =  *((intOrPtr*)(4)) + _t424;
        				 *((intOrPtr*)(4)) =  *((intOrPtr*)(4)) + _t414;
        				 *_t365 =  *_t365 & _t365;
        				 *_t365 =  *_t365 + 2;
        				 *((intOrPtr*)(0xffffffff930e251c)) =  *((intOrPtr*)(0xffffffff930e251c)) + 2;
        				 *((intOrPtr*)(4)) =  *((intOrPtr*)(4)) + _t424;
        				 *((intOrPtr*)(0x25)) =  *((intOrPtr*)(0x25)) + _t432;
        				 *((intOrPtr*)(_t414 + 0x4e25a000)) =  *((intOrPtr*)(_t414 + 0x4e25a000)) + 2;
        				_t425 = _t424 +  *((intOrPtr*)(4));
        				 *((intOrPtr*)(_t414 + 4)) =  *((intOrPtr*)(_t414 + 4)) + _t365;
        				 *_t365 =  *_t365 + 2;
        				 *_t365 =  *_t365 + 2;
        				 *0x33 =  *0x33 + 2;
        				 *0x33 =  *0x33 + 2;
        				_push(es);
        				_t373 = _t365 + _t414 & 0x0032064a &  *(_t365 + _t414 & 0x0032064a);
        				 *_t373 =  *_t373 + 2;
        				 *((intOrPtr*)(_t425 + 0x6e222c18)) =  *((intOrPtr*)(_t425 + 0x6e222c18)) + _t432;
        				 *_t440 = _t432 +  *_t440;
        				 *0x33 =  *0x33 + _t414;
        				 *_t373 =  *_t373 & _t373;
        				 *_t373 =  *_t373 + 2;
        				 *0xFFFFFFFF930E254B =  *((intOrPtr*)(0xffffffff930e254b)) + 2;
        				 *_t440 = _t432 +  *_t440;
        				 *0xfc000800 =  *0xfc000800 + _t432;
        				_t374 = _t373 &  *_t373;
        				 *_t374 =  *_t374 + 2;
        				 *((intOrPtr*)(_t414 - 0x7cd9f700)) =  *((intOrPtr*)(_t414 - 0x7cd9f700)) + 2;
        				_push(es);
        				asm("aaa");
        				 *((intOrPtr*)(0x33 + _t467)) =  *((intOrPtr*)(0x33 + _t467)) + _t425;
        				 *_t374 =  *_t374 + 2;
        				 *_t374 =  *_t374 + 2;
        				_t375 = 0x33;
        				_t452 = _t374;
        				_t465[9] = _t465[9] + 2;
        				asm("clc");
        				_push(es);
        				if( *0x33 >= 2) {
        					 *0x33 =  *0x33 + 2;
        					 *0x33 =  *0x33 + 2;
        					_t465[9] = _t432 + _t465[9];
        					es = 0xfc000800;
        					_t405 = _t452;
        					 *[ss:eax] =  *[ss:eax] + 2;
        					 *_t405 =  *_t405 + 2;
        					_t464 = _t405;
        					_t440[0xf426009] = _t440[0xf426009] + 2;
        					 *((intOrPtr*)(0x66)) =  *((intOrPtr*)(0x66)) + 2;
        					_t464[0x349a4c0] = _t432 + _t464[0x349a4c0];
        					_t414 = _t414 |  *_t464;
        					 *_t440 =  *_t440 + _t425;
        					_t375 = _t464;
        					_t452 = 0x66;
        					 *((intOrPtr*)(_t414 + 0x400a6926)) =  *((intOrPtr*)(_t414 + 0x400a6926)) + _t432;
        				}
        				 *0x22 =  *0x22 + _t432;
        				_t452[0x1c837bc2] = _t375 + _t452[0x1c837bc2];
        				 *_t414 = _t375 +  *_t414;
        				asm("sbb eax, 0x22");
        				 *((intOrPtr*)(_t452 - 0x66d902f8)) =  *((intOrPtr*)(_t452 - 0x66d902f8)) + _t375;
        				_t377 = _t375 +  *_t414 &  *[es:eax];
        				 *_t377 =  *_t377 + _t377;
        				_t452[0x689c182] = _t452[0x689c182] + _t377;
        				 *((intOrPtr*)(_t377 + _t377 + 0x2e)) =  *((intOrPtr*)(_t377 + _t377 + 0x2e)) + _t377;
        				_t378 = _t377 &  *_t377;
        				 *_t378 =  *_t378 + _t378;
        				 *((intOrPtr*)(_t452 - 0x77d8eff8)) =  *((intOrPtr*)(_t452 - 0x77d8eff8)) + _t378;
        				_t379 = _t378 |  *(_t378 + _t378 + 0x1e);
        				 *_t379 =  *_t379 & _t379;
        				 *_t379 =  *_t379 + _t379;
        				 *((intOrPtr*)(_t452 - 0x6cf1dae8)) =  *((intOrPtr*)(_t452 - 0x6cf1dae8)) + _t379;
        				 *_t465 =  *_t465 + _t379;
        				asm("aaa");
        				_t380 = _t379 &  *_t379;
        				 *_t380 =  *_t380 + _t380;
        				 *((intOrPtr*)(_t452 - 0x72f1dae8)) =  *((intOrPtr*)(_t452 - 0x72f1dae8)) + _t380;
        				_t381 = _t380 |  *_t465;
        				_push(ds);
        				 *_t381 =  *_t381 & _t381;
        				 *_t381 =  *_t381 + _t381;
        				 *((intOrPtr*)(_t452 - 0x6cf1dae8)) =  *((intOrPtr*)(_t452 - 0x6cf1dae8)) + _t381;
        				 *_t440 =  *_t440 + _t381;
        				_t382 = _t381 &  *_t381;
        				 *_t382 =  *_t382 + _t382;
        				 *((intOrPtr*)(_t414 - 0x15ed5a00)) =  *((intOrPtr*)(_t414 - 0x15ed5a00)) + _t382;
        				 *_t440 =  *_t440 | _t382;
        				_push(ds);
        				 *_t382 =  *_t382 & _t382;
        				 *_t382 =  *_t382 + _t382;
        				 *((intOrPtr*)(_t452 - 0x6cf1dae8)) =  *((intOrPtr*)(_t452 - 0x6cf1dae8)) + _t382;
        				 *_t382 =  *_t382 + _t425;
        				asm("pushad");
        				_t383 = _t382 &  *_t382;
        				 *_t383 =  *_t383 + _t383;
        				 *((intOrPtr*)(_t414 - 0x15ed3700)) =  *((intOrPtr*)(_t414 - 0x15ed3700)) + _t383;
        				 *_t383 =  *_t383 | _t425;
        				_push(ds);
        				 *_t383 =  *_t383 & _t383;
        				 *_t383 =  *_t383 + _t383;
        				 *((intOrPtr*)(_t452 - 0x6cf1dae8)) =  *((intOrPtr*)(_t452 - 0x6cf1dae8)) + _t383;
        				 *_t425 =  *_t425 + _t425;
        				_t384 = _t383 ^ 0x0000003f;
        				 *_t384 =  *_t384 + _t384;
        				 *_t384 =  *_t384 + _t384;
        				 *_t384 =  *_t384 + 0xffffffe2;
        				asm("adc ch, dl");
        				 *_t425 =  *_t425 | _t425;
        				if( *_t425 == 0) {
        					 *_t384 =  *_t384 + _t384;
        					 *_t384 =  *_t384 + _t384;
        					_t264 = _t384;
        					_t384 = _t425;
        					_t425 = _t264;
        					asm("sbb [edx], ch");
        					asm("outsb");
        					 *_t432 =  *_t432 + _t425;
        					_push(ds);
        					 *_t384 =  *_t384 & _t384;
        					 *_t384 =  *_t384 + _t384;
        					 *((intOrPtr*)(_t452 - 0x6cf1dae8)) =  *((intOrPtr*)(_t452 - 0x6cf1dae8)) + _t384;
        					 *_t432 =  *_t432 + _t425;
        					 *_t432 =  *_t432 & 0x00000000;
        					 *_t384 =  *_t384 + 0x2f;
        				}
        				asm("das");
        				asm("adc bl, [edx]");
        				 *_t432 =  *_t432 | _t425;
        				asm("adc ah, [edx]");
        				 *_t384 =  *_t384 + _t384;
        				 *_t384 =  *_t384 + _t384;
        				 *_t384 =  *_t384 + 0x4c;
        				asm("adc bh, [eax]");
        				 *_t414 =  *_t414 | _t425;
        				 *_t432 = _t467;
        				 *_t384 =  *_t384 + _t384;
        				 *_t384 =  *_t384 + _t384;
        				 *_t384 =  *_t384 + 0x71;
        				asm("adc bh, [ecx+0x8]");
        				 *_t432 = _t432 +  *_t432;
        				 *_t384 =  *_t384 + 0xffffff8e;
        				asm("adc ch, [ebx+0x1e004d08]");
        				 *_t384 =  *_t384 & _t384;
        				 *_t384 =  *_t384 + _t384;
        				 *((intOrPtr*)(_t452 - 0x6cf1dae8)) =  *((intOrPtr*)(_t452 - 0x6cf1dae8)) + _t384;
        				 *_t452 =  *_t452 + _t425;
        				asm("aas");
        				 *_t384 =  *_t384 + _t384;
        				 *_t384 =  *_t384 + _t384;
        				 *_t384 =  *_t384 + 0xffffffec;
        				asm("adc ecx, ecx");
        				 *_t452 =  *_t452 | _t425;
        				asm("pushfd");
        				_t385 = _t384 &  *_t384;
        				 *_t385 =  *_t385 + _t385;
        				 *((intOrPtr*)(_t425 + 0x6e222c18)) =  *((intOrPtr*)(_t425 + 0x6e222c18)) + _t432;
        				 *_t440 =  *_t440 + _t425;
        				 *_t385 =  *_t385 & _t385;
        				 *_t385 =  *_t385 + _t385;
        				 *((intOrPtr*)(_t452 - 0x6cf1dae8)) =  *((intOrPtr*)(_t452 - 0x6cf1dae8)) + _t385;
        				 *_t440 =  *_t440 + _t425;
        				 *_t385 =  *_t385 + _t385;
        				 *_t385 =  *_t385 + _t385;
        				 *_t385 =  *_t385 + 0x26;
        				asm("adc al, 0xc9");
        				 *_t440 =  *_t440 | _t425;
        				asm("int3");
        				asm("aas");
        				 *_t385 =  *_t385 + _t385;
        				 *_t385 =  *_t385 + _t385;
        				_t386 = _t452;
        				_t453 = _t385;
        				 *((intOrPtr*)(_t453 + 0x500b2827)) =  *((intOrPtr*)(_t453 + 0x500b2827)) + _t432;
        				_t386[0x10] = _t386 + _t386[0x10];
        				 *_t386 = _t386 +  *_t386;
        				 *_t386 = _t386 +  *_t386;
        				_t454 = _t386;
        				_t454[0x1482d089] = _t432 + _t454[0x1482d089];
        				_t389 = _t453 + _t453 + 1;
        				 *_t389 =  *_t389 + _t389;
        				 *_t389 =  *_t389 + _t389;
        				 *((intOrPtr*)(_t389 + 0x550b8627)) =  *((intOrPtr*)(_t389 + 0x550b8627)) + _t432;
        				_t391 = _t454 + _t432;
        				_t426 = _t425 + 1;
        				 *_t391 =  *_t391 + _t391;
        				 *_t391 =  *_t391 + _t391;
        				asm("daa");
        				_t393 = ds;
        				 *_t393 =  *_t393 + _t426;
        				 *_t393 =  *_t393 + _t393;
        				 *_t393 =  *_t393 + _t393;
        				_t394 = _t391;
        				_t435 = _t432 + _t414 + 0xc;
        				asm("daa");
        				asm("fisttp qword [ebx]");
        				 *((intOrPtr*)(_t435 + _t394 * 2)) =  *((intOrPtr*)(_t435 + _t394 * 2)) + 0xb;
        				 *_t394 =  *_t394 + _t394;
        				 *_t394 =  *_t394 + _t394;
        				_t395 = _t393;
        				 *_t435 =  *_t435 + _t395;
        				_t396 = _t395 - 0xb;
        				asm("pushfd");
        				_t436 = _t435 + 1;
        				 *_t396 =  *_t396 + _t396;
        				 *_t396 =  *_t396 + _t396;
        				_t459 = _t396;
        				 *((intOrPtr*)(_t459 + 0x600c4d27)) =  *((intOrPtr*)(_t459 + 0x600c4d27)) + _t436;
        				_t398 = _t394 + _t436;
        				 *_t398 =  *_t398 + _t398;
        				 *_t398 =  *_t398 + _t398;
        				_t399 = _t459;
        				 *((intOrPtr*)(_t426 + 0x28)) =  *((intOrPtr*)(_t426 + 0x28)) + _t399;
        				_pop(_t418);
        				_t400 = _t399 | 0x00000064;
        				 *_t400 =  *_t400 + _t400;
        				 *_t400 =  *_t400 + _t400;
        				 *_t400 =  *_t400 + _t400;
        				_t401 = _t398;
        				 *((intOrPtr*)(_t418 + 0x28)) =  *((intOrPtr*)(_t418 + 0x28)) + _t426;
        				 *_t401 =  *_t401 + _t401;
        				_t402 = _t400;
        				_t462 = _t401;
        				 *((intOrPtr*)(_t426 + 0x680cc528)) =  *((intOrPtr*)(_t426 + 0x680cc528)) + _t436;
        				 *_t462 =  *_t462 + _t418;
        				 *_t402 =  *_t402 & _t402;
        				 *_t402 =  *_t402 + _t402;
        				 *((intOrPtr*)(_t462 - 0x6cf1dae8)) =  *((intOrPtr*)(_t462 - 0x6cf1dae8)) + _t402;
        				 *_t426 =  *_t426 + _t426;
        				 *_t402 =  *_t402 + _t402;
        				 *_t402 =  *_t402 + _t402;
        				 *_t402 =  *_t402 + 0xffffffc3;
        				asm("adc al, 0x3c");
        				_t403 = _t402 + 0x69;
        				 *_t462 =  *_t462 + _t418;
        				 *_t403 =  *_t403 & _t403;
        				 *_t403 =  *_t403 + _t403;
        				 *((intOrPtr*)(_t462 - 0x6cf1dae8)) =  *((intOrPtr*)(_t462 - 0x6cf1dae8)) + _t403;
        				 *_t436 =  *_t436 + 0x22;
        				return _t403;
        			}

        Memory Dump Source
        • Source File: 00000000.00000002.296648802.0000000000B52000.00000002.00020000.sdmp, Offset: 00B50000, based on PE: true
        • Associated: 00000000.00000002.296644920.0000000000B50000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.296699396.0000000000BD8000.00000002.00020000.sdmp
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 76a86fd39f4f2928afb8c0b21a6158c4287fe209c075f04076d4307efcd8e1a0
        • Instruction ID: fa14384ee981e71bec81483b471b2873c9e9839e0ec0d573b140ab3b0ad2d41f
        • Opcode Fuzzy Hash: 76a86fd39f4f2928afb8c0b21a6158c4287fe209c075f04076d4307efcd8e1a0
        • Instruction Fuzzy Hash: C742ED6148E3D25FD7138B744CB5586BFB0AE1312475E4AEFC0C1CB9E3E258598AC762
        Uniqueness

        Uniqueness Score: -1.00%