
Analysis Report PO_6620200947535257662_Arabico.PDF.exe

Overview

General Information

Sample Name: PO_6620200947535257662_Arabico.PDF.exe
Analysis ID: 382596
MD5: b737570f9e9a1bdd794f78e3906e61b9
SHA1: 0dd10acab603b2f1269d05534902b09d38e31ac5
SHA256: 0a3a85fd6964b0cf1b61e41cc7c117ada4c8607a0107ad4921dafa69933ef0ac
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

Startup

  • System is w10x64
  • PO_6620200947535257662_Arabico.PDF.exe (PID: 6408 cmdline: 'C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe' MD5: B737570F9E9A1BDD794F78E3906E61B9)
    • cmd.exe (PID: 6780 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\gvvccsccefghhsnd.exe,' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 6816 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\gvvccsccefghhsnd.exe,' MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • gvvccsccefghhsnd.exe (PID: 6824 cmdline: 'C:\Users\user\gvvccsccefghhsnd.exe' MD5: B737570F9E9A1BDD794F78E3906E61B9)
      • InstallUtil.exe (PID: 5596 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "883c2226-d991-4f34-8646-4dd2732a", "Group": "", "Domain1": "185.157.161.86", "Domain2": "nanopc.linkpc.net", "Port": 50005, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
(29 entries in total; the remainder are not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(104 entries in total; the remainder are not shown)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 5596, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "883c2226-d991-4f34-8646-4dd2732a", "Group": "", "Domain1": "185.157.161.86", "Domain2": "nanopc.linkpc.net", "Port": 50005, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ghfvjjtjhhjghdgghrba.exe | Metadefender: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\ghfvjjtjhhjghdgghrba.exe | ReversingLabs: Detection: 25%
Source: C:\Users\user\gvvccsccefghhsnd.exe | ReversingLabs: Detection: 20%
Multi AV Scanner detection for submitted file
Source: PO_6620200947535257662_Arabico.PDF.exe | ReversingLabs: Detection: 20%
Yara detected Nanocore RAT
Source: Yara match | File source: 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.611698378.0000000003738000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.466854129.00000000037EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.611940927.0000000003856000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO_6620200947535257662_Arabico.PDF.exe PID: 6408, type: MEMORY
Source: Yara match | File source: Process Memory Space: gvvccsccefghhsnd.exe PID: 6824, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 5596, type: MEMORY
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.3739510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.397a5ca.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.InstallUtil.exe.41bb14e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.InstallUtil.exe.41bff84.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.InstallUtil.exe.5970000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.38cf242.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.InstallUtil.exe.41c45ad.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.InstallUtil.exe.5970000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.InstallUtil.exe.41bff84.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.389c662.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.39e6b72.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.InstallUtil.exe.5974629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3862c9a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.gvvccsccefghhsnd.exe.389c662.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\gvvccsccefghhsnd.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO_6620200947535257662_Arabico.PDF.exe | Joe Sandbox ML: detected
Source: 28.2.InstallUtil.exe.5970000.9.unpack | Avira: Label: TR/NanoCore.fadte
Source: 28.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: PO_6620200947535257662_Arabico.PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PO_6620200947535257662_Arabico.PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll | source: InstallUtil.exe, 0000001C.00000002.601725662.0000000000C82000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb | source: InstallUtil.exe, InstallUtil.exe.0.dr
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_04B9B700
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then jmp 04B96611h | 0_2_04B95D98
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 0_2_04B9BDF0
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_04B9BDF0
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_04B9AFF4
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_04B9E0A4
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_04B9B1EC
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then jmp 04B96611h | 0_2_04B95D8A
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 0_2_04B9BDE4
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_04B9BDE4
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then xor edx, edx | 0_2_04B9BD28
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then xor edx, edx | 0_2_04B9BD1E
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 0_2_04B9BAD0
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_04B9BAD0
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 0_2_04B9BAC4
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_04B9BAC4
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_04B9DA74
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_063F4460
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 0_2_063F8090
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 19_2_04D5B700
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 19_2_04D5BDF0
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 19_2_04D5BDF0
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then jmp 04D56611h | 19_2_04D55D98
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 19_2_04D5AFF4
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 19_2_04D5E0A4
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 19_2_04D5B1EC
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 19_2_04D5BDE4
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 19_2_04D5BDE4
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then jmp 04D56611h | 19_2_04D55D8A
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then xor edx, edx | 19_2_04D5BD1E
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then xor edx, edx | 19_2_04D5BD28
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 19_2_04D5BAD0
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 19_2_04D5BAD0
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 19_2_04D5BAC4
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 19_2_04D5BAC4
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 19_2_04D5DA74
Source: C:\Users\user\gvvccsccefghhsnd.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 19_2_065D4460
      Source: C:\Users\user\g